Building a Privacy Program from Scratch for DPDP Compliance
A structured approach to building a data protection program that meets the DPDP Act 2023 requirements. From gap assessment through operational compliance in 90 days.
Most Businesses Do Not Have a Privacy Program. The DPDP Act Requires One.
The DPDP Act 2023 does not simply require businesses to stop doing harmful things with data. It requires them to build operational systems that demonstrate ongoing compliance. A privacy policy page on your website is not a privacy program. An internal email about “being careful with data” is not a privacy program.
A privacy program is a documented, operational framework that governs how your organisation collects, processes, stores, and deletes personal data. Building one from scratch is a structured project, not a vague initiative.
Phase 1: Assessment (Weeks 1-2)
Understand Your Current Position
Before building anything, measure where you stand. The assessment phase answers three questions:
- What personal data do you collect? Audit every data collection point: forms, APIs, third-party integrations, cookies, SDKs, manual processes. Document the categories of data collected at each point.
- Why do you collect it? Map each data element to a stated business purpose. If you cannot articulate why a piece of data is collected, you may be violating the data minimisation principle.
- Where does it go? Trace data flows from collection through processing, storage, sharing, and eventual deletion. Include internal systems, cloud services, third-party processors, and any cross-border transfers.
The DPDP Gap Assessment provides a structured starting point. It evaluates your organisation across five compliance areas and produces a prioritised action list.
Data Inventory
Create a data inventory documenting:
| Field | Description |
|---|---|
| Data element | Name, email, phone, Aadhaar, etc. |
| Collection point | Website form, API, in-person, third party |
| Purpose | Order fulfilment, marketing, analytics, etc. |
| Legal basis | Consent, legitimate use (specify which) |
| Storage location | Database, cloud service, third-party system |
| Retention period | 30 days, 1 year, until purpose fulfilled |
| Third-party sharing | CRM, analytics, payment processor |
| Cross-border transfer | Yes/No, destination country |
This inventory is the foundation of every subsequent compliance activity. Without it, you cannot demonstrate compliance to the Data Protection Board.
Phase 2: Gap Analysis (Weeks 2-3)
With the data inventory complete, compare your current practices against the Act’s requirements:
Consent Infrastructure
- Do you have valid consent mechanisms for each processing activity?
- Can users withdraw consent as easily as they gave it?
- Are consent records timestamped and immutable?
Data Principal Rights
- Can you fulfil information requests within prescribed timelines?
- Do you have a process for correction and erasure requests?
- Is there a grievance redressal mechanism that Data Principals can access?
Data Fiduciary Obligations
- Are you practising purpose limitation and data minimisation?
- Do you have documented retention policies with deletion triggers?
- Are security safeguards proportionate and documented?
Breach Response
- Do you have a breach notification procedure that meets the Act’s timeline requirements?
- Can you identify and assess a breach within hours?
- Are your Data Processor contracts updated with breach notification obligations?
Children’s Data
- If you serve users under 18, do you have age verification and parental consent mechanisms?
- Are tracking and targeted advertising disabled for identified minors?
Each gap identified becomes a work item with a priority level and an owner.
Phase 3: Policy Framework (Weeks 3-4)
Draft the foundational documents that govern your privacy program:
Privacy Policy (External)
A clear, plain-language document that tells Data Principals:
- What data you collect and why
- How you process and store it
- Their rights under the DPDP Act
- How to contact you or file a grievance
This is a legal document. Have it reviewed by counsel familiar with the DPDP Act.
Data Protection Policy (Internal)
An internal operational document that defines:
- Roles and responsibilities for data protection
- Procedures for handling personal data
- Rules for data access, sharing, and deletion
- Incident response procedures
- Training requirements
Data Retention Schedule
A documented schedule specifying retention periods for each category of personal data, the legal basis for retention, and the deletion trigger (purpose fulfilment, consent withdrawal, time period expiry).
Data Processing Agreements
Contracts with every third-party Data Processor that define:
- Scope and purpose of processing
- Security requirements
- Breach notification obligations
- Data deletion on termination
- Audit rights
Phase 4: Technical Implementation (Weeks 4-8)
Build or deploy the technical infrastructure required by your gap analysis:
Consent Management System
- Purpose-specific consent capture at every collection point
- Withdrawal mechanism with immediate processing halt
- Immutable consent records with cryptographic timestamps
- API support for future Consent Manager interoperability
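As an added illustration (not code from the original article or from any product it mentions), the following Python sketch shows the three properties the list above asks of consent records: purpose-specific grants, a withdrawal that immediately flips the processing decision, and records that cannot be quietly edited after the fact. Immutability is modelled here as a SHA-256 hash chain over an append-only list; that stands in for the "cryptographic timestamps" the article names, and a production system would additionally anchor the chain to a trusted timestamping service or write-once storage (an assumption of this example). Principal identifiers, purposes and timestamps are constructed sample values.

```python
# Added example: append-only, hash-chained consent ledger (not the article's code).
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first record


@dataclass(frozen=True)
class ConsentRecord:
    principal_id: str   # Data Principal identifier (pseudonymous in practice)
    purpose: str        # the specific processing purpose this record covers
    action: str         # "grant" or "withdraw"
    recorded_at: str    # UTC ISO-8601 timestamp
    prev_hash: str      # hash of the previous record, linking the chain
    record_hash: str    # SHA-256 over all fields above

    @staticmethod
    def compute_hash(principal_id, purpose, action, recorded_at, prev_hash) -> str:
        payload = json.dumps([principal_id, purpose, action, recorded_at, prev_hash],
                             separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Records are only ever appended; a withdrawal is a new record, not an edit."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                recorded_at: Optional[str] = None) -> ConsentRecord:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        ts = recorded_at or datetime.now(timezone.utc).isoformat()
        prev = self._records[-1].record_hash if self._records else GENESIS_HASH
        h = ConsentRecord.compute_hash(principal_id, purpose, action, ts, prev)
        rec = ConsentRecord(principal_id, purpose, action, ts, prev, h)
        self._records.append(rec)
        return rec

    def grant(self, principal_id, purpose, recorded_at=None):
        return self._append(principal_id, purpose, "grant", recorded_at)

    def withdraw(self, principal_id, purpose, recorded_at=None):
        return self._append(principal_id, purpose, "withdraw", recorded_at)

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """True only if the latest record for this principal+purpose is a grant.
        Processing code calls this before each use, so withdrawal halts it at once."""
        for rec in reversed(self._records):
            if rec.principal_id == principal_id and rec.purpose == purpose:
                return rec.action == "grant"
        return False  # no consent on file for this purpose

    def verify(self) -> bool:
        """Recompute every hash and confirm each record links to its predecessor."""
        prev = GENESIS_HASH
        for rec in self._records:
            expected = ConsentRecord.compute_hash(rec.principal_id, rec.purpose,
                                                  rec.action, rec.recorded_at, rec.prev_hash)
            if rec.prev_hash != prev or rec.record_hash != expected:
                return False
            prev = rec.record_hash
        return True

    def records(self) -> List[ConsentRecord]:
        return list(self._records)


def demo_ledger() -> ConsentLedger:
    """Constructed sample: dp-001 grants marketing and analytics, then withdraws marketing."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", "2025-01-10T09:00:00+00:00")
    ledger.grant("dp-001", "analytics", "2025-01-10T09:00:05+00:00")
    ledger.withdraw("dp-001", "marketing", "2025-02-01T12:30:00+00:00")
    return ledger


def tampered_copy(ledger: ConsentLedger) -> ConsentLedger:
    """Simulate an after-the-fact edit that rewrites the withdrawal as a grant.
    The stored hash no longer matches the content, so verify() fails."""
    forged = ConsentLedger()
    for rec in ledger.records():
        if rec.action == "withdraw":
            rec = ConsentRecord(rec.principal_id, rec.purpose, "grant",
                                rec.recorded_at, rec.prev_hash, rec.record_hash)
        forged._records.append(rec)
    return forged
```

The design point is that `may_process` is the single gate every processing job consults, so withdrawal takes effect on the next call without any cache invalidation step, and `verify` is what an auditor (or the Data Protection Board) can run to show the history has not been rewritten.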
Rights Fulfilment Workflow
- Intake channel for Data Principal requests (web form, email, or both)
- Identity verification process
- Data discovery across all systems
- Response generation and delivery
- Audit trail for every request
Security Controls
- Encryption at rest and in transit
- Access controls with least-privilege principles
- Logging and monitoring for breach detection
- Regular vulnerability assessments
Data Deletion Pipeline
- Automated deletion triggers based on retention schedule
- Verification that deletion propagates to all systems and processors
- Deletion confirmation records
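The following Python example is added here and is not part of the original article. It ties the retention schedule from Phase 3 (retention period plus a deletion trigger of purpose fulfilment, consent withdrawal, or time expiry) to the three pipeline requirements above: automated triggering, propagation to every system and processor that holds the record, and a confirmation record that shows which systems acknowledged. The system names, retention rules and data records are constructed sample values, and the per-system delete handlers are stand-ins for real database and processor API calls (one is deliberately made to fail so the confirmation shows an outstanding system).

```python
# Added example: retention-schedule-driven deletion with propagation tracking.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RetentionRule:
    category: str                       # matches the "data element" category in the inventory
    max_age_days: Optional[int]         # None = no time-based expiry
    delete_on_purpose_fulfilled: bool   # e.g. order delivered
    delete_on_consent_withdrawn: bool


@dataclass
class DataRecord:
    record_id: str
    principal_id: str
    category: str
    collected_at: datetime
    purpose_fulfilled: bool = False
    consent_withdrawn: bool = False
    held_by: List[str] = field(default_factory=list)  # internal systems and processors


@dataclass
class DeletionConfirmation:
    record_id: str
    trigger: str
    requested_at: datetime
    acknowledged_by: List[str]
    outstanding: List[str]  # systems that did not confirm; must be retried/escalated

    @property
    def complete(self) -> bool:
        return not self.outstanding


def deletion_trigger(record: DataRecord, rule: RetentionRule, now: datetime) -> Optional[str]:
    """Return the reason this record is due for deletion, or None if it may be kept."""
    if rule.delete_on_consent_withdrawn and record.consent_withdrawn:
        return "consent_withdrawn"
    if rule.delete_on_purpose_fulfilled and record.purpose_fulfilled:
        return "purpose_fulfilled"
    if rule.max_age_days is not None and now - record.collected_at > timedelta(days=rule.max_age_days):
        return "retention_expired"
    return None


def find_due(records: List[DataRecord], rules: Dict[str, RetentionRule],
             now: datetime) -> List[Tuple[DataRecord, str]]:
    due = []
    for rec in records:
        rule = rules.get(rec.category)
        if rule is None:
            # A category with no retention rule is itself a compliance gap.
            raise KeyError(f"no retention rule for category {rec.category!r}")
        trigger = deletion_trigger(rec, rule, now)
        if trigger:
            due.append((rec, trigger))
    return due


def run_deletions(records: List[DataRecord], rules: Dict[str, RetentionRule],
                  deleters: Dict[str, Callable[[str], bool]],
                  now: datetime) -> List[DeletionConfirmation]:
    """Issue a delete to every holder of each due record and record who confirmed."""
    confirmations = []
    for rec, trigger in find_due(records, rules, now):
        acked, outstanding = [], []
        for system in rec.held_by:
            handler = deleters.get(system)
            if handler is not None and handler(rec.record_id):
                acked.append(system)
            else:
                outstanding.append(system)  # unknown system or failed call
        confirmations.append(DeletionConfirmation(rec.record_id, trigger, now, acked, outstanding))
    return confirmations


def demo() -> List[DeletionConfirmation]:
    """Constructed sample data: three records are due, one for each trigger type."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    rules = {
        "order_address": RetentionRule("order_address", 365, True, False),
        "marketing_email": RetentionRule("marketing_email", None, False, True),
        "analytics_event": RetentionRule("analytics_event", 30, False, True),
    }
    records = [
        DataRecord("r1", "dp-001", "order_address", now - timedelta(days=10),
                   purpose_fulfilled=True, held_by=["orders_db", "courier_api"]),
        DataRecord("r2", "dp-001", "marketing_email", now - timedelta(days=400),
                   consent_withdrawn=True, held_by=["crm", "email_vendor"]),
        DataRecord("r3", "dp-002", "analytics_event", now - timedelta(days=45),
                   held_by=["analytics_db"]),
        DataRecord("r4", "dp-002", "order_address", now - timedelta(days=5),
                   held_by=["orders_db"]),  # still within retention, not due
    ]
    # Simulated delete handlers; the email vendor's call is made to fail.
    deleters = {
        "orders_db": lambda rid: True,
        "courier_api": lambda rid: True,
        "crm": lambda rid: True,
        "email_vendor": lambda rid: False,
        "analytics_db": lambda rid: True,
    }
    return run_deletions(records, rules, deleters, now)
```

Each `DeletionConfirmation` is the evidence artefact the article's third bullet asks for; a confirmation with a non-empty `outstanding` list is the signal that deletion has not actually propagated and the record must not be reported as deleted until the remaining system confirms.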
Phase 5: Operationalise (Weeks 8-12)
Training
Train every employee who handles personal data on:
- The DPDP Act’s key requirements
- Your internal data protection policy
- Their specific responsibilities
- How to recognise and report a potential breach
Testing
Run tabletop exercises covering:
- A Data Principal exercising their right to information
- A consent withdrawal request
- A personal data breach requiring notification
- A request from the Data Protection Board
Monitoring
Establish ongoing monitoring for:
- Consent collection rates and withdrawal patterns
- Rights request volumes and response times
- Security incident detection
- Data retention compliance
The 90-Day Milestone
At the end of 90 days, your organisation should have:
- A complete data inventory
- Documented policies and procedures
- Operational consent management
- A functioning rights fulfilment process
- Breach response procedures tested through simulation
- Staff trained on their responsibilities
This is not the end of the privacy program. It is the operational baseline. Compliance is an ongoing state, not a project with a finish line.
Start with the Assessment
The free DPDP Gap Assessment takes 10 minutes and gives you a personalised compliance report. It identifies your specific gaps across all five compliance areas and provides a prioritised action list. Start there.