Before any AI project touches real data, it’s worth running a simple data-protection checklist — built around the DPDP Act. Here’s a practical one for Indian businesses. (dgm implements osFoundry, a separate company’s platform — dgm is an independent integration partner, not osFoundry, and not a law firm. General information, not legal advice.)
Before you start
- Map the data — what personal and sensitive data will the AI process?
- Confirm the legal basis — consent or otherwise under the DPDP Act.
- Minimise — use only the data the use case needs.
During deployment
- Purpose limitation — data used only for the stated purpose.
- Security — encryption, access controls.
- Access controls — AI uses only data users may see.
- Controlled, self-hostable deployment for personal, financial or confidential data — keep it in your environment (see data residency).
After deployment
- Audit trail — record which data and models produced results.
- Human review — especially in regulated sectors.
- Data-principal rights — a process to handle access/correction/erasure requests.
What never goes into uncontrolled tools
Personal data (especially sensitive), financial records, confidential information, and anything under sectoral rules (RBI localisation). For these, use controlled, self-hostable AI. Reinforce with an AI usage policy.
SDF note
Significant Data Fiduciaries face additional duties (DPO, audits, DPIAs) — confirm whether they apply to you.
How dgm helps
dgm builds these controls into implementation — DPDP-aware, self-hostable AI on osFoundry with access controls and audit trails — for a $399 assessment and $3,999/month (INR approximate; 18% GST domestic). We don’t advise on your legal DPDP obligations; work with counsel for that.
General information, not legal advice. Confirm DPDP obligations with qualified counsel.