Data Protection / DPDP

Startup DPDP: Data Map and Controls

CA Nikhil Gupta·June 2026·3 min readData Protection / DPDP

A privacy policy is not a data map and does not prove that every collection, use and vendor transfer is lawful.

Quick View

Owner

Privacy lead with business owners

Cadence

Quarterly and at product change

First control

Create a system-level data inventory.

Core evidence

Data inventory and flow diagram.

Why It Matters

The Digital Personal Data Protection framework applies through notified provisions and rules. Startups should check commencement dates before assuming that every obligation is simultaneously live.

Map each data field from collection to deletion: person, purpose, source, system, access, vendor, location, retention and security. Include employee, candidate, customer, user, vendor and website data.

Notices and consent should reflect the real product. Pre-ticked boxes, bundled unrelated purposes and inaccessible withdrawal routes create risk. Processing may also rely on other grounds permitted by law, which should be documented.

Control Framework

ControlWhat it coversOperating rule
CollectionField, person and source are identified.Collect only what the product needs.
PurposeBusiness and legal purpose is recorded.Avoid silent reuse.
SharingProcessors and third parties are mapped.Use contracts and access limits.
RetentionDeletion or legal retention rule is assigned.Test actual system deletion.

Action Checklist

  1. Create a system-level data inventory.
  2. Map notice and consent at collection points.
  3. Review processor and vendor contracts.
  4. Define retention and deletion schedules.
  5. Build rights and grievance workflows.
  6. Test high-risk access and exports.

Practical Example

A CRM stores customer phone numbers collected for delivery, but the marketing team exports them to an external campaign tool without a documented purpose or vendor review. The data map exposes the uncontrolled secondary use.

Evidence to Keep

  • Data inventory and flow diagram.
  • Notices and consent records.
  • Vendor and processor agreements.
  • Access-control reports.
  • Retention and deletion evidence.
  • Rights-request and grievance log.

Warning Signs

  • Copying a foreign privacy notice without matching the product.
  • Treating employee data as outside privacy control.
  • Keeping data indefinitely.
  • Allowing uncontrolled spreadsheet exports.
  • Assuming vendor responsibility replaces company accountability.

Management Decision

Prioritise high-volume, sensitive and externally shared data. Build controls into product design and procurement rather than fixing notices after launch.

Maintain a commencement tracker for the Act and Rules. The company should distinguish controls already legally effective from prudent controls implemented in advance.

Document the decision, owner, due date and evidence expected. A verbal explanation should be converted into a board note, approved working, contract amendment, portal acknowledgement or reconciliation before the item is treated as closed.

Rules, forms, thresholds and interpretations can change. The operating team should use the latest official source and the actual company facts instead of copying a control from another entity or prior year.

Monthly Review Test

Ask four questions: Is the obligation or accounting treatment applicable? Has the underlying transaction been completely recorded? Does the evidence agree with the books and portal? Has an independent reviewer challenged the exception?

The review should distinguish a timing difference from an error, a judgement from a missing document, and a control failure from a one-time operational delay. Repeated small exceptions deserve root-cause action because they often become material during audit, fundraising, notice or distress.

Exception Review

The operating record should connect the control stages—collection, purpose, sharing, retention—to the same transaction population. If the source list, accounting ledger, tax return, board record and management dashboard use different populations, the review can appear complete while exceptions remain outside the test.

Management should define an exception threshold, but the threshold must not hide repeated failures. A small error occurring every month can signal weak master data, unclear ownership or a broken interface. The reviewer should record root cause, immediate correction and preventive action separately.

Closure requires evidence. At minimum, the file should show who prepared the work, who reviewed it, which source documents were used, what differences remained and when the next follow-up is due. Screenshots without context or spreadsheets without source references are not a durable control record.

Map the actual data and money flows rather than relying on contract labels. Systems, vendors, user screens and bank accounts should agree with the legal role allocated in the contract; a platform cannot avoid regulatory responsibility through marketing terminology.

Incident and complaint data should feed the control review. Repeated consent withdrawals, failed settlements, customer complaints or access exceptions are evidence that the designed process is not operating as intended.

Frequently Asked Questions

Are all DPDP provisions effective at once? â–¼
No. Check notified commencement and transition dates for the relevant obligation.
Does consent solve every processing question? â–¼
No. The law recognises its own permitted grounds and requires purpose-specific analysis.
Is employee data included? â–¼
Personal data in employment systems requires mapping and control subject to the applicable framework.
Who owns the programme? â–¼
Business, product, security, HR, legal and finance share responsibility; one accountable leader should coordinate.