Cookies & Site Data

We use only essential storage to remember your disclaimer acknowledgment and cookie choice. We do not load third-party analytics or advertising trackers today. You can review the details in our Cookie Policy.

BEYOND THE CHECKBOX

GRC software tracks your data.DRMLAW carries your liability.

A GRC platform generates a checkmark. It cannot speak for the organisation when a breach happens, an AI pipeline leaks data, or the Data Protection Board of India sends a notice under Section 27. DRMLAW does not sell GRC platforms or security software. We assess the business, recommend and coordinate the right technology partners, govern AI usage, train staff, and represent the client before regulators when enforcement arrives.

The statutory penalty cap under the DPDPA, 2023 is ₹250 crore per instance for failure of reasonable security safeguards. That is the size of the question. Software helps; it does not answer it.

Direct access to certified DPOs and practising advocates. No sales calls from software vendors.

Core philosophy

Software is a tool. We are accountable for the outcome.

GRC and security platforms do real work — they map assets, track tasks, flag vendor risk, and surface alerts. That is the top of the compliance pyramid, and we use these tools every day. What they cannot do is sit in the Data Protection Board's chamber, explain why a particular processing activity was lawful, or absorb regulatory consequence on behalf of a board.

No two businesses share a risk profile. A retail jeweller's WhatsApp marketing, an EdTech firm's biometric attendance, a hospital's patient records and an NBFC's loan-decisioning model raise entirely different questions under the same statute. A generic dashboard cannot answer those questions. A practitioner who has read the statute, the rules, the CERT-In directions and the sector-regulator overlap can.

DRMLAW treats DPDP compliance as a managed business function — assessed against the organisation's actual operations, fitted with an independently chosen technology stack, and held together by project management, AI governance and workforce training. The outcome is a programme that survives scrutiny, not a screen that says everything is fine.

The boundary

Where software stops, our work begins.

Data mapping & asset tracking
Software
DRMLAW
Automated checklists & task alerts
Software
DRMLAW
Vendor risk flagging
Software
DRMLAW
Business-specific risk assessment
Software
DRMLAW
Independent technology stack selection
Software
DRMLAW
AI governance
Software
DRMLAW
Legal risk judgement
Software
DRMLAW
Contract & SLA realignment
Software
DRMLAW
Court-admissible evidence formatting (Bharatiya Sakshya Adhiniyam)
Software
DRMLAW
Workforce privacy training
Software
DRMLAW
Representation before the Data Protection Board of India
Software
DRMLAW

Software handles the top rows well. Everything below requires legal judgement, business context, or human accountability.

How we work

Six disciplines. One programme.

01

Business ecosystem assessment

We start by understanding how the business actually operates — WhatsApp marketing flows, CCTV at the front desk, biometric attendance, vendor data-sharing arrangements, customer onboarding paths — not by handing over a generic checklist template.

02

Independent technology stack selection

DRMLAW has no commercial relationship with any GRC, consent management or security vendor. We evaluate and recommend tools on fit; you contract and own the technology directly, on terms you control.

03

AI governance

Data-ingestion rules and usage boundaries for AI tools — covering customer-facing models, internal copilots and third-party APIs. DRMLAW can serve as your Chief AI Officer function or advise an existing CTO / CISO absorbing the role.

04

Contractual & vendor governance

Restructure SLAs, cross-border transfer terms and processor agreements so legal liability sits where it can be enforced — not where the contract template happened to leave it.

05

Programme management & privacy culture training

Ongoing coordination of IT, vendors and auditors under one delivery plan, paired with role-based training for the workforce — marketing, HR, engineering and customer-facing teams each get what they actually need.

06

Forensic readiness & regulatory defence

Consent logs and breach evidence structured to meet Bharatiya Sakshya Adhiniyam admissibility standards. If a breach or DPB notice arrives, the same firm that built the programme appears as advocate of record.

Roles we fill

The people your compliance programme needs.

DPDPA compliance is not one role. It is several distinct functions that most organisations cannot resource individually. DRMLAW supplies the ones that should sit with the law firm and helps you source the ones that should not.

