
Q2 - What steps should a company take first to begin compliance?

Answer

The most logical starting steps are:

  • Data Mapping – Identify what personal data you collect, where it is stored, who accesses it, and how it is used.

    Example

    A retail chain should map whether it collects only names and phone numbers or also Aadhaar details for loyalty programs.

  • Consent Frameworks – Ensure that consents are clear, informed, and easily withdrawable.

    Example

    An insurance company must separate consents for policy processing vs. marketing.

  • Appoint a Grievance Officer – Provide contact details for complaints.

    Example

    A stock broking firm can appoint its compliance officer to this role.

  • Security Safeguards – Apply encryption, access controls, backups, and monitoring.

    Example

    A hospital chain must ensure patient records are encrypted and not accessible to all staff.

  • Training Employees – Make staff aware of data handling responsibilities.

    Example

    In an e-commerce warehouse, workers should not be allowed to copy customer addresses onto personal devices.

These are the building blocks of compliance to put in place before moving on to advanced requirements such as audits and Data Protection Impact Assessments (DPIAs), which apply to Significant Data Fiduciaries (SDFs).