DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

General awareness

A Privacy Policy alone is not DPDP compliance

A frequent assumption is that once an organisation has published a privacy policy on its website, it is DPDP compliant. The policy is one part of compliance, and often the smallest part.

A privacy policy tells people what you intend to do with their data. DPDP compliance is whether you can actually do it, and prove it. One is a paragraph. The other is a system.

Start with the document itself

What the Act actually requires is a notice under Section 5, given to the Data Principal, in clear and plain language, itemising the personal data and the purpose, and explaining how to withdraw consent, how to exercise rights, and how to complain to the Data Protection Board. A generic website privacy policy is not automatically that notice.

The document is only the visible part

Most of compliance is what the visitor never sees.

  • A lawful basis for each processing activity, either consent or a Section 7 legitimate use. A policy that describes processing you have no basis for is not compliance. It is a written record of the gap.
  • The ability to honour Data Principal rights in practice: access, correction, erasure, grievance redressal, and nomination. A policy that promises these without a working process behind it is a promise you cannot keep.
  • Reasonable security safeguards, and the ability to respond to a personal data breach, including the required intimation to the Board and to affected individuals.
  • Retention limits, and actual erasure once the purpose is served, not just a sentence saying you will.
  • A contract with every processor that handles personal data on your behalf.
  • Records that let you show all of the above, because under the Act accountability sits with the Data Fiduciary.

Here is the practical risk

The danger is not that you lack a document. It is that a polished policy can describe a standard you have not built. On inspection, a confident policy with no machinery behind it is worse than silence, because it documents the distance between what you promised and what you can do.

So before polishing the privacy policy, ask a different question.

If a Data Principal exercised every right this policy promises tomorrow, could we actually deliver, within the timelines, and show our records?

If the answer is no, the priority is not the wording. It is the system behind it.

In your experience, where is the widest gap between what privacy policies promise and what organisations can actually deliver: rights handling, breach response, or retention and erasure?

#DPDP #DPDPAct2023 #DPDPRules2025 #DataProtection #PrivacyLaw #IndiaLegal #Compliance

Infographic: A privacy policy is the tip; compliance is the system beneath it. It contrasts a published privacy policy with the underlying DPDP compliance machinery: lawful basis, Data Principal rights, security and breach response, retention and erasure, processor contracts, and records.