Data Protection Officer

DRMLAW serves as your external statutory DPO under Section 10 of the DPDPA, 2023, with a board-level reporting line. The function is held by a C.DPO.DA-certified partner — not delegated to a junior associate.

Chief AI Officer

DRMLAW can serve as or advise the Chief AI Officer function — covering model risk, algorithmic fairness, NIST AI RMF risk-tiering and ISO/IEC 42001 controls. For most organisations a fractional CAIO is the right answer.

Chief Information Security Officer

DRMLAW does not place a CISO directly. We guide you to a Virtual CISO arrangement through specialist firms we work with, or help you scope, interview and hire a full-time CISO. You contract the CISO; we manage the seam.

Legal Counsel

Practising advocates — not a handoff to outside counsel. Our Founding Partner is enrolled at the Bar Council of West Bengal and can appear before the Data Protection Board under Section 27 and on appeal before TDSAT under Section 29.

Three ways to engage

Choose the level of support you need.

Tier 1

DPDPA Compliance Service Pack

Get audit-ready. Fixed scope. Fixed timeline. Fixed fee.

Right for: MSMEs, educational institutions, healthcare providers, retail businesses, and first-time compliance projects.

  • Data Mapping & RoPA
  • Gap Analysis & remediation roadmap
  • Privacy Notices & Consent Workflows
  • Internal Data Protection Policies
  • Privacy-by-Design Workshop
  • Breach Response SOP & Tabletop Drill
  • Staff Awareness Training
  • Compliance Attestation Pack

DRMLAW manages the entire project. We work with your existing IT team or bring in a system integrator. You don't need to hire anyone new.

Enquire about this tier
Tier 2

Service Pack + DPO as a Service

Compliance delivered. Statutory DPO in place. Ongoing legal cover.

Right for: Significant Data Fiduciaries or organisations approaching that threshold; businesses processing sensitive personal data at scale.

Adds over Tier 1
  • Section 10 statutory DPO with board-level reporting line
  • DPIAs for new products and high-risk activities
  • Vendor & third-party risk reviews
  • CERT-In 6-hour breach notification management
  • Quarterly board reporting
  • Regulator-facing representation before the Data Protection Board of India
Even if your organisation is not yet a Significant Data Fiduciary, appointing an external DPO signals governance maturity to clients, auditors and regulators — at a fraction of a full-time hire.
Enquire about this tier
Most comprehensive
Tier 3

Platinum · Full Programme

One team. Complete accountability. Board to engineering.

Right for: Enterprises with complex, multi-vendor, multi-jurisdiction data ecosystems — AI systems, cross-border operations, regulated sectors.

Adds over Tier 2
Programme Management
  • Single-point programme ownership across all workstreams
  • Monthly board briefings
  • On-call SOC liaison
AI Governance
  • AI Governance framework
  • Algorithm auditing
  • Chief AI Officer advisory function
Security Guidance
  • Vendor selection support — no security software sold
  • Virtual CISO coordination
  • Privacy-Enhancing Technologies (PETs) guidance
Advanced Compliance
  • PIA / DPIA in SDLC
  • Cross-border data transfer impact assessments
  • Continuous vendor monitoring
  • Certification readiness: NIST Privacy Framework, ISO/IEC 31700, ISO 27701
Enquire about this tier
Privacy by Design

We build compliance in — not on.

Bolt-on compliance always shows. A privacy notice taped onto an existing product, consent screens grafted into a signup flow, retention policies invented after the data has already been collected — these patterns are exactly what regulators look for and exactly what break first under scrutiny. DRMLAW embeds compliance from the start, as a property of the system rather than a wrapper around it.

01

Catch problems before they're expensive

PIA / DPIA early in the SDLC — so privacy risks surface during design, before architecture decisions lock in. A fix at the whiteboard stage costs nothing; the same fix after launch can mean a rewrite.

02

Controls built into your technology, not around it

DRMLAW specifies what the controls must do — consent, retention, DSAR, breach detection, AI governance. Your team or integrator implements them inside your existing stack. We do not sell or install the technology.

