Data Protection Compliances 

Start by conducting a Data Audit to map all personal data you collect, store, and share (especially from customers, employees, vendors). Then:

• Draft a Privacy Policy tailored to Indian law

• Build a Consent Management System

• Update contracts with DPDP-compliant clauses

• Nominate a Grievance Officer and designate internal compliance roles

We assist in executing this end-to-end through a DPDP Compliance Pack.

You must:

• Execute a Data Protection Consent + Notice with all Indian employees

• Localise your Employee Data Policy for India

• Include a lawful purpose and retention clause

• Review global HR tech tools for Indian data compliance

• Update your internal training and SOPs to align with Indian law

We provide a DPDP-compliant Employee Privacy Toolkit with everything ready to roll out.

You should enter into a Data Processing Agreement (DPA) or add a DPDP clause in your Master Services Agreement (MSA) if:

• You process data on behalf of the client

• You act as a data fiduciary using third-party processors The DPA must define responsibilities, cross-border data handling, breach notification, and deletion protocols. We draft watertight, India-ready DPAs.

Key clauses to include:

• Compliance with Indian privacy laws (DPDP, IT Act, etc.)

• Indemnity for data breaches or non-compliance

• Data breach notification timelines (within 72 hours or less)

• Audit and inspection rights for clients or partners

• Retention and deletion obligations post-termination

We tailor these to your vendor, client, or partner agreements for risk coverage.

Consent must be free, specific, informed, and unambiguous. You should:

• Use granular opt-ins, not default “I agree” checkboxes

• Log timestamped records of consent

• Allow easy withdrawal of consent

• Update your Privacy Notice to reflect processing purposes

We offer templated Consent Language + Privacy Notices for HR, websites, and platforms.

Yes. Each data subject category requires a tailored Privacy Notice:

• Employee Privacy Policy (for HR data)

• Customer-facing Privacy Policy (for platforms/websites)

• Vendor/partner data clauses in MSAs or NDAs

We draft customised, DPDP-ready policies for each audience and review existing ones for compliance gaps.

Yes, but only to countries approved by the Indian government (a whitelist is expected). Until then, include in your contracts:

• Cross-border transfer clauses

• Data localisation fallback options

• Appropriate security representations from third parties

You must ensure that these vendors:

• Sign a Data Processing Agreement (DPA)

• Host data in permitted geographies

• Have security certifications (ISO 27001, SOC2, etc.)

• Allow audits if requested

We review third-party tools for legal risk and prepare SaaS onboarding templates to mitigate liability.

Include a clause specifying that Indian law governs and that disputes be resolved in Indian courts or arbitration centers (like Mumbai, Bangalore, or Delhi). For MNCs, this helps centralise data-related disputes and ensures the DPDP Act applies.

You must:

• Draft a Data Breach Response Policy

• Appoint a Grievance Officer or internal breach response team

• Train your staff on breach escalation

• Set protocols for notifying the Data Protection Board and affected individuals

We provide a ready-to-implement incident response SOP aligned with the DPDP Act.