10 Common DPDP Compliance Mistakes Indian Businesses Make (And How to Fix Them)
By Arpit Garg | DPDP | 2025-08-30
Learn from others' failures: the most costly DPDP compliance mistakes made by Indian businesses. Each mistake includes real-world examples, cost implications, and step-by-step remediation guidance.
## TL;DR Summary
After 50+ DPDP compliance audits, we've identified 10 mistakes that appear in 80% of Indian businesses. The biggest offenders: bundled consent, ignored employee data, and treating compliance as a one-time project. Each mistake in this guide includes real cost implications and step-by-step fixes from our consulting experience.
---
## About the Author
**Arpit Garg**
*Founder & Chief Privacy Officer, Complynz*
Arpit has conducted privacy audits for 50+ Indian organizations, identifying gaps that range from minor policy issues to potential ₹250 crore liability. His assessment frameworks have helped clients avoid regulatory action while reducing compliance costs. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).
*This article is based entirely on real audit findings. Client details have been anonymized. AI helped organize the content; all examples are from actual engagements.*
---
## Why We Wrote This Guide
Every month, we audit 4-5 organizations for DPDP compliance readiness. We've noticed the same mistakes appearing repeatedly—not because people are careless, but because these pitfalls aren't obvious until someone points them out.
This guide shares the 10 most common issues we find, with real examples and practical fixes.
---
## Mistake #1: The Generic Privacy Policy Problem
### What We See
Organizations copy-paste privacy policies from the internet or competitors, ending up with documents that don't match their actual data practices.
### Real Example
A retail chain had a privacy policy mentioning "sophisticated AI-powered personalization" when they actually just used basic email marketing. Meanwhile, their actual practice of sharing customer data with a delivery partner wasn't mentioned at all.
### Why This Matters
- **Regulatory Risk:** Policy ≠ practice is an automatic violation
- **Customer Trust:** 67% of Indian consumers now read privacy policies (Nielsen 2024)
- **Penalty Exposure:** Up to ₹50 crore for misleading notices
### How We Fix It
**Step 1: Audit Reality First**
Before touching the policy, document what you actually do:
- What data do you collect?
- Who do you share it with?
- How long do you keep it?
**Step 2: Rewrite for Honesty**
| Stop Writing | Start Writing |
|--------------|---------------|
| "We may process data for various purposes" | "We use your email to send order updates and promotional offers" |
| "We implement industry-standard security" | "We encrypt your data and require passwords for access" |
**Step 3: Keep It Current**
Review policy quarterly. Update within 30 days of any practice change.
---
## Mistake #2: The "Accept All" Consent Trap
### What We See
Single checkbox for all data processing. "I agree to terms, privacy policy, and marketing communications." Users must accept everything or use nothing.
### Real Example
An EdTech platform required students to consent to "data sharing with partner institutions and marketing communications" to access course materials. When we audited, we found 0% of users would have consented to marketing if given a choice.
### Why This Matters
- **Invalid Consent:** DPDP Act requires unbundled, specific consent
- **Customer Friction:** 40% abandon signup when consent feels forced
- **Penalty:** Up to ₹50 crore per violation instance
### How We Fix It
**Step 1: Separate Essential from Optional**
```
Required (to use service):
☑ Order processing and delivery
Optional (your choice):
☐ Marketing emails about new products
☐ Personalized product recommendations
☐ Sharing with partner brands
```
**Step 2: No Penalty for Refusal**
Users who decline optional processing must still receive full service for essential functions.
**Step 3: Individual Consent Records**
Track each consent separately, not just "agreed to everything on [date]."
---
## Mistake #3: The Consent Withdrawal Maze
### What We See
Getting consent is a one-click process. Withdrawing consent requires finding a buried settings page, navigating 5 screens, or emailing customer support.
### Real Example
A fintech app made signup a 30-second process. Opting out of marketing required: Settings → Account → Privacy → Communication Preferences → Wait 72 hours for email confirmation → Click confirmation link. Users gave up halfway.
### Why This Matters
- **Direct Violation:** DPDP Act says withdrawal must be as easy as giving consent
- **Regulatory Scrutiny:** Consent withdrawal complaints are easy wins for regulators
- **Penalty:** Up to ₹50 crore
### How We Fix It
**Same Effort Rule:**
If consent took 1 click, withdrawal should take 1 click.
| Channel | Consent | Withdrawal |
|---------|---------|------------|
| Email | Subscribe button | One-click unsubscribe |
| SMS | Reply YES | Reply STOP |
| App | Toggle on | Toggle off (same screen) |
| Web | Checkbox | Preference center |
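The per-purpose consent records from Mistake #2 (Step 3) and the "same effort" withdrawal rule from Mistake #3 can be demonstrated in one small ledger. The following is an added example written for this article, not code from the author or from any product described here; the purpose names, the essential/optional split, and the in-memory store are assumptions chosen for illustration. It keeps an append-only event history per purpose, lets withdrawal take a single call with immediate effect, and keeps essential service independent of optional consents.

```python
"""Per-purpose consent ledger (added example; purpose names and store are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes are split into essential (needed to deliver the service) and
# optional (the user's free choice). Constructed names, not from any real product.
ESSENTIAL_PURPOSES = {"order_processing"}
OPTIONAL_PURPOSES = {"marketing_email", "recommendations", "partner_sharing"}


@dataclass
class ConsentEvent:
    purpose: str
    action: str      # "granted" or "withdrawn"
    channel: str     # where it happened: "web", "app", "sms", "email"
    at: datetime


@dataclass
class ConsentLedger:
    # user_id -> events, oldest first. Events are never overwritten, so the
    # record answers "what did this user agree to, when, and through what channel?"
    events: dict = field(default_factory=dict)

    def _record(self, user_id, purpose, action, channel):
        if purpose not in ESSENTIAL_PURPOSES | OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.setdefault(user_id, []).append(
            ConsentEvent(purpose, action, channel, datetime.now(timezone.utc))
        )

    def grant(self, user_id, purpose, channel):
        self._record(user_id, purpose, "granted", channel)

    def withdraw(self, user_id, purpose, channel):
        # One call, effective immediately: no confirmation e-mail, no waiting period.
        self._record(user_id, purpose, "withdrawn", channel)

    def is_permitted(self, user_id, purpose):
        """True only if the most recent event for this exact purpose is a grant."""
        latest = None
        for ev in self.events.get(user_id, []):
            if ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "granted"

    def service_available(self, user_id):
        """Essential service depends only on essential purposes, never on optional ones."""
        return all(self.is_permitted(user_id, p) for p in ESSENTIAL_PURPOSES)

    def history(self, user_id, purpose):
        """Audit trail for one purpose: (action, channel, ISO timestamp) tuples."""
        return [
            (ev.action, ev.channel, ev.at.isoformat())
            for ev in self.events.get(user_id, [])
            if ev.purpose == purpose
        ]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("user-42", "order_processing", "web")   # essential, ticked at signup
    ledger.grant("user-42", "marketing_email", "web")    # optional, separately ticked
    ledger.withdraw("user-42", "marketing_email", "email")  # one-click unsubscribe
    print("marketing permitted:", ledger.is_permitted("user-42", "marketing_email"))
    print("service available:", ledger.service_available("user-42"))
    print("partner sharing:", ledger.is_permitted("user-42", "partner_sharing"))
    for row in ledger.history("user-42", "marketing_email"):
        print(row)
```

A purpose that was never granted is simply not permitted; there is no "agreed to everything" default. Because the ledger stores events rather than a single flag, a later dispute about whether marketing mail was authorised can be answered from the history for that one purpose.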
---
## Mistake #4: The Employee Data Blind Spot
### What We See
Intense focus on customer data. Meanwhile, HR systems contain sensitive employee information with minimal protection: biometrics, health records, bank details, performance reviews.
### Real Example
A 500-employee company invested ₹15 lakhs in customer consent management. Their HR system stored Aadhaar numbers in plaintext, had no access logging, and retained data of ex-employees for 15+ years "just in case."
### Why This Matters
- **Same Liability:** Employee data has identical protection requirements
- **Higher Sensitivity:** Often includes health, biometric, financial data
- **Same Penalties:** No discount for internal vs. external data
### How We Fix It
**Step 1: Include HR in Data Inventory**
| Employee Data | System | Purpose | Retention |
|---------------|--------|---------|-----------|
| Bank details | Payroll | Salary | Active + 7 years |
| Aadhaar | HRMS | Identity verification | Delete after verification |
| Biometrics | Attendance | Access control | Active employment only |
| Medical records | Insurance | Benefits | As required by insurer |
**Step 2: Update Employment Contracts**
Include privacy notice covering all employee data processing.
**Step 3: Apply Same Standards**
Whatever controls you have for customer data, apply to employee data.
---
## Mistake #5: The Vendor Assumption Error
### What We See
"Our vendors are big companies, they must be compliant." No Data Processing Agreements. No security assessments. No oversight.
### Real Example
A healthcare company processed patient records through a cloud CRM. No DPA existed. When we checked, the CRM stored data on US servers (potential cross-border issue), retained data indefinitely (retention violation), and had no breach notification clause.
### Why This Matters
- **Shared Liability:** You remain responsible for vendor actions
- **Breach Amplification:** 60% of breaches involve third parties (Verizon 2024)
- **Full Penalties:** "Our vendor did it" is not a defense
### How We Fix It
**Step 1: Vendor Inventory**
List every vendor who touches personal data:
- Cloud providers (AWS, Azure, GCP)
- SaaS tools (CRM, marketing, analytics)
- Payment processors
- HR software
- Logistics partners
**Step 2: Assess & Contract**
Essential DPA clauses:
- Processing only per your instructions
- Security obligations matching yours
- 72-hour breach notification
- Audit rights
- Data deletion on termination
**Step 3: Ongoing Monitoring**
Annual vendor reviews. Quarterly for high-risk vendors.
---
## Mistake #6: Reactive Security
### What We See
Security investments only after incidents. "We've never had a breach" becomes justification for minimal controls.
### Real Example
A retailer stored 2 lakh customer records with no encryption, shared admin passwords among 15 staff, and had no backup verification. After a ransomware attack, they spent ₹35 lakhs on recovery—5x what proper security would have cost.
### Why This Matters
- **Average Breach Cost:** ₹17.9 crore in India (IBM 2024)
- **Regulatory Penalty:** Up to ₹250 crore
- **Customer Loss:** 65% leave after a breach
### How We Fix It
**Priority Security Controls:**
| Priority | Control | Cost | Impact |
|----------|---------|------|--------|
| 1 | MFA for all users | ₹0-50K | Prevents 99% of account takeovers |
| 2 | Encryption at rest | ₹1-3L | Protects breached data |
| 3 | Access logging | ₹50K-2L | Enables investigation |
| 4 | Regular backups | ₹50K-1L | Ransomware recovery |
| 5 | Penetration testing | ₹2-5L | Finds vulnerabilities first |
---
## Mistake #7: No Data Retention Policy
### What We See
Data accumulates forever. Customer records from 2010. Emails from departed employees. Backups from three acquisitions ago.
### Real Example
During an audit, we found a company storing data from 500,000 former customers—some from 15 years ago. When asked about retention policy: "Storage is cheap."
### Why This Matters
- **Increased Attack Surface:** More data = more breach exposure
- **DPDP Violation:** Must delete data when purpose is fulfilled
- **Discovery Costs:** Old data complicates legal matters
### How We Fix It
**Step 1: Define Retention**
| Data Type | Retention | Reason |
|-----------|-----------|--------|
| Active customers | While active | Service provision |
| Former customers | 2 years post-departure | Business need |
| Transaction records | 7 years | Tax law |
| Marketing leads | 1 year if no engagement | Consent validity |
| Employees | 5 years post-exit | Labor law |
**Step 2: Automate Deletion**
Set up systems to flag and delete data at retention expiry.
**Step 3: Don't Forget Backups**
Retention applies to backups too. Implement backup rotation.
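One way to automate the retention schedule above, including the backup check from Step 3, is a small job that computes each record's expiry from its triggering event and reports what is due for deletion. This is an added example written for this article, not the author's tooling; the category names, the constructed sample records, and the backup snapshot map are assumptions, and in practice the rules would come from the approved retention policy rather than a hard-coded table.

```python
"""Retention expiry and deletion flagging (added example; data and categories are constructed)."""
from dataclasses import dataclass
from datetime import date

# Years to keep after the triggering event, mirroring the retention table.
# None means "keep while the relationship is active" (no expiry while active).
RETENTION_YEARS = {
    "active_customer": None,   # while active
    "former_customer": 2,      # after departure
    "transaction": 7,          # tax law
    "marketing_lead": 1,       # after last engagement
    "former_employee": 5,      # after exit
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date   # departure, transaction date, last engagement, exit date


def add_years(d, years):
    """Calendar-year addition; 29 Feb rolls to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec):
    # Unknown category raises KeyError on purpose: an unclassified record must be
    # classified, not silently kept forever.
    years = RETENTION_YEARS[rec.category]
    return None if years is None else add_years(rec.trigger_date, years)


def due_for_deletion(records, today):
    """IDs of records whose retention period has ended on or before `today`."""
    due = []
    for rec in records:
        exp = expiry_date(rec)
        if exp is not None and exp <= today:
            due.append(rec.record_id)
    return sorted(due)


def deletion_report(records, backups, today):
    """backups: snapshot name -> set of record IDs it contains.
    Flags live records to delete and snapshots that still hold expired records."""
    expired = set(due_for_deletion(records, today))
    affected = [name for name, ids in backups.items() if ids & expired]
    return {"delete": sorted(expired), "backups_to_rotate": sorted(affected)}


# Constructed sample data (not from any audit).
def sample_records():
    return [
        Record("r1", "active_customer", date(2020, 1, 1)),
        Record("r2", "former_customer", date(2023, 6, 30)),   # expires 2025-06-30
        Record("r3", "transaction", date(2019, 3, 15)),       # expires 2026-03-15
        Record("r4", "marketing_lead", date(2025, 1, 10)),    # expires 2026-01-10
        Record("r5", "former_employee", date(2022, 12, 31)),  # expires 2027-12-31
        Record("r6", "former_customer", date(2024, 2, 29)),   # expires 2026-02-28
    ]


def sample_backups():
    return {
        "weekly-2026-01": {"r1", "r2", "r3"},
        "yearly-2024": {"r4", "r5", "r6"},
    }


def run_report(today_iso):
    """Convenience entry point taking an ISO date string, e.g. "2026-02-01"."""
    return deletion_report(sample_records(), sample_backups(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(run_report("2026-02-01"))
```

Run the job on a schedule, feed its `delete` list to the actual deletion routine, and treat `backups_to_rotate` as the list of snapshots that must age out (or be rebuilt) before the retention obligation is really met.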
---
## Mistake #8: Rights Request Chaos
### What We See
Customer asks for their data. Request bounces between departments. No one knows the process. Response takes 60 days. Information is incomplete.
### Real Example
A bank received an access request. It took 45 days to respond because nobody knew which systems contained the customer's data. The response missed data from 3 systems entirely. Customer complained to regulator.
### Why This Matters
- **Regulatory Complaints:** Rights violations are easy to prove
- **Reputation Damage:** Customers share bad experiences
- **Penalty Risk:** Significant fines for rights failures
### How We Fix It
**Step 1: Designate Ownership**
- Create privacy@company.com
- Assign clear owner with authority
- Define escalation path
**Step 2: Document Process**
| Day | Action |
|-----|--------|
| 1 | Acknowledge receipt |
| 2-3 | Verify identity |
| 4-7 | Gather data from all systems |
| 8-14 | Review and prepare response |
| 15-21 | Deliver response |
**Step 3: Prepare Templates**
- Identity verification request
- Access response
- Correction confirmation
- Deletion confirmation
---
## Mistake #9: Privacy as IT Project Only
### What We See
Privacy compliance delegated to IT. Legal, HR, Marketing, Operations not involved. Technical controls without governance.
### Real Example
IT implemented encryption and access controls. Meanwhile, Marketing continued buying customer lists from data brokers, HR stored resumes indefinitely, and Sales shared customer data via personal WhatsApp.
### Why This Matters
- **Incomplete Coverage:** IT can't fix business processes
- **Cultural Failure:** Privacy not embedded in decisions
- **Ongoing Violations:** Technical controls don't stop behavioral issues
### How We Fix It
**Step 1: Cross-Functional Committee**
| Role | Contribution |
|------|--------------|
| DPO (Chair) | Coordination, expertise |
| IT | Technical controls |
| Legal | Regulatory interpretation |
| HR | Employee data practices |
| Marketing | Customer data practices |
| Operations | Process compliance |
**Step 2: Embed in Business Processes**
- Privacy review for new projects
- Data questions in vendor onboarding
- