The Digital Personal Data Protection Act was not written about AI. But the moment personal data — an employee's appraisal, a customer's complaint, a vendor's KYC file — flows into an AI tool, the Act's machinery attaches to that flow. Most organisations we assess have never mapped this. Here are the five questions that mapping must answer.
1. Is personal data going in at all?
Start embarrassingly simple: for each AI tool in use, sanctioned or otherwise, does personal data enter it? Names in a document being summarised count. Customer details in a spreadsheet being analysed count. In our experience, teams dramatically underestimate this — "we only use it for drafting" usually means "we paste in the email thread," and email threads are full of personal data.
2. What is your lawful basis, and does the purpose match?
The DPDP framework rests on consent and certain legitimate uses, bound by purpose. Data collected to process a loan was not collected to train or feed an analytics model. Purpose limitation is where AI use most quietly drifts out of compliance: the data is lawfully held, but the new AI-driven use was never within the purpose for which it was obtained. Every AI use case needs a purpose check against the original collection.
3. Who is the processor, and what do your contracts say?
When your team uses an external AI service, that provider is processing personal data on your behalf — which puts obligations on you as the data fiduciary to bind and oversee them. Free consumer AI tools generally offer no such contractual protections; their terms may even permit using your inputs to improve their models. Enterprise tiers exist precisely to close this gap. If your organisation is on the free tier, question one becomes urgent.
The fiduciary cannot outsource accountability. You can delegate the processing; you cannot delegate the responsibility.
4. Can you honour data-principal rights through the AI pipeline?
Individuals can seek correction and erasure of their personal data. Can you honour an erasure request for data that was pasted into an external tool six months ago? For most organisations the honest answer is no — which is an argument for controlling what enters these tools in the first place, and for choosing providers whose retention terms you can actually verify.
5. Where is your evidence?
This is the accountant's question, and it decides how any scrutiny actually goes. Compliance you cannot evidence is indistinguishable from non-compliance. For each obligation, something must exist: the purpose assessment, the processor terms, the approval record, the training log. We recommend a simple AI-use register — every approved tool, its data classification, its lawful basis, its contract reference — maintained like any other statutory register.
The practical sequence
Answering all five questions across an enterprise sounds heavy. It isn't, if sequenced: inventory the tools (question 1) in week one; run the purpose and processor analysis (questions 2–3) on the handful of tools that matter in week two; then design the rights-handling and evidence habits (questions 4–5) into your standing AI policy. The whole exercise typically fits inside a month — a modest price for being able to answer the regulator, a major customer's due-diligence questionnaire, or your own board with the same calm sentence: yes, we've mapped it, and here is the register.