🔍 Phase 0 (2-4 weeks)

Phase 0: DPDP Readiness Assessment

Before diving into implementation, assess where the organisation stands today. This phase maps the current data landscape, identifies gaps against DPDP requirements, and builds the business case for compliance investment. Many Indian organisations — especially mid-sized ones — have never conducted a privacy assessment, so expect to start from scratch.

🎯 Objectives

  • Understand the organisation's current data processing activities and personal data holdings
  • Identify whether the organisation is likely to be classified as a Significant Data Fiduciary
  • Map current privacy practices against DPDP Act requirements to identify gaps
  • Build an executive-level business case for compliance investment
  • Establish a compliance project team and governance structure

Personal Data Discovery

Conduct a systematic sweep across all databases, file shares, cloud storage, SaaS applications, and paper records (that may be digitised) to identify where personal data of Indian citizens resides. Use data discovery tools, database schema analysis, and stakeholder interviews. Focus on identifying: what personal data is collected, where it is stored, who has access, and how long it is retained.

🎓 Beginner's Note

If you have never done a data discovery exercise, start by listing every application and database your client uses. For each one, ask: Does it contain any data that can identify a living person? If yes, it is in scope.

💡 Consultant Tips

  • Start with databases and CRMs — they typically hold the most personal data
  • Do not forget email inboxes, shared drives, and WhatsApp groups — Indian businesses commonly share customer data through informal channels
  • Check with HR for employee data — often the largest volume of personal data
  • Look for Aadhaar numbers, PAN numbers, and bank details — these are high-sensitivity items in the Indian context

DPDP Gap Assessment

Compare current practices against each requirement of the DPDP Act. Create a gap register with columns for: DPDP Requirement, Current State, Gap Description, Risk Level, and Remediation Effort. Cover all major areas: consent management, notice requirements, data principal rights fulfilment, security safeguards, breach notification readiness, children's data handling, cross-border transfers, and grievance redressal.

🎓 Beginner's Note

A gap assessment is simply: what does the law require, and does the organisation do it today? For each DPDP requirement, mark it as Green (compliant), Amber (partially compliant), or Red (non-compliant). This gives leadership a clear visual of the compliance posture.

💡 Consultant Tips

  • Use the compliance checklist in this playbook as your baseline
  • Rate each gap as Critical, High, Medium, or Low based on penalty exposure
  • Most organisations will have significant gaps in consent management and data principal rights fulfilment
  • Pay special attention to children's data — many organisations do not even check user age

SDF Classification Analysis

Evaluate whether the organisation is likely to be designated as a Significant Data Fiduciary by the Central Government. Consider the volume of data processed, number of Data Principals affected, sensitivity of data, and the organisation's market position. If SDF designation is likely, plan for additional obligations from Day 1.

🎓 Beginner's Note

Think of SDF as the 'big leagues' of data protection compliance. If your client is a large company processing lots of personal data, they will likely be in this category and need to do more (DPO, DPIA, audits) than smaller companies.

💡 Consultant Tips

  • If the organisation processes data of more than 1 million Data Principals, assume SDF designation is possible
  • Financial institutions, telecom companies, e-commerce platforms, and healthtech companies are prime SDF candidates
  • Even if not designated initially, plan for SDF obligations as a stretch goal — it demonstrates maturity
  • The government will notify SDF criteria through Rules — monitor for updates

Stakeholder Mapping and Executive Briefing

Identify all internal stakeholders who will be impacted by DPDP compliance: Legal, IT, HR, Marketing, Customer Service, Product, and the Board of Directors. Conduct an executive briefing to explain the DPDP Act, the gap assessment results, the penalty exposure, and the recommended compliance roadmap. Secure budget and executive sponsorship.

🎓 Beginner's Note

You need a senior executive champion for this project to succeed. Without top-level support, compliance initiatives stall as soon as they require cross-departmental changes. Present this as both a risk-mitigation measure and a business opportunity.

💡 Consultant Tips

  • Lead with penalties — Rs 250 Crore gets executive attention immediately
  • Show specific gaps and their penalty exposure in rupee terms
  • Identify a C-level sponsor (ideally CEO, CFO, or General Counsel)
  • Frame compliance as a competitive advantage — 'DPDP-ready' will become a market differentiator

Third-Party and Vendor Assessment

Inventory all third parties (vendors, partners, processors) with whom personal data is shared. Assess each vendor's DPDP readiness. Under the Act, the Data Fiduciary is responsible for the actions of its Data Processors, so vendor risk is your client's risk.

🎓 Beginner's Note

Make a list of every company your client sends personal data to. For each one, ask: Do they protect the data adequately? Do our contracts require them to? Under DPDP, if a vendor has a data breach with your client's data, your client is liable.

💡 Consultant Tips

  • Request DPDP compliance attestations from all vendors processing personal data
  • Pay special attention to cloud providers, payment processors, and marketing platforms
  • Review existing contracts for data protection clauses — most will need updating
  • Create a vendor risk tiering system: Tier 1 (processes large volumes), Tier 2 (moderate), Tier 3 (minimal)

📦 Phase Deliverables

  • Personal Data Inventory Report — comprehensive register of all personal data holdings
  • DPDP Gap Assessment Report with risk-rated findings and remediation recommendations
  • SDF Classification Analysis and recommendation
  • Executive Briefing Deck with business case and budget request
  • Third-Party Data Sharing Register
  • Project Charter with timeline, milestones, roles, and governance structure