Step 01 - Conduct a Gap Assessment
For many organizations, the Digital Personal Data Protection Act (DPDPA), 2023 may feel complex at first, but compliance begins with a few structured steps.
The goal is to create a framework where personal data is collected, processed, and stored in a way that respects the rights of individuals and meets the legal requirements of the Act.
Step 1: Conduct a Gap Assessment
A gap assessment is the starting point. It is a review of your current data handling practices compared against the requirements of the DPDPA.
- Identify what types of personal data you currently collect (customer, employee, vendor, partner).
- Review how that data is stored, used, and shared.
- Compare these practices with the obligations under DPDPA, such as providing clear notices, limiting retention, and reporting breaches.
The outcome will show where your organization is already compliant and where changes are needed.
For example, a retail e-commerce company may discover that it collects more customer data than necessary, such as storing passport numbers when only the PAN is required for billing. The gap assessment will flag this excess collection as a compliance issue.
A gap assessment is the foundation of compliance. Without it, organizations risk overlooking weaknesses that may lead to breaches, penalties, or reputational harm.