A borrowed privacy policy says little about the operation beneath it. Takelegal begins with the personal data itself: where it comes from, why it is used, who can access it, which systems or vendors receive it, how long it is kept, and what happens when a person makes a request. India's Digital Personal Data Protection framework has phased commencement, so current provisions and rules need review at the time of the work. Sector, employment, consumer, contract, cybersecurity, and cross-border issues may also require separate specialist input. The coordination work connects fact gathering, decisions, documents, and implementation owners. Independent counsel or security professionals provide regulated or specialist work under their own engagements. The policy has to describe the practice, not stand in for it.
Build a data map people recognise
The useful map begins with business events: a prospect submits a form, an employee joins, a customer opens an account, a vendor provides support, or a user asks for deletion. For each event, it records the personal data involved, source, purpose, system, location, access, recipient, retention, and owner. The map should include spreadsheets, shared drives, messaging tools, support systems, and manual exports, not only the main product database. Uncertain flows are marked for investigation. Technical and business teams review the same record because each sees different parts of the process. Counsel and security professionals then have a factual basis for their work. The map also shows where a notice, contract, permission, retention rule, or control no longer reflects what the business actually does.
- Business event and data source
- Purpose, system, and access
- Vendor or other recipient
- Retention and accountable owner
Align notice, choice, and practice
A privacy notice should describe the current practice in language a person can understand. Purpose decisions, notice content, consent or another applicable basis, the withdrawal route, request process, and internal owner must agree with one another. Independent counsel reviews the current legal framework and the company's facts. Product screens, sales forms, employee processes, and vendor flows should tell a consistent story. A pre-ticked box or broad statement cannot repair an undisclosed use. The business also needs to decide what happens when a person declines an optional use or withdraws consent for a consent-based purpose. Rights and duties depend on the provisions in force and the role the company performs. The operating process should make a valid request visible, verifiable, and capable of completion within the applicable requirements.
- Purpose and audience for each notice
- Choice and withdrawal path
- Request verification and ownership
- Product behaviour consistent with the text
Control vendors and movement
A vendor can receive personal data through hosting, support, analytics, payroll, recruitment, communications, security, or ordinary file sharing. For each material provider, the register identifies its role, data, purpose, location, access, subcontractors, retention, return or deletion process, and incident duties. Procurement, security, privacy, and commercial owners should agree on the fact set before independent counsel reviews contract terms. Cross-border processing and sector restrictions require current professional assessment where relevant. The company also needs an offboarding plan. Cancelling a subscription does not prove that exported files, backups, support copies, or administrator access have been handled as intended. The register should name the internal owner and the event that triggers another review.
- Provider role and personal data involved
- Processing location and access
- Subcontractor and incident terms
- Return, deletion, and offboarding evidence
Prepare for incidents and product change
Privacy controls need a route for suspected loss, unauthorised access, misdirected disclosure, system compromise, or misuse. The incident plan names the contact tree, initial fact record, evidence-preservation steps, decision authority, communication owner, and route to independent legal and security professionals. Notification duties and timing require current advice based on the facts and rules in force. The business should avoid premature certainty while still acting quickly to contain harm. Product changes need similar discipline. A new feature, vendor, data source, artificial-intelligence use, or retention practice can invalidate an old map and notice. A short privacy review at the design stage is cheaper than explaining a hidden flow after launch. Changes are recorded with the decision, owner, and documents that need updating.
- Incident contact and decision tree
- Initial facts and evidence preservation
- Independent legal and security review
- Change trigger for map and notice updates
Primary sources and further reading
- MeitY: Digital Personal Data Protection Act, 2023
- MeitY: Digital Personal Data Protection Rules, 2025 and enforcement materials
Rules and procedures change. Check the current official source and obtain advice for the facts of your matter.