New Delhi, India|Updated: April 2026
Module 06 · DPDP · IT Act · Data Sovereignty

Regulatory Compliance Compass

Navigate India's evolving data protection, information security, and data sovereignty frameworks applicable to GIS platforms, digital twins, and spatial data systems. 48 compliance checklists across 12 areas.

3 Major Acts · 12 Compliance Areas · 48 Checklists · 6 Risk Areas

Critical Timeline: DPDP Rules 2025 notified in January 2025. Compliance required within 12 months for Significant Data Fiduciaries (SDFs). Most GIS platforms handling citizen data will qualify as SDFs. Failure to comply triggers penalties of ₹50 Cr or 3% of annual turnover.

DPDP Compliance Checklist

Data Collection & Consent
  • ☐ Consent mechanism documented for all personal data (citizen PII, property ownership, grievance data)
  • ☐ Consent notices provided in Hindi + local language, not just English
  • ☐ Purpose of collection explicitly stated (e.g., "property tax assessment", "service delivery")
  • ☐ Granular consent for specific uses (aggregation, analytics, third-party sharing)
  • ☐ Digital consent records maintained with audit trail
Purpose Limitation & Data Minimisation
  • ☐ Data processing limited to stated purpose — no repurposing without fresh consent
  • ☐ Only necessary personal data collected (no over-collection for "future use")
  • ☐ Personal data stripped/anonymised for analytics and non-citizen-facing dashboards
  • ☐ Processing agreements with third parties (cloud providers, integrators) documented
  • ☐ Data flow diagram showing where citizen data travels within and outside system
Data Retention & Deletion Policy
  • ☐ Retention schedule defined for each data category (e.g., grievances deleted after 2 years)
  • ☐ Deletion mechanism implemented — automatic purge or manual deletion on request
  • ☐ "Right to be forgotten" process documented for citizen requests
  • ☐ Deletion from both primary and backup systems (not just primary)
  • ☐ Legal holds documented for cases under litigation or audit
Data Security & Encryption
  • ☐ Encryption in transit (TLS 1.2+) for all citizen data transfers
  • ☐ Encryption at rest (AES-256) for personal data in databases
  • ☐ Key management policy documented — no hardcoded keys in code
  • ☐ Access controls implemented — role-based, least privilege
  • ☐ Multi-factor authentication for admin/sensitive data access
  • ☐ Security audit and penetration testing completed annually
Breach Notification & Accountability
  • ☐ Data breach incident response plan documented
  • ☐ Notification to affected data principals within 30 days of breach discovery
  • ☐ DPIB (Data Protection Impact Board) notified for breaches affecting >1000 individuals
  • ☐ Breach register maintained with incident date, type, number affected, remediation
  • ☐ Data Protection Officer (DPO) appointed and contact details published
  • ☐ Staff training on data handling and breach protocols completed

Impact on GIS Platforms

Citizen-Facing GIS Portals

Obligations: Property tax portals, grievance mapping apps, and public service dashboards must implement granular consent for location data, PII viewing, and any analytics. Restrict dashboard drill-down by ward/zone to prevent individual identification. Implement right-to-be-forgotten workflow.

Survey Data Platforms

Obligations: SVAMITVA, DILRMP, and urban survey platforms collecting property-holder details must separate personal data (name, age, contact) from property spatial data. Use UUID linking, not personal identifiers, in spatial layers. Anonymise historical survey versions.

Property & Cadastral Systems

Obligations: Land record systems must mask landowner PII in public-facing maps and reports. Admin-only views can show details. Implement audit trail for all PII access. Restrict third-party integrations (e.g., property valuation platforms) via processing agreements defining scope and purpose.
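The UUID linking described for survey platforms, together with the PII masking and access audit trail described for cadastral systems, as an added Python example (not code from any platform named on this page). The field names, the `land_records_admin` role and the sample rows are assumptions constructed for illustration; dropping the link from the public export is a design choice of this example.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample survey rows (not real data): PII and geometry arrive together.
RAW_SURVEY = [
    {"owner_name": "A. Kumar", "age": 52, "phone": "9000000001",
     "parcel_no": "W12/045", "geometry": "POLYGON((0 0,0 1,1 1,1 0,0 0))"},
    {"owner_name": "S. Devi", "age": 47, "phone": "9000000002",
     "parcel_no": "W12/046", "geometry": "POLYGON((1 0,1 1,2 1,2 0,1 0))"},
]
PII_FIELDS = ("owner_name", "age", "phone")  # assumed column names

def split_survey(rows):
    """Return (spatial_layer, pii_store); the only link is a random UUID."""
    spatial, pii = [], {}
    for row in rows:
        link = str(uuid.uuid4())  # random, so it cannot be derived from the person
        pii[link] = {k: row[k] for k in PII_FIELDS}
        feature = {k: v for k, v in row.items() if k not in PII_FIELDS}
        spatial.append({"link_id": link, **feature})
    return spatial, pii

def public_layer(spatial):
    """Public map export: drop the link as well, so features cannot be re-joined."""
    return [{k: v for k, v in f.items() if k != "link_id"} for f in spatial]

def admin_lookup(pii, link_id, user, role, audit_log):
    """Admin-only PII view; every attempt, allowed or denied, is logged."""
    allowed = role == "land_records_admin"  # hypothetical role name
    audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user, "link_id": link_id, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{user} may not view owner details")
    return pii[link_id]

if __name__ == "__main__":
    layer, store = split_survey(RAW_SURVEY)
    log = []
    print(public_layer(layer)[0])
    print(admin_lookup(store, layer[0]["link_id"], "officer1",
                       "land_records_admin", log))
    print(log)
```

In a deployment the PII store and the spatial layer would sit in separate databases with separate credentials, so a leak of the spatial layer alone exposes no owner details.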

IT Act 2000 — Key Sections for GIS

Section 43A — Data Protection Obligation

Applicability: All body corporates collecting sensitive personal data via GIS platforms.

Requirement: Implement "reasonable security practices" to protect personal data from unauthorised access, modification, or destruction. Failure results in liability up to ₹5 Cr + criminal penalties.

GIS Impact: Property tax portals, utility mapping with customer details, and smart city IoT data platforms must implement security measures. DPDP Rules now provide more specific guidance than Section 43A alone.

Section 69 — Lawful Interception

Applicability: Central/state agencies can intercept GIS platform communications for national security, public order, or criminal investigation.

Requirement: GIS platform owners must comply with lawful interception requests from law enforcement. They cannot refuse or delay, and must keep interception orders confidential.

GIS Impact: Smart city CCTV-GIS integration and citizen grievance platforms may be subject to surveillance. Platforms must maintain logs of all data access for potential audit. No encryption can prevent lawful interception.

Section 79 — Intermediary Liability Safe Harbour

Applicability: GIS platforms acting as intermediaries (hosting user-generated content, grievance data, citizen reports) can claim safe harbour from liability.

Requirement: Implement content moderation and CoC policies, respond to legal takedown notices within 72 hours, preserve evidence for law enforcement, and have no knowledge of, or part in inducing, illegal activity.

GIS Impact: Citizen grievance mapping and participatory GIS platforms must monitor for illegal content (property disputes, harassment). Remove flagged data promptly. Maintain compliance records.

Note: IT Act provisions remain in force alongside DPDP Act. GIS platforms must comply with BOTH regimes. Where DPDP provides more stringent requirements (e.g., consent, transparency), DPDP takes precedence. IT Act continues to govern cybersecurity, intermediary liability, and lawful interception.

Data Sovereignty & Storage Requirements

India increasingly mandates data localisation for sensitive categories. GIS platforms must understand where different data types can be stored and processed.

| Data Type | Storage Requirement | Cloud OK? | Foreign Access? | Notes |
|---|---|---|---|---|
| Citizen PII (name, address, phone, email) | India only (DPDP) | MeitY cloud | No | DPDP mandates processing in India. Can use MeitY-empanelled CSPs (AWS, Azure, GCP India regions). NO foreign data transfer except for processing agreement. |
| Cadastral Data (survey maps, property boundaries, RoR) | India only (SOI licensing) | On-prem/MeitY | No | Survey of India licensing restricts foreign access. Private sector must store in India. Government agencies can use cloud per empanelled CSP policy. Attribution to SOI required. |
| Defence/Security-Sensitive Data (border areas, security infrastructure maps) | India only (Classified) | No | No | Classified data under Official Secrets Act must NOT be cloud-stored. On-premises in secure facilities only. Requires security clearance for access. |
| Revenue Records (mutation, RoR, tax data) | India only (DoLR) | MeitY cloud | No | DILRMP systems must store in India. MeitY empanelled CSPs permitted. Some state DoLRs mandate on-prem only — verify state-specific policy. |
| IoT Sensor Data (real-time: traffic, air quality, water) | Flexible (no restriction) | Yes | Check terms | No data localisation mandate for sensor streams. Can use global cloud. If linked to citizen/location data, apply relevant restrictions. |
| Satellite Imagery & Aerial Data (high-res imagery) | India storage (DPMSO guidelines) | On-prem preferred | No | Geospatial Guidelines 2021 permit civilian high-res imagery collection, but storage restrictions apply to 10m+ resolution data. Foreign sharing restricted. SOI approval for national-level distribution. |

Cloud Compliance Risk: Many GIS projects default to global cloud providers (AWS US, Azure global) without checking data type restrictions. Storing Indian citizen PII or cadastral data in foreign data centres violates DPDP and SOI licensing. Always architect for India-region-only storage for sensitive layers. Use AWS Mumbai, Azure India, GCP Delhi regions for MeitY-empanelled services.
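One way to catch the misplacement described above before deployment, as an added Python example (not code from any platform or regulator named on this page): a check that runs a storage inventory against the table's rules, including the rule that sensor data linked to citizen data inherits the stricter restriction. The data-class keys, the inventory and the `on-prem-india` label are constructed; the region identifiers are assumed to correspond to the AWS Mumbai, Azure India and GCP Delhi regions named above and should be confirmed against your own empanelled-CSP list.

```python
# Rules transcribed from the page's storage table: india_only = must stay in
# India; cloud = may sit with a cloud provider (False = on-premises only).
RULES = {
    "citizen_pii":       {"india_only": True,  "cloud": True},
    "cadastral":         {"india_only": True,  "cloud": True},
    "defence":           {"india_only": True,  "cloud": False},
    "revenue_records":   {"india_only": True,  "cloud": True},
    "iot_sensor":        {"india_only": False, "cloud": True},
    "satellite_imagery": {"india_only": True,  "cloud": True},
}
ON_PREM = "on-prem-india"  # hypothetical label for an in-country data centre
# Assumption: region identifiers for AWS Mumbai, Azure India and GCP Delhi.
INDIA_LOCATIONS = {"ap-south-1", "centralindia", "southindia", "westindia",
                   "asia-south2", ON_PREM}

# Constructed inventory (not a real deployment).
INVENTORY = [
    {"name": "ward_property_tax", "data_class": "citizen_pii",
     "location": "us-east-1"},
    {"name": "parcel_boundaries", "data_class": "cadastral",
     "location": "ap-south-1"},
    {"name": "air_quality_stream", "data_class": "iot_sensor",
     "location": "eu-west-1"},
    {"name": "smart_meter_stream", "data_class": "iot_sensor",
     "linked_to": ["citizen_pii"], "location": "eu-west-1"},
    {"name": "border_infra_map", "data_class": "defence",
     "location": "centralindia"},
]

def effective_rule(layer):
    """A layer inherits the strictest rule of every data class it is linked to."""
    classes = [layer["data_class"], *layer.get("linked_to", [])]
    return {"india_only": any(RULES[c]["india_only"] for c in classes),
            "cloud": all(RULES[c]["cloud"] for c in classes)}

def violations(inventory):
    """Return (layer name, reason) for every layer stored against its rule."""
    found = []
    for layer in inventory:
        rule, loc = effective_rule(layer), layer["location"]
        if rule["india_only"] and loc not in INDIA_LOCATIONS:
            found.append((layer["name"], f"{loc} is outside India"))
        elif not rule["cloud"] and loc != ON_PREM:
            found.append((layer["name"], "must stay on-premises, not in cloud"))
    return found

if __name__ == "__main__":
    for name, reason in violations(INVENTORY):
        print(f"FAIL {name}: {reason}")
```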

Geospatial Data Guidelines 2021 & NSDI Compliance

Geospatial Data Acquisition & Liberalisation
  • ☐ Drone surveys permitted for civilians without SoI/MoD approval (under DST liberalisation 2021)
  • ☐ Foreign data sources (Google imagery, Copernicus) accessible but attribution required
  • ☐ Accuracy: Sub-meter civilian acquisition permitted. <10m resolution imagery open-source
  • ☐ Restricted areas: Border zones (100 km) require additional approvals from DGPS/DST
  • ☐ Private commercial GIS data collection now permitted — must register with DST portal
NSDI Compliance & Interoperability
  • ☐ Spatial data adheres to NSDI standards (WGS84 UTM projection for India)
  • ☐ Metadata recorded in standardized Dublin Core + ISO 19115 format
  • ☐ Data shared via NSDI-compliant APIs and WMS/WFS services
  • ☐ ISO/IEC 19115 metadata mandatory for all government spatial data (data.gov.in registration)
  • ☐ Unique dataset identifiers and version control implemented
SoI Attribution & Licensing
  • ☐ All Survey of India base maps include SoI copyright notice and attribution
  • ☐ Derivative maps from SoI must cite source (e.g., "Based on SoI Topomap")
  • ☐ SoI licensing for digital topo maps followed (Open data policy for 1:50k+)
  • ☐ No modification of SoI base layers without explicit license
  • ☐ NIC-issued SoI historical imagery properly cited with date and source classification