📑 Phase 1 (4-6 weeks)

Phase 1: Data Inventory & Consent Audit

Build a detailed, system-level personal data inventory and audit all existing consent mechanisms. This phase creates the foundational data map that everything else depends on. You cannot manage what you do not know you have.

🎯 Objectives

  • Create a comprehensive Record of Processing Activities (ROPA) for all personal data
  • Audit all existing consent collection mechanisms for DPDP compliance
  • Map all data flows — internal and external — involving personal data
  • Identify all instances of children's data processing
  • Assess cross-border data transfer activities

Detailed Record of Processing Activities (ROPA)

For every system, database, and process that handles personal data, document: the categories of personal data, the purpose of processing, the legal basis (consent or legitimate use), retention periods, security measures, data flow destinations (internal and external), and whether children's data is involved. This is the master reference for your entire compliance programme.

🎓 Beginner's Note

ROPA is essentially a big table that says: For Process X, we collect Data Y, for Purpose Z, stored in System A, shared with Vendor B, kept for N months. If you have done data modelling, think of ROPA as an entity-relationship diagram but for privacy.

💡 Consultant Tips

  • Use a structured spreadsheet or GRC tool — do not try to maintain ROPA in Word documents
  • Interview process owners for each business function: HR, Finance, Sales, Marketing, Customer Support, IT
  • Include automated processing: analytics pipelines, ML models, automated marketing, chatbots
  • Map both structured data (databases) and unstructured data (documents, emails, chat logs)

Consent Mechanism Audit

Review every point where the organisation currently collects consent from individuals. This includes website forms, mobile app sign-ups, paper forms, phone-based consent, email opt-ins, and cookie banners. For each mechanism, assess: Is the consent free, specific, informed, unconditional, and unambiguous? Is there a clear notice preceding the consent? Can the individual withdraw consent easily?

🎓 Beginner's Note

Go through your client's website and app as if you were a customer. Sign up, create an account, make a purchase. At every step, note: Did they ask for my consent? Was the notice clear? Did I understand what I was consenting to? If you as a professional cannot answer yes, ordinary consumers certainly cannot.

💡 Consultant Tips

  • Screenshot every consent interface for your audit file
  • Check for dark patterns: pre-ticked boxes, confusing language, consent buried in T&Cs
  • Verify that each consent is linked to a specific purpose, not a blanket consent
  • Test the withdrawal process — try to actually withdraw consent and see how hard it is

Data Flow Mapping

Create visual diagrams showing how personal data flows through the organisation: from collection points, through processing systems, to storage locations, and out to third parties. Include cross-border transfers. This map is essential for understanding your data protection surface area and identifying control points.

🎓 Beginner's Note

Imagine you are tracking a single customer record from the moment it enters the organisation. Where does it go? Who touches it? Where does it end up? Draw that journey for each major data category. This is your data flow map.

💡 Consultant Tips

  • Use tools like Visio, Lucidchart, or even simple diagrams — the format matters less than completeness
  • Distinguish between data flows that cross organisational boundaries and internal flows
  • Highlight cross-border transfers with a different colour — these need special attention
  • Include shadow IT and informal channels (WhatsApp, personal email) — they are often the biggest risk

Children's Data Identification

Identify all processing activities that involve data of individuals under 18. Under the DPDP Act, this triggers strict additional requirements: verifiable parental consent, prohibition on tracking and targeted advertising, and prohibition on processing likely to cause harm to a child. Many organisations are unaware they process children's data.

🎓 Beginner's Note

Under 18 means even 17-year-olds are children under DPDP. If your client has any users who might be under 18 — and for consumer-facing businesses, they almost certainly do — you need a plan for children's data compliance.

💡 Consultant Tips

  • Check if your client's services are used by anyone under 18 — education, gaming, social media, and entertainment companies are high risk
  • Review age verification mechanisms (or lack thereof)
  • If the client cannot confirm users are adults, assume children's data is present and plan accordingly
  • India has a very young population — the under-18 demographic is massive, making this a critical area

Retention Schedule Development

For each category of personal data, define how long it must be retained and when it must be deleted. Align retention periods with both business needs and legal requirements (tax records, employment records, etc.). Under DPDP, data must be erased when the purpose is fulfilled and no legal retention requirement exists.

🎓 Beginner's Note

Retention schedule = a table that says 'Delete this type of data after X months/years.' It prevents data hoarding (keeping data forever 'just in case') which is both a privacy risk and a DPDP violation.

💡 Consultant Tips

  • Start with legal requirements: Income Tax Act (8 years), Companies Act (8 years), GST (6 years), employment records (varies by state)
  • For data retained only on consent, define purpose-based retention: 'data retained until order is delivered plus 30-day return window'
  • Do not forget backup tapes and archives — these also contain personal data that must eventually be purged
  • Create a retention schedule matrix: Data Category / Purpose / Legal Basis / Retention Period / Deletion Method
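The ROPA described earlier on this page, the data flow map and the retention schedule matrix above are all views over the same inventory. The following is an added example, not code from the original page or from any DPDP tooling: a small Python helper that treats ROPA rows as the master table and derives the Phase 1 outputs from them: a remediation backlog from the consent, children's-data and retention checks this page lists, the cross-border transfer list, and a Graphviz DOT data-flow map with cross-border edges drawn in red as the Data Flow Mapping tips suggest. The record layout, field names, `HOME_COUNTRY`, the prohibited-purpose labels and the sample rows are assumptions constructed for the example; the checks cover only the requirements stated on this page, not the full DPDP rule set.

```python
"""Phase 1 helper: audit a ROPA-style inventory and derive the deliverables.

Added example, not part of the original page. Field names, country codes,
purpose labels and the sample rows are assumptions; adapt them to the client's
actual ROPA spreadsheet columns.
"""
from __future__ import annotations
from dataclasses import dataclass

HOME_COUNTRY = "IN"  # assumption: transfers to any other country are cross-border

# Assumed purpose labels that the page says are prohibited for children's data
CHILD_PROHIBITED_PURPOSES = {"targeted_advertising", "behavioural_tracking"}


@dataclass
class RopaRecord:
    """One row of the Record of Processing Activities (assumed layout)."""
    process: str
    system: str
    data_categories: list[str]
    purpose: str
    legal_basis: str                    # "consent" or "legitimate_use" per the page
    storage_country: str                # where the system holding the data lives
    recipients: list[tuple[str, str]]   # (vendor, country) for external sharing
    retention_months: int | None = None # None = no retention period defined yet
    deletion_method: str | None = None  # None = no deletion method agreed yet
    children_data: bool = False
    parental_consent_verified: bool = False
    withdrawal_mechanism: bool = False


def audit_record(r: RopaRecord) -> list[tuple[str, str]]:
    """Return (priority, finding) pairs for one ROPA row; empty list = clean."""
    findings = []
    if r.legal_basis not in ("consent", "legitimate_use"):
        findings.append(("high", f"legal basis '{r.legal_basis}' is neither consent nor legitimate use"))
    if r.legal_basis == "consent" and not r.withdrawal_mechanism:
        findings.append(("high", "consent-based processing without an easy withdrawal mechanism"))
    if r.retention_months is None:
        findings.append(("medium", "no retention period defined"))
    if r.deletion_method is None:
        findings.append(("medium", "no deletion method defined (remember backups and archives)"))
    if r.children_data:
        if not r.parental_consent_verified:
            findings.append(("high", "children's data without verifiable parental consent"))
        if r.purpose in CHILD_PROHIBITED_PURPOSES:
            findings.append(("high", f"children's data used for prohibited purpose '{r.purpose}'"))
    return findings


def children_register(records: list[RopaRecord]) -> list[str]:
    """Children's Data Processing Register: processes that touch under-18 data."""
    return [r.process for r in records if r.children_data]


def cross_border_transfers(records: list[RopaRecord]) -> list[tuple[str, str, str]]:
    """(process, destination, country) for every flow that leaves HOME_COUNTRY."""
    out = []
    for r in records:
        if r.storage_country != HOME_COUNTRY:
            out.append((r.process, r.system, r.storage_country))
        for vendor, country in r.recipients:
            if country != HOME_COUNTRY:
                out.append((r.process, vendor, country))
    return out


def remediation_backlog(records: list[RopaRecord]) -> list[tuple[str, str, str]]:
    """(priority, process, finding) triples, highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    backlog = [(prio, r.process, text) for r in records for prio, text in audit_record(r)]
    return sorted(backlog, key=lambda item: (order[item[0]], item[1]))


def to_dot(records: list[RopaRecord]) -> str:
    """Graphviz DOT data-flow map; edges that cross the border are coloured red."""
    lines = ["digraph dataflow {"]
    for r in records:
        colour = "red" if r.storage_country != HOME_COUNTRY else "black"
        lines.append(f'  "{r.process}" -> "{r.system}" [label="{r.storage_country}" color={colour}];')
        for vendor, country in r.recipients:
            colour = "red" if country != HOME_COUNTRY else "black"
            lines.append(f'  "{r.system}" -> "{vendor}" [label="{country}" color={colour}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample inventory (illustrative values, not real client data).
SAMPLE_ROPA = [
    RopaRecord("Customer sign-up", "CRM", ["name", "email", "phone"], "account_management",
               "consent", "IN", [("EmailVendor", "US")], retention_months=36,
               deletion_method="crypto-shred", withdrawal_mechanism=True),
    RopaRecord("Payroll", "HRMS", ["name", "PAN", "bank account"], "salary_processing",
               "legitimate_use", "IN", [], retention_months=96, deletion_method="secure delete"),
    RopaRecord("Gaming app analytics", "Analytics DB", ["device id", "play history"],
               "targeted_advertising", "consent", "SG", [("AdNetwork", "US")],
               children_data=True),
]

if __name__ == "__main__":
    for prio, process, text in remediation_backlog(SAMPLE_ROPA):
        print(f"[{prio:6}] {process}: {text}")
    print("Cross-border:", cross_border_transfers(SAMPLE_ROPA))
    print(to_dot(SAMPLE_ROPA))
```

Run as-is it prints the backlog for the constructed rows (the gaming analytics row is the one that fails: consent without withdrawal, children's data without verified parental consent, a prohibited purpose, and no retention or deletion entries), the three cross-border flows, and a DOT graph you can render with `dot -Tpng`. Replacing `SAMPLE_ROPA` with rows loaded from the client's spreadsheet turns this into a repeatable check that can be re-run whenever the inventory changes.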

📦 Phase Deliverables

  • Complete Record of Processing Activities (ROPA)
  • Consent Mechanism Audit Report with findings and recommendations
  • Data Flow Diagrams (internal and external, highlighting cross-border transfers)
  • Children's Data Processing Register
  • Data Retention Schedule Matrix
  • Remediation Backlog with prioritised consent and notice fixes