DPDP Act Compliance Checklist for Businesses: Where to Start and What Actually Matters

April 27, 2026
By: Paramveer Singh, VP
DPDP Compliance Checklist for Businesses

India’s Digital Personal Data Protection Act 2023 is often discussed as if it affected only large enterprises. The exposure is far more immediate and commonplace: it sits in organizations where sales teams use old CRMs, HR files live on company drives, marketing campaigns run over WhatsApp, customer data flows in through SaaS platforms, and employees paste confidential data into AI services without a second thought.

Compliance is not a question of whether your website has a privacy policy. The question is whether you can say what personal data you hold, why you have it, where it is stored, who can see it, when it should be erased, and how it will be handled if something goes wrong.

If your organization handles customer, employee, applicant, supplier, or distributor data, the DPDP Act applies to you. One rule always holds: outsourcing data processing does not outsource accountability, and a privacy policy without a data map is just branding.

Phase 1: Fix the Immediate Exposure

Map your data before starting anything else

Assign one person to lead the DPDP implementation. Their first task is to build a live inventory of:

  • personal data collected
  • where it was obtained
  • the purpose for which it was collected
  • on which systems it has been captured
  • with whom it is shared
  • for how long it will be retained
  • whether the data crosses international borders

The inventory must cover every website, CRM, spreadsheet, shared drive, WhatsApp account, HR file, CCTV recording, and recorded call.

Develop a new consent collection and recording process

Every point at which personal data is collected needs to be re-evaluated for a proper privacy notice. Checkout pages, form fields that collect an email address or other details, app permissions, new-employee records, and so on must carry clear notice language telling the individual what their rights are and how they can withdraw consent.

Establish a complaint and rights process

Any business, regardless of size or budget, can build an effective process for handling requests for access, correction, or deletion, and complaints about a violation of rights. Provide a dedicated channel for individuals to submit such requests; define a verification process that fits your business’s needs; and record when each request was submitted, when it was fulfilled, and the status of anything still outstanding. It is just as important to train every employee who may receive such a request, so that requests are handled correctly and none goes unfulfilled.
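The two records this section asks for, a log of consent and its withdrawal and a log of rights requests with their dates and status, are small enough to keep in a single structure. The following Python is an added example written for this article, not code from IIRIS Consulting or from the Act; the subject ids, dates and the 30-day fulfilment target are invented for illustration, and the "as of" date is the article’s publication date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical target for fulfilling a rights request, in days. The article sets no
# figure; use the one your own policy commits to.
REQUEST_SLA_DAYS = 30

# Date on which the sample report below is evaluated (the article's publication date).
AS_OF = date(2026, 4, 27)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str                  # which privacy-notice text the person was shown
    given_on: date
    withdrawn_on: Optional[date] = None


@dataclass
class RightsRequest:
    request_id: str
    subject_id: str
    kind: str                            # "access", "correction", "deletion" or "grievance"
    submitted_on: date
    verified: bool = False               # identity verification completed
    fulfilled_on: Optional[date] = None

    def status(self, today: date) -> str:
        if self.fulfilled_on is not None:
            return "fulfilled"
        if not self.verified:
            return "pending-verification"
        if today > self.submitted_on + timedelta(days=REQUEST_SLA_DAYS):
            return "overdue"
        return "open"


class PrivacyLedger:
    """Log of consent events and rights requests; records are closed, never erased."""

    def __init__(self) -> None:
        self.consents: list[ConsentRecord] = []
        self.requests: dict[str, RightsRequest] = {}

    def record_consent(self, subject_id: str, purpose: str, notice_version: str, given_on: date) -> None:
        self.consents.append(ConsentRecord(subject_id, purpose, notice_version, given_on))

    def withdraw_consent(self, subject_id: str, purpose: str, withdrawn_on: date) -> int:
        """Close every active consent of this subject for this purpose; returns how many were closed."""
        closed = 0
        for c in self.consents:
            if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = withdrawn_on
                closed += 1
        return closed

    def may_process(self, subject_id: str, purpose: str, on: date) -> bool:
        """True only if a consent for this purpose was in force on the given date."""
        return any(
            c.subject_id == subject_id and c.purpose == purpose
            and c.given_on <= on
            and (c.withdrawn_on is None or c.withdrawn_on > on)
            for c in self.consents
        )

    def log_request(self, request_id: str, subject_id: str, kind: str,
                    submitted_on: date, verified: bool = False) -> None:
        self.requests[request_id] = RightsRequest(request_id, subject_id, kind, submitted_on, verified)

    def fulfil(self, request_id: str, on: date) -> None:
        self.requests[request_id].fulfilled_on = on      # KeyError if the id is unknown

    def outstanding(self, today: date) -> dict[str, str]:
        """Every request not yet fulfilled, with its current status."""
        return {rid: r.status(today) for rid, r in self.requests.items() if r.fulfilled_on is None}


def build_sample_ledger() -> PrivacyLedger:
    """Constructed sample events; subject ids, request ids and dates are invented."""
    ledger = PrivacyLedger()
    ledger.record_consent("u1", "marketing", "notice-v2", date(2026, 1, 10))
    ledger.record_consent("u2", "marketing", "notice-v2", date(2026, 1, 12))
    ledger.withdraw_consent("u2", "marketing", date(2026, 2, 20))
    ledger.log_request("r1", "u2", "deletion", date(2026, 2, 20), verified=True)
    ledger.log_request("r2", "u1", "access", date(2026, 4, 1))        # identity not yet verified
    ledger.log_request("r3", "u3", "correction", date(2026, 3, 1), verified=True)
    ledger.fulfil("r1", date(2026, 3, 5))
    return ledger


def sample_report(today: date = AS_OF) -> dict:
    """What the ledger can answer for a regulator or an auditor on a given date."""
    ledger = build_sample_ledger()
    return {
        "u1_marketing_now": ledger.may_process("u1", "marketing", today),
        "u2_marketing_now": ledger.may_process("u2", "marketing", today),
        "u2_marketing_before_withdrawal": ledger.may_process("u2", "marketing", date(2026, 2, 1)),
        "outstanding": ledger.outstanding(today),
    }


if __name__ == "__main__":
    print(sample_report())
```

The point of `may_process` taking a date is that the ledger can answer both "may we email this person today?" and "were we allowed to when we did?"; a withdrawal closes the consent record rather than deleting it, so the second question stays answerable. `outstanding` is the list the trained staff member checks: a request stuck at "pending-verification" needs a follow-up with the individual, and an "overdue" one is a finding in its own right.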

Get rid of things that you don’t need anymore

Many companies hold years’ worth of old leads, inactive accounts, rejected CVs, and vendor contacts whose origin nobody can explain. Clearing this out is usually the quickest way to improve privacy. Find the old data, separate it from the live operational records, update notices where there is not enough proof of how and why the data was collected, and delete anything that no longer serves a purpose.

Write down your basic security and breach response plans

Sensible security measures are not just an IT matter; they are the main DPDP risk controls. Use role-based access control, multi-factor authentication, patching, endpoint protection, and controlled vendor access. Write an incident-response playbook before you need one.

Phase 2: Build Controls That Last

Record every instance in which you process personal data. This is not a device for avoiding consent: for each one, document the purpose, the situations in which consent is not required, and what you may and may not do with the data.

Plan how you keep personal data and when you delete it. The goal is not to delete everything as soon as possible; it is to keep what you need for as long as you need it, with a documented reason for keeping it. Decide the retention period for prospect records, employee files, identity documents, security camera footage, customer support call recordings, and vendor records.
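The inventory fields listed under Phase 1 (what was collected, where from, for what purpose, on which system, shared with whom, for how long, and whether it crosses a border) and the retention plan described here can be evaluated by the same script: each dataset is checked for gaps in its record and for whether its retention period has run out since its last use. The following Python is an added example written for this article, not IIRIS Consulting’s tooling; the datasets, systems, retention periods and dates are constructed for illustration, and the "as of" date is the article’s publication date.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Date on which the sample review is evaluated (the article's publication date).
AS_OF = date(2026, 4, 27)


@dataclass
class InventoryEntry:
    dataset: str              # human-readable name of the record set
    category: str             # customer, employee, applicant, vendor ...
    source: str               # where the data was obtained
    purpose: str              # why it was collected; empty if nobody can say
    system: str               # where it is stored
    last_activity: date       # last time the data was used or updated
    shared_with: list[str] = field(default_factory=list)
    retention_days: int = 0   # days kept after last activity; 0 means no period defined
    cross_border: bool = False


def findings(entry: InventoryEntry) -> list[str]:
    """Gaps that must be fixed before the entry counts as evidence of compliance."""
    out = []
    if not entry.purpose.strip():
        out.append("no documented purpose")
    if entry.retention_days <= 0:
        out.append("no retention period")
    if entry.cross_border:
        out.append("cross-border transfer: confirm contractual terms")
    return out


def deletion_due(entry: InventoryEntry, today: date) -> bool:
    """Past its retention period; an undefined period never triggers deletion on its own."""
    if entry.retention_days <= 0:
        return False
    return today > entry.last_activity + timedelta(days=entry.retention_days)


def review_inventory(inventory: list[InventoryEntry], today: date) -> dict[str, str]:
    """Classify each dataset: 'delete' (past retention), 'review' (gaps in the record) or 'keep'."""
    actions = {}
    for e in inventory:
        if deletion_due(e, today):
            actions[e.dataset] = "delete"
        elif findings(e):
            actions[e.dataset] = "review"
        else:
            actions[e.dataset] = "keep"
    return actions


def sample_inventory() -> list[InventoryEntry]:
    """Constructed entries; systems, periods and dates are invented for this example."""
    return [
        InventoryEntry("2019 trade-show leads", "customer", "event badge scans", "",
                       "sales spreadsheet", date(2019, 11, 20), retention_days=365),
        InventoryEntry("active CRM contacts", "customer", "web enquiry form", "sales follow-up",
                       "CRM", date(2026, 3, 1), retention_days=730),
        InventoryEntry("rejected applicant CVs", "applicant", "job portal", "recruitment",
                       "HR shared drive", date(2025, 6, 30), retention_days=180),
        InventoryEntry("payroll records", "employee", "HR onboarding", "payroll and statutory filing",
                       "payroll system", date(2026, 4, 1), retention_days=2555),
        InventoryEntry("support call recordings", "customer", "helpdesk line", "quality assurance",
                       "cloud telephony", date(2026, 4, 20), shared_with=["telephony vendor"],
                       cross_border=True),
    ]


def sample_review(today: date = AS_OF) -> dict[str, str]:
    return review_inventory(sample_inventory(), today)


if __name__ == "__main__":
    for dataset, action in sample_review().items():
        print(f"{action:7} {dataset}")
```

Two design choices matter here. An entry with no retention period is sent to "review", not "delete", because an undefined period is a gap in the record rather than a decision to keep or discard. And the stale trade-show leads are marked "delete" before their missing purpose is even considered: once the retention period has run out there is nothing left to document, which is the "get rid of things you don’t need anymore" step from Phase 1.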

Keep an eye on the companies you work with, the online tools you use, and how you use AI. Review your contracts with these companies and add DPDP Act clauses so that they use the data only for the purpose you gave it to them and delete it when you stop working together. Set rules for how employees use AI tools: they should not be putting sensitive information such as resumes, complaints, health data, or identity documents into systems that are not properly managed. This is one of the fastest-growing areas in which companies mishandle personal data.

Privacy failures at small businesses usually come from things like shared passwords, reusing data just because “it’s there,” or adopting new tools without reviewing them first. Role-appropriate training for sales, support, HR, finance, and IT, with the documentation and logs to show for it, turns your compliance effort into concrete evidence.

Phase 3: Maturing While You Grow

As your organisation grows, the manual controls you relied on at the start will no longer be trustworthy. Set a regular review cycle for your data maps, notices, vendor controls, and so on. Watch for changes to your compliance profile caused by growth, shifts in your sector, or an increase in the sensitivity of the data you process. Companies in categories such as fintech, health tech, ed tech, or high-volume B2C models should mature ahead of scale rather than wait for a control gap to appear.

Minimum Evidence Set for All Companies

At the end of a successful, practical DPDP implementation, your company should be able to point to:

  • An accountable internal stakeholder
  • A live data inventory
  • Reviewed collection-point notices
  • Logs of consent and withdrawal of consent
  • Accessible rights and grievance procedures
  • A retention strategy
  • Assessment rules/criteria for both vendor and AI tools
  • Baseline security controls
  • An incident response playbook
  • Training documentation

Closing Thought

The DPDP Act is not merely a law about paperwork. It is a law about how businesses work. A business that can show a current data map, a working rights process, a defensible deletion schedule, and proof of implementation is in a much better position than one that relies on a generic privacy policy. This is true for regulators and equally for clients and partners, who ask the same questions again and again before they sign a deal.

IIRIS Consulting helps businesses all over India with everything from DPDP implementation to technology risk advice and compliance readiness checks. If you are seeking help, write to us at contactus@iirisconsulting.com
