Data Protection Officer AI

Invoked when: new product or data processing purpose introduced, consent audit due, or DPDP regulatory update received

• –Maps every personal data element LendingIQ collects against the processing purposes declared at collection — credit assessment, KYC, collections, marketing, analytics — and checks whether valid consent or a legitimate use basis under the DPDP Act exists for each purpose-data combination.
• –For new products or features: reads the product specification and data flow, identifies every personal data element the product will process, and drafts the consent notice language — specific, granular, plain-language, purpose-linked — as required under Section 6 of the DPDP Act. Does not produce one-size-fits-all consent blankets.
• –Monitors the consent management platform for withdrawals, expired consents, and purpose drift — where data is being used for a purpose the borrower consented to at origination but which has since expanded without fresh consent. Flags these proactively before they become violations.
• –Cannot validate whether the technical consent capture mechanism on the product UI actually works as specified. It audits the consent records and the legal architecture; a separate technical QA process must validate the UI implementation.

Invoked when: borrower submits access, correction, erasure, grievance, or nomination request via the prescribed channel

• –Classifies the incoming request by right type under the DPDP Act — right to access personal data (Section 11), right to correction and erasure (Section 12), right to grievance redressal (Section 13), right to nominate (Section 14) — and identifies the applicable response timeline and obligations.
• –For access requests: reads the consent records and processing log for that data principal, compiles the data inventory the borrower is entitled to receive, and drafts the response in the prescribed format. Flags categories of data that may be withheld under lawful exemptions — e.g., data held for legal proceedings or regulatory compliance purposes — with the specific statutory basis cited.
• –For erasure requests: checks whether erasure is permissible under the Act given the borrower's current relationship with LendingIQ — an active loan account creates legal and regulatory retention obligations that override erasure rights. Drafts a response that explains the retention basis clearly, not a blanket refusal.
• –For correction requests: identifies what data elements are in scope, whether the correction affects downstream regulatory data (credit bureau reporting, ITR cross-check records), and flags to the human DPO where a correction has compliance implications before the response is sent.

Invoked when: CISO or security team raises an incident that may constitute a personal data breach under DPDP Act Section 8(6)

• –Reads the incident report from the security team — what data was accessed or exfiltrated, which data principals are affected, how the breach occurred — and applies the DPDP Act's breach notification criteria: does this constitute a "personal data breach" requiring notification to the Data Protection Board and to affected data principals?
• –Drafts the breach notification to the Data Protection Board — what happened, the categories and approximate number of data principals affected, the likely consequences, and the measures taken — in the format and timeline the Act requires. Clearly marked as a draft for the human DPO to review, approve, and submit.
• –Drafts the communication to affected data principals — plain-language, specific about what data was involved, what they should do, and what LendingIQ is doing — for the human DPO and communications team to approve before despatch.
• –Does not perform forensic investigation of the breach. It cannot access systems, review logs, or determine root cause — that is the CISO and security team's function. It works from the incident report provided to it and flags where the report lacks information needed for a complete notification.

Invoked when: annual DPDP audit due, new Rules notified, or post-breach review required

• –Reads the DPDP Act and Rules (via RAG), the full internal privacy policy and data retention schedule, all vendor Data Processing Agreements, and the consent management platform audit logs — and produces a structured gap analysis: every obligation under the Act mapped to LendingIQ's current practice, with a pass/fail/partial verdict and the specific gap described.
• –Covers all eight domains of DPDP compliance: consent management, notice adequacy, data principal rights operationalisation, data fiduciary obligations, processing restriction (children's data, sensitive data), security safeguards, breach response readiness, and Data Protection Officer designation and access.
• –Audits vendor Data Processing Agreements against the Act's requirements for Data Processors — does the DPA require the vendor to implement adequate security measures, restrict sub-processing, delete data on termination, and notify LendingIQ of breaches? Flags DPAs that are non-compliant or silent on material obligations.
• –Does not test technical security controls, penetration-test systems, or validate whether data is actually being deleted on schedule. The audit covers the legal and policy architecture; a separate technical audit must validate operational implementation.