03

One effort, multiple frameworks satisfied

DPDPA, GDPR, ISO 27701 and NIST Privacy Framework share most of their architectural primitives. Designed-for from the start, a single programme answers every audit — without a parallel compliance project for each regime.

Who we work with

Sectors where DPDPA risk is most material.

Educational Institutions

Student data, parental consent under Section 9, biometric attendance, LMS vendor due diligence.

Healthcare Providers

Sensitive health data, electronic medical records, TPA and insurance data-sharing, telemedicine consent.

Financial Services & NBFCs

DPDPA running concurrently with RBI Digital Lending and SEBI CSCRF — same incident, multiple regulators.

Retail & E-commerce

Loyalty data, payment records, marketing consent, WhatsApp outreach, in-store CCTV and footfall analytics.

Professional Services Firms

Client data held as a Data Fiduciary — confidentiality, retention, cross-border transfer, audit trails.

If you're unsure whether the DPDPA applies to your organisation, take our free 60-second self-assessment.

Take the self-assessment

A dashboard cannot attend a Data Protection Board hearing. When the statutory cap is ₹250 crore, compliance requires legal judgement, the right technology, and a workforce that understands its role — not just a green checkmark.

The team behind DRMLAW

Courtroom advocacy meets enterprise technology delivery.

Founder Partner · Legal lead

Dipak Ranjan Mukherjee

Advocate · Calcutta HC · C.DPO.DA · FDPPI

30+ years of practice in litigation, constitutional law and corporate advisory before the Calcutta High Court, the Supreme Court of India, NCLT and arbitral tribunals. Leads regulator-facing representation under Section 27 of the DPDPA, 2023 and on appeal before TDSAT.

Founder Partner · Technical lead

Rupak Ranjan Mukherjee

C.DPO.DA · FDPPI · Ex-Oracle (OCI) · Ex-TCS · GDPR (UK, 2018)

Founder Partner of DRMLAW LLP. Led Privacy Engineering for an internal Oracle division in Europe through the live GDPR introduction in the United Kingdom in 2018. Prior roles at Oracle and TCS across cloud, identity and large-scale platform delivery in North America, Europe and Asia.

Together, they cover both sides of a DPDP compliance programme — legal obligation and technical delivery.

FAQ

Frequently asked questions

About DRMLAW's model
About roles
About the law
About the engagement
DPDPA hub map

The DPDPA hub.

Every page in this hub answers a different question. Start here, then go deeper where it matters for your role.

Engage

Don't wait for a breach or a regulator's notice to find the gap in your compliance.

An independent, technology-neutral assessment from certified Data Protection Officers and practising advocates — before enforcement, not after.

Phone
+91 98311 61839
Email
Info@drmlaw.in
Offices
Kolkata HQ · 7A K.S. Roy Road
Salt Lake · Sector II
Bengaluru · HSR Layout

This page is general information about the firm and the Digital Personal Data Protection Act, 2023; it is not legal advice. As per Bar Council of India rules, this does not constitute advertising or solicitation.

DRMLAW
DRMLAW
Techno-Legal

DRMLAW is a techno-legal practice combining traditional advocacy with data protection counsel and digital forensics, in compliance with the Bar Council of India's rules on advertisement.

Offices
Kolkata — Office I
7A, K.S. Roy Road
2nd Floor, Suite #10/10
Kolkata 700001
Fax +91 33 22310767
Kolkata — Office II
BJ 19, Sector II, Salt Lake
Kolkata 700091
Bengaluru
153/A, 18th Main, 24th Cross
Sector 3, HSR Layout
Bengaluru 560102, India
© 2026 DRMLAW • drmlaw.in/technolegal
DRMLAW LLPIN: ACZ-5267
Cookie Policy
Bar Council of India Rules disclaimer: The information on this website is provided for general informational purposes only. Nothing herein constitutes solicitation, advertisement or legal advice. Communication does not establish an attorney-client relationship.

Made with Emergent