Statement of Work (SOW): DPDPA Consulting for Client
1. Objective
The objective of this engagement is to assist Client in assessing, aligning, and implementing compliance measures with the Digital Personal Data Protection Act (DPDPA) 2023, ensuring robust data protection, minimal regulatory risk, and operational readiness.
2. Scope of Work
Phase 1: Current State Assessment
• Conduct stakeholder interviews across functions (HR, IT, Legal, Sales).
• Map personal data (PII) flows across business processes and IT systems.
• Identify personal data processed (customers, employees, vendors).
• Assess current data protection controls against DPDPA requirements.
• Deliverable: DPDPA Gap Assessment Report.
Phase 2: Perform Privacy Impact Assessment (PIA)
Evaluate the potential risks and impact of processing personal data.
Data Classification & Inventory
• Build a personal data inventory covering:
o Type of data processed (sensitive/personal).
o Purpose, legal basis, storage location, and retention.
• Classify data based on risk and regulatory criticality.
• Deliverable: Data Inventory & Classification Matrix.
Phase 3: Compliance Framework Design
• Define roles and responsibilities: Data Fiduciary, Data Processor, Consent Manager, etc.
• Design consent management, grievance redressal, and data subject rights procedures.
• Develop a DPDPA-aligned privacy policy.
• Develop a Data Processing Agreement (DPA) template for vendors or suppliers acting as Data Processors on Client's behalf.
• Identify cross-border transfer risks and develop controls.
• Deliverables:
o Draft Policies & Procedures
Phase 4: Controls Implementation Support
• Support in implementing technical & organizational controls:
o Consent mechanisms
o Data retention & deletion processes
o Data breach notification procedures
• Advisory integration with existing systems (CRM, HRMS, ERP).
• Deliverable: Implementation Roadmap & Control Register
Enable data principal rights
• The right to know what personal data is being processed by a Data Fiduciary, the processing activities undertaken concerning such personal data, and the identities (and not just categories) of all other Data Fiduciaries and data processors to whom the personal data has been shared.
• The right to correction, completion (i.e., complete any incomplete data), updating, and erasure of personal data for the processing of which the Data Principal has previously given consent.
• The right to grievance and redress for any act or omission of the Data Fiduciary regarding the performance of its obligations relating to the Data Principal’s personal data.
• The right to nominate any other individual to exercise the Data Principal’s rights in the event of death or incapacity.
Incident Response and Reporting
Develop an incident response plan to address personal data breaches promptly. Establish a reporting mechanism to notify the Data Protection Board of India and each affected Data Principal, as required under the DPDPA, and conduct regular compliance audits to check adherence to DPDPA requirements.
Monitor and Audit Employee Access to Personal Data
Regularly review and audit access to personal data to ensure compliance with the DPDPA. Conduct periodic privacy audits to identify and address potential vulnerabilities.
Appoint a Data Protection Officer (DPO) or Privacy Officer
Designate a DPO responsible for ensuring DPDPA compliance, managing data audits, and serving as the point of contact for grievance redressal. Under the DPDPA, appointing a DPO is mandatory only for an entity notified as a Significant Data Fiduciary; every Data Fiduciary must nonetheless publish the business contact details of a DPO or other person able to answer Data Principals' questions about processing. Ensure that the DPO has the necessary knowledge and expertise in data protection laws and practices.
Phase 5: Training & Awareness
• Conduct role-based training (Leadership, Legal, IT, HR, Operations).
• Awareness sessions on DPDPA obligations and individual responsibilities.
• Deliverable: Training Material & Attendance Logs
Phase 6: Audit & Readiness Assessment (Optional)
• Conduct mock audits and evidence reviews.
• Identify gaps in documentation or control execution.
• Provide a readiness scorecard and executive summary.
• Deliverable: DPDPA Compliance Readiness Report
3. Timeline
Phase 1: Assessment Duration: 2 weeks
Phase 2: Inventory: Duration: 2 weeks
Phase 3: Framework: Duration: 3 weeks
Phase 4: Implementation: Duration: 4 weeks
Phase 5: Training: Duration: 1 week
Phase 6: Audit: Duration: 1 week
4. Key Assumptions
• Client will provide timely access to key personnel and documentation.
• IT and legal teams will actively participate in data flow workshops.
• This is a consulting engagement; implementation is advisory in nature unless otherwise agreed.
5. Out of Scope
• Implementation of third-party tools or platforms.
• Remediation of identified IT security gaps unless separately scoped.
6. Confidentiality
All data shared during the engagement will be handled in strict confidence and used solely for the purpose of compliance assessment and advisory.