1. Know your data (discovery & inventory)
You cannot protect or account for data you cannot see. Start by discovering where personal data lives across databases, cloud storage, SaaS apps and files.
- Inventory every system that stores or processes personal data
- Classify personal and sensitive data, including India-specific identifiers (PAN, Aadhaar, bank account, IFSC, UPI ID, GSTIN)
- Map each data category to a processing purpose and a lawful basis
2. Establish lawful, purpose-bound consent
- Capture granular, purpose-specific consent — not blanket acceptance
- Present notice in clear language and in the applicable Indian language(s)
- Make withdrawal as easy as giving consent, and ensure it propagates downstream
- Generate a verifiable, tamper-evident consent artifact for every action
3. Enable Data Principal rights
- Access to a summary of personal data and processing activities
- Correction, completion, updating and erasure
- Right to nominate another to exercise rights on death or incapacity
- Grievance redressal with clear SLAs and escalation
4. Maintain records & governance
- Keep Records of Processing Activities (RoPA) current
- Run DPIAs for higher-risk processing
- Define and enforce retention and deletion schedules
- Appoint a DPO / grievance officer and publish contact details
5. Prepare breach response
- Detect, classify and log personal data breaches end to end
- Notify the Data Protection Board and affected Data Principals in the prescribed form and timelines
- Keep an immutable breach register with root cause and remediation
6. Prove it (audit readiness)
- Maintain a tamper-evident audit trail of access and processing
- Produce compliance reports suitable for the Data Protection Board
- Re-scan periodically to catch drift as systems change
This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.