About This Changelog
This page tracks every material change to Privacipher, with a particular focus on legal accuracy corrections. Each entry references the primary legal source that prompted the change. The tool is actively maintained; regulatory developments, new judicial guidance, and user-reported inaccuracies are incorporated on a best-efforts basis. If you identify an inaccuracy, please reach out via LinkedIn.
3 Major Versions | 9 Frameworks Covered | 6 Tool Pages | Last Updated: 2026
v3.0
31 March 2026
Current
Major Feature Release
Renamed to Privacipher. Full tool expansion: Breach Playbook, Comparison Matrix, Enforcement Calendar, About page, Changelog. Five legal accuracy corrections verified against primary sources: Saudi PDPL LI basis (Royal Decree M/148), UAE PDPL penalty (AED 5M maximum), DPDPA Rule 7 two-step notification structure, Brazil LGPD breach notification (ANPD Resolution No. 15/2024, 3 business days), DPDPA core obligations commencement confirmed as May 2027.
Legal Accuracy Corrections
Saudi PDPL: Legitimate Interests Basis Added (2023 Amendment)
The tool previously stated that the Saudi PDPL "does not provide a general legitimate interests balancing test as an open-ended basis." This was accurate for the original 2021 law but incorrect for the current amended text. Royal Decree M/148 (27 March 2023) introduced legitimate interests as a valid lawful basis for non-sensitive personal data, subject to a balancing condition that the LI must not override data subject rights. This basis does not apply to sensitive personal data. The sa1 question text, help text, remediation guidance, the DPDPA vs GDPR divergence table, and terms.html Section 3 have all been updated to reflect the amended law.
Saudi PDPL | Royal Decree M/148, 27 March 2023 | Implementing Regs | Verified against: Clyde & Co (Apr 2023), CMS Law (Sep 2025), Chambers & Partners Practice Guide (2025)
Legal Accuracy Correction
UAE PDPL: "Free of Charge" Rights Claim Corrected
The ae2 help text previously stated "Rights must be exercisable free of charge" as a firm legal requirement. A review of the primary text (Federal Decree-Law No. 45/2021 and Cabinet Resolution No. 33/2022) confirmed that no explicit provision equivalent to GDPR Art. 12(5) mandating free exercise of rights appears in the UAE PDPL. This has been corrected: the claim is now framed as best practice aligned with the GDPR model, pending explicit UAEDO guidance. The terms.html UAE PDPL accuracy note has been updated correspondingly.
UAE PDPL | Fed. Decree-Law No. 45/2021 | Cabinet Resolution No. 33/2022 | Reviewed: Bird & Bird UAE PDPL analysis, Baker McKenzie Global Data Handbook (UAE), UAEDO primary text
Legal Accuracy Correction
DPDPA Commencement Confirmed: Core Obligations Operative from May 2027, Not Immediately
An earlier draft analysis had suggested that "core obligations are operative from the Rules notification date." Research against multiple credible sources confirmed that this was incorrect. Sections 3-17 of the DPDPA (including notice, consent, fiduciary obligations, data principal rights, security, breach notification, SDF obligations, penalties, and enforcement powers) only come into force 18 months from the notification date, i.e., 13 May 2027. The enforcement banner on index.html correctly reflects this. The analysis has been corrected in the project documentation.
DPDPA 2023 ss.3-17 | Commencement Notification 13 Nov 2025 | Verified against: IFF Statement (Nov 2025), Lexology analysis (Nov 2025), Mondaq (Mar 2026), KPMG DPDP Rules 2025 guidance, DLA Piper Data Protection Laws (India)
Research Verification
DPDPA Rule 7: Breach Notification is a Two-Step Regime, Not a Single 72-Hour Clock
The tool previously described DPDPA breach notification as a single "72-hour DPAB notification" (mirroring GDPR Art. 33). This was inaccurate. The final DPDP Rules 2025 establish a two-step regime under Rule 7. Step 1 ("without delay"): the Data Fiduciary must simultaneously notify (a) every affected Data Principal under Rule 7(1) with a full description of the breach, likely consequences, mitigation steps, and contact details; and (b) the DPAB under Rule 7(2)(a) with an initial brief description of the breach nature, extent, timing, location, and likely impact. Step 2 (within 72 hours): the Data Fiduciary must provide the DPAB a detailed follow-up report under Rule 7(2)(b) covering causes, mitigation measures, findings on the responsible party, remedial steps, and a summary of Data Principal notifications sent. The 72-hour window governs the detailed follow-up report to the DPAB only. The d15 question and help text, g10 help text, the Breach Notification Scope divergence entry, the breach.html India FW_DATA deadlines and checklists, and the compare.html breach notification cell have all been updated to reflect the correct two-step structure.
DPDP Rules 2025 Rule 7(1), 7(2)(a), 7(2)(b) | Official Gazette (G.S.R. 846(E)) | Verified against: KPMG DPDP Rules 2025 guidance, Baker Botts analysis (Nov 2025), Ikigai Law (Nov 2025), MediaNama (Nov 2025), dpdpa.com Rule 7 text
Legal Accuracy Correction
Brazil LGPD Breach Notification: Corrected to 3 Business Days under ANPD Resolution No. 15/2024
The tool previously stated the Brazil LGPD breach notification deadline as "2 business days (preliminary RAI)" with a "30 business day supplementary report," both attributed to "ANPD Resolution CD/ANPD No. 2." All three were incorrect. The correct governing instrument is ANPD Resolution CD/ANPD No. 15/2024 (approved 24 April 2024, published 26 April 2024, in force immediately). Under Resolution No. 15/2024, the standard timeline is 3 business days from confirming personal data was affected. Where full details are unavailable within that window, a preliminary notice must still be filed within 3 business days, to be supplemented within 20 working days. Small processing agents (as defined by the unrelated Resolution CD/ANPD No. 2/2022, which concerns exemptions for small agents) have a doubled deadline of 6 business days. Resolution CD/ANPD No. 2/2022 is not a breach notification regulation. The br6 question, help text, and remediation guidance in index.html; the Brazil FW_DATA deadlines and checklists in breach.html; the breach notification cell in compare.html; and the terms.html accuracy note have all been corrected.
LGPD Art. 48 | ANPD Resolution CD/ANPD No. 15/2024 (24 April 2024) | ANPD Resolution CD/ANPD No. 2/2022 (small agents only) | Verified against: Mayer Brown (May 2024), IAPP (Dec 2024), Licks Attorneys (May 2024), DLA Piper Data Protection Laws (Brazil), Baker McKenzie Global Data Handbook (Brazil)
Legal Accuracy Correction
UAE PDPL Maximum Penalty Corrected to AED 5,000,000 (Not AED 20,000,000)
The tool previously cited an "AED 20,000,000 maximum for serious violations" attributed to Cabinet Resolution No. 33/2022. This figure cannot be verified against the primary text of Federal Decree-Law No. 45/2021 or Cabinet Resolution No. 33/2022, and is inconsistent with authoritative secondary sources. Multiple credible sources (Baker McKenzie, DLA Piper, Chambers and Partners, Advoke International, CookieYes) consistently report the UAE PDPL administrative fine as ranging from AED 50,000 to a maximum of AED 5,000,000, with repeat violations potentially doubled to AED 10,000,000. The AED 20,000,000 figure does not appear in the UAE PDPL Decree-Law itself; the law defers the specific penalty schedule to a Cabinet decision. All UAE penalty references across index.html, breach.html, compare.html, and terms.html have been corrected to AED 5,000,000 maximum.
UAE PDPL Fed. Decree-Law No. 45/2021 Art. 26 | Cabinet Resolution No. 33/2022 | Verified against: Baker McKenzie Global Data Handbook (UAE), DLA Piper Data Protection Laws (UAE), Chambers and Partners (UAE 2024), Advoke International, CookieYes PDPL guide
Legal Accuracy Correction
Verification method: All five corrections were verified by targeted web search against credible primary and secondary legal sources before implementation, following a systematic legal accuracy review of all nine frameworks covered by Privacipher.
New Pages
breach.html — Live Breach Response Playbook
New interactive breach response tool covering 8 frameworks (DPDPA, GDPR, UK GDPR, Saudi PDPL, LGPD, Singapore PDPA, Thailand PDPA, UAE PDPL). Features: live countdown timers per framework (updating every second), Singapore-specific determination-time input (legally distinct from discovery time), per-framework phase-by-phase checklists with checkboxes, progress tracking, and auto-generated plain-text incident record for breach registers. All processing in-browser, nothing transmitted.
New Feature
compare.html — 9-Framework Comparison Matrix
Static reference table comparing all 9 frameworks across 9 dimension categories: Enforcement and territorial scope, Lawful bases (including legitimate interests availability per framework), Data subject rights and response deadlines, Breach notification (authority timeline and individual threshold), Children's data, DPO requirements, Cross-border transfers, Sensitive data, Penalties and ROPA. Horizontally scrollable with sticky row-label column and jump-to-section navigation.
New Feature
calendar.html — Regulatory Enforcement Calendar
Live countdown to 21 material deadlines across all 9 frameworks. Hero stats (deadlines this year, within 12 months, beyond 12 months, total tracked). Framework and category filters. Timeline grouped by year. Passed deadlines in a collapsible section. Covers: DPDPA phased commencement (3 dates), CPPA Regs Arts. 9/10/11 (6 dates), DUAA 2025 commencement dates, LGPD ANPD SCC mandate, EU AI Act high-risk obligations, and reference dates for in-force frameworks.
New Feature
about.html — Professional Profile and Credentials
Profile page with practice area cards, specialist expertise depth, engagement types (assessment, documentation, incident response, automation, training, retainer), frameworks covered grid, and contact CTAs. Functions as the primary conversion path for tool users who want to engage for professional legal advice.
New Feature
changelog.html — This Page
Version history and legal accuracy log. Provides transparency on what changed, why, and which primary sources were used to verify corrections. Signals active maintenance to practitioners evaluating the tool's reliability.
New Feature
Bug Fixes
Enforcement Countdown Timezone Bug Fixed
The May 2027 enforcement countdown used new Date('2027-05-13'), which browsers parse as UTC midnight, causing the countdown to resolve to 12 May 2027 for users in timezones ahead of UTC (including IST at UTC+5:30). Fixed by specifying the date as 2027-05-13T00:00:00+05:30 (IST midnight).
index.html | JavaScript Date constructor
Bug Fix
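The two parse forms named in this entry, compared side by side. This is an added example, not Privacipher's own code; wallClockAt, countdown, parseDeadline and the NOW value are hypothetical names and constructed inputs. It also adds a guard that rejects deadline strings lacking an explicit UTC offset, so a date-only constant cannot slip back in.

```javascript
// Added example, not Privacipher's own code. Function names are hypothetical.

// A date-only ISO string is parsed as UTC midnight (ECMAScript Date Time String
// Format); a string with an explicit offset pins one instant for every viewer.
const DATE_ONLY_TARGET = new Date('2027-05-13');           // 2027-05-13T00:00:00Z
const IST_TARGET = new Date('2027-05-13T00:00:00+05:30');  // 2027-05-12T18:30:00Z

const IST_OFFSET_MIN = 330; // UTC+5:30

// Wall-clock reading ("YYYY-MM-DD HH:MM") of an instant at a fixed UTC offset.
function wallClockAt(instant, offsetMinutes) {
  const shifted = new Date(instant.getTime() + offsetMinutes * 60000);
  return shifted.toISOString().slice(0, 16).replace('T', ' ');
}

// Remaining time until target, clamped at zero once the deadline has passed.
function countdown(target, now) {
  const ms = Math.max(0, target.getTime() - now.getTime());
  const totalSeconds = Math.floor(ms / 1000);
  return {
    expired: ms === 0,
    days: Math.floor(totalSeconds / 86400),
    hours: Math.floor((totalSeconds % 86400) / 3600),
    minutes: Math.floor((totalSeconds % 3600) / 60),
    seconds: totalSeconds % 60,
  };
}

// Guard for deadline constants: accept only full timestamps with an explicit
// zone designator (Z or +hh:mm / -hh:mm).
const EXPLICIT_ZONE =
  /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})$/;

function parseDeadline(iso) {
  if (!EXPLICIT_ZONE.test(iso)) {
    throw new RangeError(`deadline "${iso}" has no explicit UTC offset`);
  }
  const d = new Date(iso);
  if (Number.isNaN(d.getTime())) {
    throw new RangeError(`deadline "${iso}" is not a valid date`);
  }
  return d;
}

// Constructed "now": the moment IST clocks read 00:00 on 13 May 2027.
const NOW = new Date(Date.UTC(2027, 4, 12, 18, 30, 0));

function demo() {
  return {
    dateOnlyInIST: wallClockAt(DATE_ONLY_TARGET, IST_OFFSET_MIN),
    fixedInIST: wallClockAt(IST_TARGET, IST_OFFSET_MIN),
    dateOnlyCountdown: countdown(DATE_ONLY_TARGET, NOW),
    fixedCountdown: countdown(IST_TARGET, NOW),
  };
}

console.log(demo());
```

The two targets are 5 hours 30 minutes apart, so a countdown built on the date-only form and one built on the IST-offset form never agree on when the deadline arrives.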
startOver() Did Not Reset All Step 1 Fields
Clicking "Start Over" from the results page reset sector selection but left jurisdiction chips, data type checkboxes, SDF checkboxes, organisation name, and website URL populated from the previous session. All fields now reset cleanly to their initial state.
index.html | startOver() function
Bug Fix
DPDPA vs GDPR Divergence: Singapore Children's Data Entry Had Missing Opening Brace
A str_replace operation that inserted the new Saudi PDPL LI divergence entry consumed the opening {topic: line of the subsequent Singapore children's data entry, causing an Uncaught SyntaxError: Unexpected token ':' in the browser console. Fixed by reinserting the missing opening line. Node.js --check syntax validation confirms zero errors.
index.html | DIVERGENCES array | JavaScript syntax
Syntax Error (Now Fixed)
Navigation & UX
Global Navigation Bar Added Across All Pages
All six pages (index, breach, compare, calendar, about, changelog, terms) now share a consistent navigation bar in the header. The active page is highlighted. Breach Playbook and Compare Frameworks links also appear in the index.html header framework tags row for quick access without scrolling.
UX Improvement
Content
New Divergence Entry: Saudi PDPL vs GDPR on Legitimate Interests
Added a new entry to the DPDPA vs GDPR divergence table documenting the convergence of the Saudi PDPL towards GDPR on the legitimate interests basis following the 2023 amendment, while noting the remaining differences in scope (non-sensitive data only) and elaboration of the balancing test.
Content Addition
terms.html Updated to v2.1
Saudi PDPL accuracy note updated to document the 2023 LI amendment. UAE PDPL accuracy note updated to flag the "free of charge" limitation. Last Updated date updated to 31 March 2026.
Content Update
v2.0
30 March 2026
Major Version
Nine Frameworks
Expanded from a single-framework DPDPA tool to a full nine-framework global privacy compliance intelligence platform. Redesigned UI, sector-specific scoring, penalty mapping, risk heat map, divergence analysis, and PDF export.
Framework Additions
GDPR (EU) — Full Question Set Added
10 questions covering lawful basis, privacy notice (Arts. 13-14), consent, DSR handling (Arts. 15-22), DPO, ROPA, DPIA, international transfers (Arts. 44-49), special category data (Art. 9), and breach notification (Arts. 33-34). DPDPA vs GDPR divergence table with 15 comparison topics added.
GDPR 2016/679 | Arts. 5-9, 12-22, 24-25, 28, 30, 33-36, 37-39, 44-49, 83
Framework Addition
CCPA / CPRA (California) — Full Question Set Added
10 questions covering at-collection notice, consumer rights (Know, Delete, Correct, Opt-out, Limit SPI, Non-discrimination), Do Not Sell/Share and GPC compliance, VCR response timelines, Sensitive PI, service provider contracts, retention, and the new CPPA Final Regulations (Arts. 9/10/11, finalized 22 Sep 2025).
CCPA s.1798.100-135 | CPRA | CPPA Final Regs Arts. 9, 10, 11 (effective Jan 2026/Jan 2027)
Framework Addition
Saudi PDPL — Full Question Set Added
6 questions covering lawful basis and consent, data subject rights (access, correction, erasure, objection), privacy notice, sensitive personal data (Art. 23 criminal liability), cross-border transfers, and breach notification (72-hour SDAIA notification, Implementing Regs Art. 24).
Saudi PDPL Royal Decree M/19 (2021, amended M/148 2023) | Implementing Regulations
Framework Addition
Brazil LGPD — Full Question Set Added
7 questions covering Art. 7 lawful basis (10 bases), Art. 18 rights (9 rights), privacy notice and Encarregado, sensitive data (Art. 5(II) / Art. 11), Encarregado appointment obligation, breach notification (3 business days per ANPD Resolution CD/ANPD No. 15/2024; supplementary report within 20 working days), and cross-border transfers (ANPD SCC model clauses mandatory from Aug 2025, per Resolution CD/ANPD No. 19). Note: the initial v2.0 implementation incorrectly cited 2 business days under Resolution No. 2 — this was corrected in v3.0.
LGPD Law 13,709/2018 | ANPD Resolutions CD/ANPD No. 2 and No. 19
Framework Addition
Singapore PDPA — Full Question Set Added
5 questions covering Consent and Notification Obligations (Secs. 13, 18), Access/Correction/Portability (Secs. 21-22, Part VIB), Protection Obligation (Sec. 24), Mandatory Breach Notification (Sec. 26D — 3 calendar days from determination, not discovery), and DPO designation / Retention Limitation (Secs. 11A, 25). Key distinction from GDPR highlighted: 3-calendar-day clock starts from determination.
Singapore PDPA 2012 (as amended by Personal Data Protection (Amendment) Act 2020, in force 1 Feb 2021)
Framework Addition
Thailand PDPA — Full Question Set Added
5 questions covering Sec. 24 lawful basis (6 bases), Sec. 26 sensitive data (10 categories, THB 3M max fine), Secs. 30-36 rights (7 rights, 30-day SLA), Sec. 37 breach notification (72 hours to PDPC Thailand), and Secs. 40-41 DPO and data processor contracts. Age of majority in Thailand noted as 20 (Thai civil law).
Thailand PDPA B.E. 2562 (2019) | Fully in force 1 Jun 2022
Framework Addition
UK GDPR / DUAA 2025 — Full Question Set Added
6 questions covering UK GDPR lawful basis and DUAA 2025 Recognised Legitimate Interests Schedule (in force 5 Feb 2026), UK privacy notice and SAR stop-the-clock (DUAA 2025 codification), UK ADM framework (DUAA 2025 shift from Art. 22 prohibition to safeguards-based approach), international transfers (IDTA, "not materially lower" TRA standard), ICO registration / DPO / ROPA, and PECR / cookie compliance (DUAA 2025 analytics exemption).
UK GDPR | Data (Use and Access) Act 2025 (Royal Assent 19 Jun 2025; Part 5 in force 5 Feb 2026)
Framework Addition
UAE PDPL — Full Question Set Added
4 questions covering lawful basis and consent, data subject rights (5 rights), breach notification (72-hour target, Art. 17), and cross-border transfers (UAEDO adequacy list and contractual safeguards). Penalty figures corrected in v3.0: maximum administrative fine is AED 5,000,000.
UAE PDPL Fed. Decree-Law No. 45/2021 | Cabinet Resolution No. 33/2022
Framework Addition
New Features
Sector-Specific Scoring Engine
10 sector profiles (HealthTech, FinTech/BFSI, EdTech, E-commerce, SaaS, Social Media/OTT, HR Tech, LegalTech, Government, Other). Each profile includes weight boosts for sector-elevated risk areas, a narrative sector risk note, elevated obligation categories, and cross-references to sector-specific regulatory frameworks (RBI, IRDAI, DISHA, UGC, etc.).
New Feature
DPDPA Penalty Exposure Calculator
Maps each DPDPA question to the corresponding Schedule item and penalty ceiling. Computes total maximum statutory exposure from identified violations. Displays per-provision penalty breakdown and the full s.33 Schedule table. Non-DPDPA frameworks display their penalty tiers in narrative notes.
New Feature
Risk Heat Map (Likelihood x Impact)
SVG-based interactive heat map plotting each identified gap by likelihood of violation and regulatory impact. Dots colour-coded by risk level (Critical/High/Medium). Hover tooltips show framework and category. Numbered gap index below the map.
New Feature
30/60/90-Day Remediation Roadmap
Automatically sorts identified gaps into 30-day (Critical), 60-day (High), and 90-day (Medium/Low) remediation buckets. Each item shows the framework, category, question, and statutory provision.
New Feature
PDF Export (jsPDF, client-side)
Full compliance report exportable as a branded PDF: score, sector profile, penalty exposure, framework scores, gap cards with remediation steps, roadmap, and disclaimer. Generated entirely client-side via jsPDF; no data transmitted.
New Feature
DPDPA vs GDPR Divergence Analysis (15 topics)
Structured comparison of 15 key legal divergences between frameworks covered in the assessment, extended in v2.0 to include UK GDPR vs EU GDPR (ADM and transfer standard), Brazil LGPD vs GDPR (lawful basis count), Thailand PDPA vs GDPR (penalty structure), and DPDPA vs Singapore PDPA (children's data age threshold).
New Feature
Key Legal Accuracy Points in v2.0
DPDPA Cross-Border Transfer Model Corrected to Restriction/Blacklist
The tool correctly documents DPDPA s.16 as a restriction/blacklist model (transfers permitted by default unless the Central Government restricts specific countries), not a whitelist. No restriction list has been notified. Sector-specific localization rules (RBI, SEBI, IRDAI) noted as independently applicable.
DPDPA s.16 | DPDP Rules 2025 Rule 15
Accuracy Note
DPDPA Rights Response Timeline Correctly Noted as Not Prescribed
The tool correctly notes that the DPDP Rules 2025 do not prescribe a specific number of days for access (s.11) or correction/erasure (s.12) requests. Only grievance redressal is capped at 90 days (Rule 14(3)). This is a common source of error in secondary commentary.
DPDPA ss.11-12 | DPDP Rules 2025 Rule 14(3)
Accuracy Note
Singapore PDPA Breach Notification Trigger Correctly Stated as Determination Date
The 3-calendar-day Singapore PDPA notification window runs from the date the organisation determines the breach is notifiable, not from discovery. This operationally significant distinction is correctly reflected in the sg4 question help text, breach notification divergence entry, and the Breach Response Playbook Singapore section.
Singapore PDPA Sec. 26D(1) | PDP(DBN) Regulations 2021 | PDPC Guide on Managing and Notifying Data Breaches (2021, updated 2024)
Accuracy Note
DPDPA s.7 "Certain Legitimate Uses" Correctly Distinguished from GDPR Legitimate Interests
The tool correctly notes that DPDPA s.7 provides a closed list of 9 specific scenarios, not an open balancing-test legitimate interests equivalent. This distinction is elaborated in both the divergence table and question help text. Consent is effectively the only basis for most commercial data processing under DPDPA.
DPDPA s.7 | GDPR Art. 6(1)(f)
Accuracy Note
Brazil LGPD: ANPD SCC Mandate (Aug 2025) and 2-Business-Day Preliminary Notification Included
The ANPD SCC mandate effective 23 August 2025 (Resolution CD/ANPD No. 19) is correctly reflected. Note: the breach notification timeline was initially implemented as 2 business days under Resolution No. 2, which was incorrect. The correct regime under ANPD Resolution No. 15/2024 is 3 business days, corrected in v3.0. See the v3.0 Legal Accuracy Corrections section for the full correction record.
LGPD Art. 48 | ANPD Resolution CD/ANPD No. 2 | ANPD Resolution CD/ANPD No. 19 (2024)
Accuracy Note
v1.0
March 2025
Initial Release
Initial release: India-focused DPDPA 2023 compliance assessment tool with penalty mapping and remediation guidance.
Initial Features
DPDPA 2023 Assessment Tool — Initial Release
15 questions covering the Digital Personal Data Protection Act 2023: notice and consent (ss.5-6), data principal rights (ss.11-14), fiduciary obligations (s.8), security safeguards (s.8(5)), children's data (s.9), SDF obligations (s.10), cross-border transfers (s.16), and breach notification (s.8(6)). DPDPA penalty schedule mapping (s.33) with per-provision penalty ceilings. Sector-specific scoring for 10 sectors. Step-based UI with organisation profile, assessment, and results.
Digital Personal Data Protection Act 2023 | IT Act 2000 s.43A | SPDI Rules 2011
Initial Release
Zero-Backend Architecture
All assessment logic, scoring, and report generation run entirely in the browser using vanilla JavaScript. No server, no database, no user account, no cookies (except Google Fonts CDN). All inputs are discarded when the browser tab is closed. This architectural decision is documented in terms.html and the results disclaimer.
Architecture Decision
⚠ Disclaimer
This changelog documents changes to the tool for transparency and audit purposes. Noting a change here does not constitute legal advice about the underlying regulatory developments described. Always verify regulatory positions against current primary sources and qualified legal counsel.
Copyright © 2025-2026 Adv. Sanket Shah. All rights reserved.