
Data Privacy & Governance

Data Policies & Governance Frameworks


What data policies does my business need?

At a minimum, most businesses need a privacy policy (external, informing users and customers how their data is handled), an internal data governance or data management policy, a data retention policy, a data breach or incident reporting policy, and a cookie policy if you operate a website. Depending on your business, you may also need a data subject rights request procedure, a data processing addendum for your vendor contracts, a confidentiality policy, and a data storage policy. The specific set of policies depends on your industry, the volume and sensitivity of data you handle, and the jurisdictions in which you operate. We help businesses build a policy framework that is proportionate to their risk profile.

What should a privacy policy contain?

Under the DPDP Act, a notice to individuals must specify the personal data being collected, the purpose of processing, and how individuals can exercise their rights including the right to withdraw consent. Under the GDPR, a privacy policy must additionally specify the legal basis for processing, data retention periods, details of cross-border transfers, the identity and contact details of the data controller and DPO, and the right to lodge a complaint with a supervisory authority. A well-drafted privacy policy is clear, specific, and written in plain language. Generic or copy-pasted privacy policies are a compliance risk and erode user trust.

What is a Data Processing Addendum and when do I need one?

A Data Processing Addendum (DPA) is a contractual agreement between a Data Fiduciary (or controller under the GDPR) and a Data Processor that sets out the terms on which the processor handles personal data on behalf of the controller. It specifies the scope and purpose of processing, security obligations, sub-processing restrictions, data breach notification requirements, audit rights, and data return or deletion obligations on termination. A DPA is legally required under the GDPR when you engage any third party to process personal data on your behalf. Under the DPDP Act, the Data Fiduciary remains accountable for the processor’s actions, making a robust DPA commercially essential even apart from regulatory requirements.

How often should data policies be reviewed and updated?

At a minimum, data policies should be reviewed annually and updated whenever there is a material change in your data processing activities, a change in applicable law or regulation, a data breach or near-miss incident, or a significant change in your technology stack or business model. The DPDP Rules and the GDPR both expect organisations to maintain current and accurate documentation. Outdated policies are not just a compliance gap; they create operational confusion and undermine your position in the event of a regulatory inquiry or litigation.