Children's data, DPIA, SDF obligations, algorithm registry. The modules that carry the steepest per-violation penalties in the Act.
A single children's data violation is ₹200 crore. SDF obligations can be imposed retroactively with no grace period.
DPDPA S.9 — ₹200 Cr
Age gate widget, verifiable parental consent via OTP, default restrictions on minor accounts (no targeting, profiling, tracking), and annual consent review scheduler.
DPDPA S.10 — ₹150 Cr
20-question DPIA wizard with automatic risk scoring, algorithm registry for automated decisions, cross-border transfer tracking, and annual DPIA review scheduler.
Embeddable JS widget checks date of birth, returns isMinor flag. Integrates with any form or flow.
Guardian OTP email flow, 24-hour expiry, bcrypt-secured verification. Creates ChildAccount on success.
Default restrictions: ad targeting, profiling, data sharing, behavioral tracking — all off by default for minors.
5 categories × 4 questions. Risk score 0–100. Automatically sets COMPLETED status on 20 answers.
Document every automated decision system: output type (Decision/Scoring/Profiling), risk level, human oversight status.
Log data transfers by mechanism (ADEQUACY, SCC, CONSENT, LI), destination country, and encryption status. CSV export.
Children's Data module and SDF/DPIA module are Enterprise-only features.
DPDPA S.9 prohibits three categories of processing for children (under 18) without exception: (1) targeted advertising directed at children, (2) tracking or behavioural monitoring of children, and (3) processing that may have a detrimental effect on the wellbeing of the child. It also requires verifiable parental or guardian consent before any other processing of a child's personal data. DPDPA Shield enforces all four restrictions automatically on ChildAccount records.
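The age gate and minor defaults described above, sketched as an added example (not DPDPA Shield's code). Every name except `isMinor` is hypothetical, and the date of birth is assumed to arrive as a `YYYY-MM-DD` string compared against the UTC calendar day.

```javascript
// Added example, not the product's code. Names other than isMinor are hypothetical.
const AGE_OF_MAJORITY = 18; // the page treats "under 18" as a child

// Parse a strict YYYY-MM-DD string; reject impossible dates such as 2010-02-30.
function parseDob(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(text));
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  const valid = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  return valid ? { y, mo, d } : null;
}

// Completed years of age on `today` (a Date, read as a UTC calendar day).
function ageOn(dob, today) {
  const ty = today.getUTCFullYear(), tm = today.getUTCMonth() + 1, td = today.getUTCDate();
  const hadBirthday = tm > dob.mo || (tm === dob.mo && td >= dob.d);
  return ty - dob.y - (hadBirthday ? 0 : 1);
}

// Fail closed: unparseable or future dates are treated as a minor.
function checkAge(dobText, today = new Date()) {
  const dob = parseDob(dobText);
  if (!dob) return { isMinor: true, reason: "invalid_dob" };
  const age = ageOn(dob, today);
  if (age < 0) return { isMinor: true, reason: "future_dob" };
  return { isMinor: age < AGE_OF_MAJORITY, reason: "ok", age };
}

// The four restrictions the page lists, all off by default.
const MINOR_DEFAULTS = Object.freeze({
  adTargeting: false, profiling: false, dataSharing: false, behavioralTracking: false,
});

function accountSettings(dobText, requested = {}, today = new Date()) {
  const gate = checkAge(dobText, today);
  // For a minor the requested flags are ignored, so a client cannot re-enable them.
  const settings = gate.isMinor ? { ...MINOR_DEFAULTS } : { ...MINOR_DEFAULTS, ...requested };
  return { ...gate, needsGuardianConsent: gate.isMinor, settings };
}
```

A browser-side check like this is only a first filter; the same decision has to be repeated on the server before any account is created, since the client controls the value it submits.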
The Central Government designates Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of personal data processed, potential risk to national security or public order, risk of harm to data principals, and impact on sovereignty and integrity of India. There is no fixed threshold — designation is by government notification. Once designated, SDFs must appoint an Indian-resident DPO, conduct DPIAs, maintain an algorithm audit registry, and file periodic compliance reports.
A DPIA is a structured assessment of the privacy risks introduced by a new processing activity. Under DPDPA, DPIAs are mandatory for Significant Data Fiduciaries before deploying any new automated processing system. DPDPA Shield's 20-question DPIA wizard covers 5 categories — Scope & Scale, Data Sensitivity, Data Subject Rights, Security Controls, and Governance — and outputs a risk score (LOW/MEDIUM/HIGH/CRITICAL) plus a required controls checklist.
The Act provides no fixed timeline for SDF designation — notifications can be issued at any point after commencement. Companies processing large volumes of sensitive data (health, financial, children's data) should prepare SDF-level controls proactively. Retroactive designation with no grace period is the highest-risk scenario. DPDPA Shield's Enterprise modules are designed precisely for this preparedness posture.
Enterprise plan includes all modules. Talk to us about SDF compliance readiness.
Prove every consent. Court-admissible SHA-256 proof.
OTP-verified portal. 30-day SLA countdown.
Never miss the 72-hour Board notification window.
Real-time 0–100 compliance health score.
Map every asset, processor, and data flow. Auto-generate RoPA.
Track, score, and treat every DPDPA risk. Growth+.
Automated security scoring for every data processor. Growth+.
AI-curated DPDPA updates. Never miss an enforcement signal.