bmad-plus 0.7.4 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -407
- package/LICENSE +21 -0
- package/README.md +555 -446
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -175
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,173 +1,173 @@
|
|
|
1
|
-
# DPDPA vs GDPR — Compliance Comparison Reference
|
|
2
|
-
|
|
3
|
-
For compliance teams that are GDPR-experienced and are mapping obligations under
|
|
4
|
-
India's Digital Personal Data Protection Act, 2023.
|
|
5
|
-
|
|
6
|
-
---
|
|
7
|
-
|
|
8
|
-
## Quick Terminology Map
|
|
9
|
-
|
|
10
|
-
| GDPR Term | DPDPA Equivalent |
|
|
11
|
-
|-----------|-----------------|
|
|
12
|
-
| Data Controller | **Data Fiduciary** |
|
|
13
|
-
| Data Subject | **Data Principal** |
|
|
14
|
-
| Data Processor | **Data Processor** (same) |
|
|
15
|
-
| High-Risk Controller | **Significant Data Fiduciary (SDF)** |
|
|
16
|
-
| Supervisory Authority / DPA | **Data Protection Board of India (DPBI)** |
|
|
17
|
-
| Lawful Basis / Legal Ground | **Ground for Processing** |
|
|
18
|
-
| Legitimate Interests | **No equivalent** — does not exist under DPDPA |
|
|
19
|
-
| Adequacy Decision | **No equivalent** — DPDPA uses blacklist, not whitelist |
|
|
20
|
-
| Standard Contractual Clauses | **No equivalent prescribed** — contractual safeguards required but SCC-style mechanism not prescribed |
|
|
21
|
-
| Privacy Notice | **Notice** (Section 5 + Rule 3) |
|
|
22
|
-
| Data Subject Rights | **Data Principal Rights** (Sections 11–14) |
|
|
23
|
-
| Data Protection Impact Assessment | **DPIA** (SDFs only, Rule 13) |
|
|
24
|
-
| Data Protection Officer | **Data Protection Officer** (SDFs only; must be India-resident) |
|
|
25
|
-
| Right to be Forgotten | **Right to Erasure** (Section 12(3) — narrower than GDPR) |
|
|
26
|
-
|
|
27
|
-
---
|
|
28
|
-
|
|
29
|
-
## 8 Substantive Differences
|
|
30
|
-
|
|
31
|
-
### 1. Scope: Digital-Only vs. All Personal Data
|
|
32
|
-
|
|
33
|
-
| Dimension | GDPR | DPDPA |
|
|
34
|
-
|-----------|------|-------|
|
|
35
|
-
| Data medium | ALL personal data — digital, paper, audio, visual | Only **digital personal data** (or data subsequently digitised) |
|
|
36
|
-
| Physical records | Covered | Excluded unless digitised |
|
|
37
|
-
| Verbal data | Covered if recorded | Only if converted to digital form |
|
|
38
|
-
|
|
39
|
-
**Implication:** Organisations can maintain some non-digital records outside DPDPA scope. However, any digitisation triggers DPDPA applicability. Organisations should not rely on keeping data non-digital as a compliance strategy — most operational data is inherently digital.
|
|
40
|
-
|
|
41
|
-
---
|
|
42
|
-
|
|
43
|
-
### 2. Lawful Bases: Closed List vs. Balancing Test
|
|
44
|
-
|
|
45
|
-
| Dimension | GDPR | DPDPA |
|
|
46
|
-
|-----------|------|-------|
|
|
47
|
-
| Number of lawful bases | 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) | **2** (consent; or 8 enumerated "legitimate uses") |
|
|
48
|
-
| Legitimate interests | Yes — balancing test: organisation's interest vs. individual rights | **No** — does not exist |
|
|
49
|
-
| Contract performance | Yes — broad category | Narrow: covered only where it falls under employment (Section 7(e)) or specified purpose (Section 7(a)) |
|
|
50
|
-
| Flexibility | High — large class of processing can be justified on legitimate interests | Low — any processing not fitting 8 categories requires consent |
|
|
51
|
-
|
|
52
|
-
**Implication:** GDPR practitioners who rely on **legitimate interests** for analytics, fraud prevention, marketing to existing customers, or B2B data processing must map these use cases to either **consent** or one of the 8 Section 7 categories under the DPDPA. Most commercial analytics, profiling, and B2C marketing will require explicit consent.
|
|
53
|
-
|
|
54
|
-
---
|
|
55
|
-
|
|
56
|
-
### 3. Consent: "Unconditional" vs. "Freely Given"
|
|
57
|
-
|
|
58
|
-
| Dimension | GDPR | DPDPA |
|
|
59
|
-
|-----------|------|-------|
|
|
60
|
-
| Consent standard | Freely given, specific, informed, unambiguous | Free, specific, informed, **unconditional**, unambiguous |
|
|
61
|
-
| Bundled consent | Problematic under GDPR but not explicitly banned | **Explicitly prohibited** — consent cannot be bundled with service provision |
|
|
62
|
-
| Conditional processing | Possible via other lawful bases (contract, legitimate interests) | If service cannot be provided without consent, consent validity is questionable |
|
|
63
|
-
| Mechanism | Clear affirmative action (no pre-ticked boxes) | Same: clear affirmative action |
|
|
64
|
-
|
|
65
|
-
**Implication:** The DPDPA's addition of "unconditional" and explicit bundling prohibition is stricter than GDPR in practice. An "accept our privacy policy to use this app" mechanism is more clearly unlawful under DPDPA than under GDPR (where it might survive if the processing is genuinely necessary for the contract).
|
|
66
|
-
|
|
67
|
-
---
|
|
68
|
-
|
|
69
|
-
### 4. Cross-Border Data Transfers: Blacklist vs. Whitelist
|
|
70
|
-
|
|
71
|
-
| Dimension | GDPR | DPDPA |
|
|
72
|
-
|-----------|------|-------|
|
|
73
|
-
| Default position | **Restrictive** — transfers only to countries with adequacy or via SCCs, BCRs, etc. | **Permissive** — transfers allowed to all countries except notified restricted ones |
|
|
74
|
-
| Transfer mechanism required | Adequacy decision, SCCs, BCRs, binding corporate rules, derogations | **None required** — no adequacy assessment, no SCC-equivalent |
|
|
75
|
-
| Current restricted list | EU publishes list of adequate and inadequate countries | **No restricted countries notified** (April 2026) |
|
|
76
|
-
| Contractual documentation | Detailed SCC/BCR documentation required | Contractual safeguards with recipients recommended but not yet specified |
|
|
77
|
-
| Legal certainty | High (established mechanism) | Lower (uncertainty until blacklist notifications) |
|
|
78
|
-
|
|
79
|
-
**Implication:** For organisations currently applying GDPR SCCs, DPDPA does not require equivalent mechanisms. However, the lack of formal restrictions does not mean absence of accountability. Future notifications could restrict transfers, and organisations should maintain data flow maps and basic contractual protections.
|
|
80
|
-
|
|
81
|
-
---
|
|
82
|
-
|
|
83
|
-
### 5. Right to Erasure: Narrower vs. Broader
|
|
84
|
-
|
|
85
|
-
| Dimension | GDPR Art. 17 | DPDPA Section 12(3) |
|
|
86
|
-
|-----------|-------------|---------------------|
|
|
87
|
-
| Trigger grounds | Data no longer necessary; consent withdrawn; objection; unlawful processing; child consent; legal obligation | Data **no longer necessary for the specified purpose** |
|
|
88
|
-
| Right against profiling | Yes — right to erasure when objecting to profiling | No equivalent right to object to profiling |
|
|
89
|
-
| Historical/archival data | Specific exemptions for public interest archiving | Research/archiving exemption (Section 17(f)) |
-
| Children's "fading memory" | Enhanced right for minors' data posted online | Not explicitly addressed |
-
-
**Implication:** DPDPA's erasure right is narrower and more formulaic. The primary trigger is purpose fulfilment. Organisations can retain data lawfully so long as the specified purpose persists and retention is legally required or operationally necessary.
-
-
---
-
-
### 6. Data Protection Officer: SDFs Only vs. Broad Requirement
-
-
| Dimension | GDPR | DPDPA |
-
|-----------|------|-------|
-
| Mandatory for | Public authorities + large-scale systematic monitoring + large-scale special category processing | **Significant Data Fiduciaries only** (government-designated) |
-
| Location requirement | No mandatory location requirement | Must be **resident in India** |
-
| Role | Advisory; must report to highest management; protected from dismissal for role performance | Sole representative before Board; Data Principal grievance contact |
-
| Voluntary DPO | Not prohibited; recommended for smaller processors | Not addressed |
-
-
**Implication:** Most organisations that were required to appoint a GDPR DPO may NOT be required to appoint one under DPDPA (only if designated as SDF). However, assigning a senior privacy professional in an equivalent role is strongly recommended for compliance governance and Board interaction readiness.
-
-
---
-
-
### 7. Children's Data: Stricter Age Threshold and Broader Prohibitions
-
-
| Dimension | GDPR | DPDPA |
-
|-----------|------|-------|
-
| Age threshold | **16 years** (default; member states may lower to 13) | **18 years** (uniform; no variation) |
-
| Parental consent age range | 13–16 (varies by member state) | **All under 18** require verifiable parental consent |
-
| Behavioural monitoring | Permitted with appropriate legal basis | **Prohibited** for all children (Section 9(2)) |
-
| Targeted advertising | Permitted with appropriate consent/legal basis | **Prohibited** for all children (Section 9(2)) |
-
| Verification mechanism | Not specifically prescribed | Prescribed: DigiLocker, government tokens, existing data (Rule 12) |
-
-
**Implication:** DPDPA's 18-year threshold is more protective than GDPR's for the 16–17 age band. Organisations operating platforms accessible to teenagers must implement robust age-gate mechanisms in India, even if they have successfully managed GDPR compliance for 16–17 year olds in the EU.
-
-
---
-
-
### 8. Enforcement Model: Centralised Single Body vs. Decentralised Multi-Authority
-
-
| Dimension | GDPR | DPDPA |
-
|-----------|------|-------|
-
| Enforcement bodies | 27+ national DPAs + EDPB coordination | **Single** Data Protection Board of India |
-
| Proactive investigation | DPAs can investigate proactively | Board is primarily complaint-driven; no stated proactive investigation power |
-
| Guidance authority | DPAs issue binding guidance and opinions | **Board has no guidance-issuing power** — guidance comes from MeitY (non-binding) |
-
| One-stop-shop | GDPR one-stop-shop for cross-border processing | Not applicable (single authority) |
-
| Max penalty | **€20M or 4% of global annual turnover** | **₹250 crore (~USD 30M)** — fixed amount; no turnover-linked cap |
-
| Penalty impact on large companies | Very high (4% of global turnover for large multinationals) | Fixed INR amounts — less severe for large global companies, but not trivial for mid-sized organisations |
-
-
**Implication:** GDPR penalties are more financially severe for global multinationals (% of turnover). DPDPA fixed-amount penalties are more predictable but may be less deterrent for large tech companies. For Indian SMEs and startups, DPDPA penalties could be existential (₹200–250 crore against a startup). The Board lacks proactive investigation and guidance-issuing powers — a significant structural difference from GDPR DPAs.
-
-
---
-
-
## Common GDPR-to-DPDPA Compliance Gaps
-
-
| GDPR-compliant practice | DPDPA status | Action needed |
-
|------------------------|-------------|---------------|
-
| Relies on "legitimate interests" for marketing analytics | **INVALID** — no equivalent basis | Obtain consent or cease processing |
-
| Privacy notice in T&Cs | **NON-COMPLIANT** — notice must be standalone, independent (Rule 3) | Separate, redesign notice |
-
| DPO based outside India | **NON-COMPLIANT** (for SDFs) | Appoint India-resident DPO if SDF-designated |
-
| SCCs for international transfers | **Not required, but not prohibited** | No action required; maintain contractual record |
-
| Age threshold 16 years | **NON-COMPLIANT** — DPDPA requires 18 | Implement 18-year age gate in India |
-
| Pre-ticked consent boxes | **NON-COMPLIANT** — same standard as GDPR | Remove; implement affirmative opt-in |
-
| DPIA for large-scale processing | Only for **SDFs** | Defer unless SDF designation received |
-
| Consent withdrawal by email | **LIKELY NON-COMPLIANT** — must be as easy as giving consent | Implement one-click/in-app withdrawal |
-
| Data processing agreements with vendors | Required (Rule 16) — similar to GDPR Art. 28 | Update contracts with DPDPA-specific terms |
-
| Annual data audit | Only for **SDFs** | Defer unless SDF designation received |
-
-
---
-
-
## Rights Comparison
-
-
| Right | GDPR | DPDPA Section | Notes |
-
|-------|------|--------------|-------|
-
| Right of access | Art. 15 — detailed portability and access rights | Section 11 | DPDPA access right is narrower; no explicit portability right (data portability absent) |
-
| Right to rectification | Art. 16 | Section 12(1) | Equivalent |
-
| Right to erasure | Art. 17 | Section 12(3) | DPDPA narrower — purpose fulfilment only; no objection-based erasure |
-
| Right to restrict processing | Art. 18 | **No equivalent** | Not provided under DPDPA |
-
| Right to data portability | Art. 20 | **No equivalent** | Not provided under DPDPA |
-
| Right to object | Art. 21 | **No equivalent** | Not provided under DPDPA (limited: Data Principal may object to Section 7(a) processing — voluntary data provided for a purpose — per Section 7(a) qualifier "unless specifically objected") |
-
| Rights in automated decision-making | Art. 22 | **No equivalent** | Not provided under DPDPA |
-
| Right to grievance redressal | Not explicit (complaint to DPA available) | Section 13 — explicit | Mandatory grievance mechanism at Fiduciary level; Board as escalation |
-
| Right to nominate | **No equivalent** | Section 14 | Unique to DPDPA |
-
-
**Key absences from DPDPA vs. GDPR:**
-
- No right to data portability
-
- No right to restrict processing
-
- No right to object to processing generally
-
- No rights against automated decision-making and profiling
+
# DPDPA vs GDPR — Compliance Comparison Reference
+
+
For compliance teams that are GDPR-experienced and are mapping obligations under
+
India's Digital Personal Data Protection Act, 2023.
+
+
---
+
+
## Quick Terminology Map
+
+
| GDPR Term | DPDPA Equivalent |
+
|-----------|-----------------|
+
| Data Controller | **Data Fiduciary** |
+
| Data Subject | **Data Principal** |
+
| Data Processor | **Data Processor** (same) |
+
| High-Risk Controller | **Significant Data Fiduciary (SDF)** |
+
| Supervisory Authority / DPA | **Data Protection Board of India (DPBI)** |
+
| Lawful Basis / Legal Ground | **Ground for Processing** |
+
| Legitimate Interests | **No equivalent** — does not exist under DPDPA |
+
| Adequacy Decision | **No equivalent** — DPDPA uses blacklist, not whitelist |
+
| Standard Contractual Clauses | **No equivalent prescribed** — contractual safeguards required but SCC-style mechanism not prescribed |
+
| Privacy Notice | **Notice** (Section 5 + Rule 3) |
+
| Data Subject Rights | **Data Principal Rights** (Sections 11–14) |
+
| Data Protection Impact Assessment | **DPIA** (SDFs only, Rule 13) |
+
| Data Protection Officer | **Data Protection Officer** (SDFs only; must be India-resident) |
+
| Right to be Forgotten | **Right to Erasure** (Section 12(3) — narrower than GDPR) |
+
+
---
+
+
## 8 Substantive Differences
+
+
### 1. Scope: Digital-Only vs. All Personal Data
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Data medium | ALL personal data — digital, paper, audio, visual | Only **digital personal data** (or data subsequently digitised) |
+
| Physical records | Covered | Excluded unless digitised |
+
| Verbal data | Covered if recorded | Only if converted to digital form |
+
+
**Implication:** Organisations can maintain some non-digital records outside DPDPA scope. However, any digitisation triggers DPDPA applicability. Organisations should not rely on keeping data non-digital as a compliance strategy — most operational data is inherently digital.
+
+
---
+
+
### 2. Lawful Bases: Closed List vs. Balancing Test
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Number of lawful bases | 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) | **2** (consent; or 8 enumerated "legitimate uses") |
+
| Legitimate interests | Yes — balancing test: organisation's interest vs. individual rights | **No** — does not exist |
+
| Contract performance | Yes — broad category | Narrow: covered only where it falls under employment (Section 7(e)) or specified purpose (Section 7(a)) |
+
| Flexibility | High — large class of processing can be justified on legitimate interests | Low — any processing not fitting 8 categories requires consent |
+
+
**Implication:** GDPR practitioners who rely on **legitimate interests** for analytics, fraud prevention, marketing to existing customers, or B2B data processing must map these use cases to either **consent** or one of the 8 Section 7 categories under the DPDPA. Most commercial analytics, profiling, and B2C marketing will require explicit consent.
+
+
---
+
+
### 3. Consent: "Unconditional" vs. "Freely Given"
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Consent standard | Freely given, specific, informed, unambiguous | Free, specific, informed, **unconditional**, unambiguous |
+
| Bundled consent | Problematic under GDPR but not explicitly banned | **Explicitly prohibited** — consent cannot be bundled with service provision |
+
| Conditional processing | Possible via other lawful bases (contract, legitimate interests) | If service cannot be provided without consent, consent validity is questionable |
+
| Mechanism | Clear affirmative action (no pre-ticked boxes) | Same: clear affirmative action |
+
+
**Implication:** The DPDPA's addition of "unconditional" and explicit bundling prohibition is stricter than GDPR in practice. An "accept our privacy policy to use this app" mechanism is more clearly unlawful under DPDPA than under GDPR (where it might survive if the processing is genuinely necessary for the contract).
+
+
---
+
+
### 4. Cross-Border Data Transfers: Blacklist vs. Whitelist
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Default position | **Restrictive** — transfers only to countries with adequacy or via SCCs, BCRs, etc. | **Permissive** — transfers allowed to all countries except notified restricted ones |
+
| Transfer mechanism required | Adequacy decision, SCCs, BCRs, binding corporate rules, derogations | **None required** — no adequacy assessment, no SCC-equivalent |
+
| Current restricted list | EU publishes list of adequate and inadequate countries | **No restricted countries notified** (April 2026) |
+
| Contractual documentation | Detailed SCC/BCR documentation required | Contractual safeguards with recipients recommended but not yet specified |
+
| Legal certainty | High (established mechanism) | Lower (uncertainty until blacklist notifications) |
+
+
**Implication:** For organisations currently applying GDPR SCCs, DPDPA does not require equivalent mechanisms. However, the lack of formal restrictions does not mean absence of accountability. Future notifications could restrict transfers, and organisations should maintain data flow maps and basic contractual protections.
+
+
---
+
+
### 5. Right to Erasure: Narrower vs. Broader
+
+
| Dimension | GDPR Art. 17 | DPDPA Section 12(3) |
+
|-----------|-------------|---------------------|
+
| Trigger grounds | Data no longer necessary; consent withdrawn; objection; unlawful processing; child consent; legal obligation | Data **no longer necessary for the specified purpose** |
+
| Right against profiling | Yes — right to erasure when objecting to profiling | No equivalent right to object to profiling |
+
| Historical/archival data | Specific exemptions for public interest archiving | Research/archiving exemption (Section 17(f)) |
+
| Children's "fading memory" | Enhanced right for minors' data posted online | Not explicitly addressed |
+
+
**Implication:** DPDPA's erasure right is narrower and more formulaic. The primary trigger is purpose fulfilment. Organisations can retain data lawfully so long as the specified purpose persists and retention is legally required or operationally necessary.
+
+
---
+
+
### 6. Data Protection Officer: SDFs Only vs. Broad Requirement
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Mandatory for | Public authorities + large-scale systematic monitoring + large-scale special category processing | **Significant Data Fiduciaries only** (government-designated) |
+
| Location requirement | No mandatory location requirement | Must be **resident in India** |
+
| Role | Advisory; must report to highest management; protected from dismissal for role performance | Sole representative before Board; Data Principal grievance contact |
+
| Voluntary DPO | Not prohibited; recommended for smaller processors | Not addressed |
+
+
**Implication:** Most organisations that were required to appoint a GDPR DPO may NOT be required to appoint one under DPDPA (only if designated as SDF). However, assigning a senior privacy professional in an equivalent role is strongly recommended for compliance governance and Board interaction readiness.
+
+
---
+
+
### 7. Children's Data: Stricter Age Threshold and Broader Prohibitions
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Age threshold | **16 years** (default; member states may lower to 13) | **18 years** (uniform; no variation) |
+
| Parental consent age range | 13–16 (varies by member state) | **All under 18** require verifiable parental consent |
+
| Behavioural monitoring | Permitted with appropriate legal basis | **Prohibited** for all children (Section 9(2)) |
+
| Targeted advertising | Permitted with appropriate consent/legal basis | **Prohibited** for all children (Section 9(2)) |
+
| Verification mechanism | Not specifically prescribed | Prescribed: DigiLocker, government tokens, existing data (Rule 12) |
+
+
**Implication:** DPDPA's 18-year threshold is more protective than GDPR's for the 16–17 age band. Organisations operating platforms accessible to teenagers must implement robust age-gate mechanisms in India, even if they have successfully managed GDPR compliance for 16–17 year olds in the EU.
+
+
---
+
+
### 8. Enforcement Model: Centralised Single Body vs. Decentralised Multi-Authority
+
+
| Dimension | GDPR | DPDPA |
+
|-----------|------|-------|
+
| Enforcement bodies | 27+ national DPAs + EDPB coordination | **Single** Data Protection Board of India |
+
| Proactive investigation | DPAs can investigate proactively | Board is primarily complaint-driven; no stated proactive investigation power |
+
| Guidance authority | DPAs issue binding guidance and opinions | **Board has no guidance-issuing power** — guidance comes from MeitY (non-binding) |
+
| One-stop-shop | GDPR one-stop-shop for cross-border processing | Not applicable (single authority) |
+
| Max penalty | **€20M or 4% of global annual turnover** | **₹250 crore (~USD 30M)** — fixed amount; no turnover-linked cap |
+
| Penalty impact on large companies | Very high (4% of global turnover for large multinationals) | Fixed INR amounts — less severe for large global companies, but not trivial for mid-sized organisations |
+
+
**Implication:** GDPR penalties are more financially severe for global multinationals (% of turnover). DPDPA fixed-amount penalties are more predictable but may be less deterrent for large tech companies. For Indian SMEs and startups, DPDPA penalties could be existential (₹200–250 crore against a startup). The Board lacks proactive investigation and guidance-issuing powers — a significant structural difference from GDPR DPAs.
+
+
---
+
+
## Common GDPR-to-DPDPA Compliance Gaps
+
+
| GDPR-compliant practice | DPDPA status | Action needed |
+
|------------------------|-------------|---------------|
+
| Relies on "legitimate interests" for marketing analytics | **INVALID** — no equivalent basis | Obtain consent or cease processing |
+
| Privacy notice in T&Cs | **NON-COMPLIANT** — notice must be standalone, independent (Rule 3) | Separate, redesign notice |
+
| DPO based outside India | **NON-COMPLIANT** (for SDFs) | Appoint India-resident DPO if SDF-designated |
+
| SCCs for international transfers | **Not required, but not prohibited** | No action required; maintain contractual record |
+
| Age threshold 16 years | **NON-COMPLIANT** — DPDPA requires 18 | Implement 18-year age gate in India |
+
| Pre-ticked consent boxes | **NON-COMPLIANT** — same standard as GDPR | Remove; implement affirmative opt-in |
+
| DPIA for large-scale processing | Only for **SDFs** | Defer unless SDF designation received |
+
| Consent withdrawal by email | **LIKELY NON-COMPLIANT** — must be as easy as giving consent | Implement one-click/in-app withdrawal |
+
| Data processing agreements with vendors | Required (Rule 16) — similar to GDPR Art. 28 | Update contracts with DPDPA-specific terms |
+
| Annual data audit | Only for **SDFs** | Defer unless SDF designation received |
+
+
---
+
+
## Rights Comparison
+
+
| Right | GDPR | DPDPA Section | Notes |
+
|-------|------|--------------|-------|
+
| Right of access | Art. 15 — detailed portability and access rights | Section 11 | DPDPA access right is narrower; no explicit portability right (data portability absent) |
+
| Right to rectification | Art. 16 | Section 12(1) | Equivalent |
+
| Right to erasure | Art. 17 | Section 12(3) | DPDPA narrower — purpose fulfilment only; no objection-based erasure |
+
| Right to restrict processing | Art. 18 | **No equivalent** | Not provided under DPDPA |
+
| Right to data portability | Art. 20 | **No equivalent** | Not provided under DPDPA |
+
| Right to object | Art. 21 | **No equivalent** | Not provided under DPDPA (limited: Data Principal may object to Section 7(a) processing — voluntary data provided for a purpose — per Section 7(a) qualifier "unless specifically objected") |
+
| Rights in automated decision-making | Art. 22 | **No equivalent** | Not provided under DPDPA |
+
| Right to grievance redressal | Not explicit (complaint to DPA available) | Section 13 — explicit | Mandatory grievance mechanism at Fiduciary level; Board as escalation |
+
| Right to nominate | **No equivalent** | Section 14 | Unique to DPDPA |
+
+
**Key absences from DPDPA vs. GDPR:**
+
- No right to data portability
+
- No right to restrict processing
+
- No right to object to processing generally
+
- No rights against automated decision-making and profiling
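Review bot: the entire file is shown as removed and re-added with line-for-line identical text (the `-` block for lines 70 to 173 matches the `+` block for the same lines word for word), which normally indicates a line-ending or whitespace-only rewrite rather than a content change; confirm that this is intended, because a whole-file churn like this hides any real edit in the file history and makes later diffs of this reference harder to review. Three statutory citations in the re-added text also need correcting before this ships: in the "Lawful Bases" table, employment processing is the legitimate use in Section 7(i), not 7(e), and Section 7 enumerates nine legitimate uses, clauses (a) to (i), not eight; in the "Children's Data" table, the prohibition on tracking, behavioural monitoring and targeted advertising directed at children is Section 9(3), not 9(2) (9(2) is the bar on processing likely to cause a detrimental effect on a child's well-being); and in the "Right to Erasure" table, the research, archiving and statistical exemption is Section 17(2)(b), not "Section 17(f)". Suggested replacements for the affected cells: `Narrow: covered only where it falls under employment (Section 7(i)) or specified purpose (Section 7(a))`, `**Prohibited** for all children (Section 9(3))`, and `Research/archiving exemption (Section 17(2)(b))`.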