Q2 - What steps should a company take first to begin compliance?
The Digital Personal Data Protection Act, 2023 (DPDPA) introduces new duties for how organizations collect, process, store, and erase personal data. While formal enforcement will begin once notified by the Central Government, companies should start compliance work immediately to avoid last-minute risk and ensure smooth readiness.
1. Map All Personal Data and Processing Activities
Begin by identifying:
- What categories of personal data you collect (e.g., employee, customer, vendor data).
- Where that data is stored — systems, servers, cloud, third-party processors.
- How and why the data is processed, shared, or transferred.
This creates a data inventory forming the foundation for compliance.
2. Establish Lawful Grounds and Consent Mechanisms
- Implement clear, verifiable consent collection for each purpose of processing.
- Review privacy notices and ensure they state:
  - The purpose of data collection.
  - The categories of personal data processed.
  - Rights of the Data Principal and grievance channels.
- Ensure mechanisms for withdrawal of consent are as easy as giving it.
3. Assign Roles and Responsibilities
- Designate a Data Protection Officer (DPO) if you expect to be classified as a Significant Data Fiduciary.
- Appoint an internal compliance lead to oversee day-to-day data-protection tasks.
- Train senior management and key departments on DPDPA obligations.
4. Review Contracts with Data Processors
Under Section 8(2), processing by third parties must happen only under a valid contract.
- Insert clauses on confidentiality, security controls, and breach reporting.
- Require processors to erase data when the purpose is fulfilled or consent withdrawn.
5. Implement Technical and Organisational Safeguards
As required by Section 8(4)–(5):
- Adopt access-control systems, encryption, and network-security standards.
- Define incident-response and breach-notification procedures.
- Maintain evidence of risk assessments and security audits.
6. Build a Grievance-Redressal System
Under Section 13, every Data Fiduciary must have a readily available grievance-handling process.
- Appoint a grievance officer and publish their contact details.
- Define SLAs for response times and escalation before matters reach the Data Protection Board.
7. Plan for Data Retention and Erasure
As per Section 8(7):
- Retain personal data only as long as necessary for the specified purpose or legal requirement.
- Implement automated deletion or anonymisation once the purpose is fulfilled.
8. Conduct a Gap Assessment and Prepare Policies
Document:
- Data-protection and privacy policy.
- Breach-response policy.
- Consent and grievance-handling SOPs.
- DPIA and audit procedures (if applicable).
Regularly update these as DPDPA rules and notifications evolve.
A mid-sized fintech firm starts by mapping customer and employee data, updates its consent forms and retention schedule, and trains its staff on new rights and breach-reporting obligations.
When enforcement begins, the company already meets core compliance expectations.
Referenced Provisions:
- Section 8(1)–(7) – General obligations of Data Fiduciaries.
- Section 13 – Grievance-redressal requirements.
- Section 10(2) – Additional duties for Significant Data Fiduciaries.
- Schedule – Penalty framework for non-compliance.