Step 05 - Building Internal Policies for DPDPA Compliance

Once the initial foundation is in place (gap assessment, data mapping, privacy notices, and appointing officers), the next step is to create internal policies.

These policies act as a rulebook for your organization — guiding employees, partners, and systems on how personal data must be handled.

The Digital Personal Data Protection Act (DPDPA), 2023 requires that organizations put these policies in place to demonstrate accountability.


1. Data Retention and Deletion Policy

The DPDPA requires that personal data must not be stored longer than necessary. Every organization must define how long data is kept and when it will be erased or anonymised.

  • Define retention periods for customer, employee, and vendor data.
  • Ensure automatic deletion or anonymisation after the purpose is served.
  • Document legal exceptions (e.g., SEBI rules may require brokers to keep financial data for seven years).

Example

A bank must retain KYC records for 10 years after account closure under RBI rules. After that period, the data must be securely deleted.
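As an added illustration of the retention rule above (not code from the original article): a small retention-sweep routine that applies a schedule built from the periods quoted on this page (10 years for KYC records after account closure, 7 years for broker financial data), treats a documented legal hold as an exception, and refuses to decide on any record whose category has no defined period. The schedule layout, the `Record` type and the marketing entry are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention schedule: category -> (years after the trigger event, action at expiry).
# The 10-year KYC and 7-year broker periods are taken from this page's examples;
# the marketing entry is a constructed placeholder. Verify every period against
# the actual legal requirement before relying on it.
RETENTION_SCHEDULE = {
    "kyc_record": (10, "delete"),           # RBI: 10 years after account closure
    "broker_financial": (7, "delete"),      # SEBI: 7 years
    "marketing_profile": (1, "anonymise"),  # assumed: purpose ends with the relationship
}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]  # e.g. account closure; None = purpose still served
    legal_hold: bool = False      # documented exception (litigation, regulator request)

def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition(rec: Record, today: date) -> str:
    """Decide 'retain', 'delete' or 'anonymise' for one record as of `today`."""
    if rec.category not in RETENTION_SCHEDULE:
        # A category with no defined period is a policy gap, not a free pass.
        raise ValueError(f"no retention period defined for {rec.category!r}")
    if rec.trigger_date is None or rec.legal_hold:
        return "retain"
    years, action = RETENTION_SCHEDULE[rec.category]
    return action if today >= add_years(rec.trigger_date, years) else "retain"

def retention_sweep(records, today: date) -> dict:
    """Group record ids by disposition; the caller executes and logs the result."""
    plan = {"retain": [], "delete": [], "anonymise": []}
    for rec in records:
        plan[disposition(rec, today)].append(rec.record_id)
    return plan
```

The returned plan is the audit trail the policy asks for: what was deleted, what was anonymised, and why each remaining record was kept.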


2. Breach Response and Notification Policy

Under Rule 7, organizations must notify the Data Protection Board and affected individuals of any breach within 72 hours.

A breach policy ensures the organization knows exactly how to respond.

  • Define what constitutes a data breach (unauthorized access, accidental disclosure, ransomware attack).
  • Create a breach response team (IT, legal, compliance, communications).
  • Prepare draft templates for breach notifications to the Board and customers.
  • Conduct breach simulation exercises (“fire drills”).

Example

If an e-commerce platform discovers that 50,000 customer credit card records were leaked, the breach policy ensures it immediately triggers alerts, investigates, contains the incident, and files a formal notification to the Board within 72 hours.


3. Information Security Policy

The DPDPA obliges every Data Fiduciary to implement reasonable security safeguards. An information security policy documents those safeguards and assigns responsibilities.

  • Password and access control requirements.
  • Encryption of sensitive data (financial, health, identification numbers).
  • Employee awareness training against phishing and insider threats.
  • Regular vulnerability assessments and penetration testing.

Example

A pharmaceutical company conducting clinical trials must encrypt patient data, restrict access to authorized staff, and conduct regular security testing to prevent leaks of sensitive health information.


4. Consent Management Policy

Consent is the cornerstone of the DPDPA. Organizations must have a clear internal process for capturing, managing, and withdrawing consent.

  • Define how consent will be collected (digital forms, app interfaces, Consent Managers).
  • Ensure records of consent are securely stored and retrievable.
  • Set procedures for processing consent withdrawal requests quickly.

Example

A social media platform must have systems in place so that if a user withdraws consent for targeted advertising, the platform stops processing such data without delay.


5. Vendor and Third-Party Data Processing Policy

If personal data is shared with vendors (cloud providers, payroll companies, logistics partners), the organization remains responsible.

  • Maintain contracts with data protection clauses (purpose limitation, security safeguards, liability for breaches).
  • Audit high-risk vendors periodically.
  • Keep records of data shared with each vendor.

Example

A crypto exchange outsourcing KYC verification to a third-party service provider must ensure that the vendor applies the same security and privacy standards required under the DPDPA.


Why Internal Policies Are Critical

These policies create a culture of compliance.

They also serve as evidence during audits or investigations that the organization has taken reasonable steps to meet its obligations.

Without written policies, even well-intentioned practices may fail to demonstrate compliance to regulators.

Critical Point

Documented policies are mandatory under the DPDPA. They protect the organization from penalties, audits, and reputational damage, and prove that compliance is systematic, not ad hoc.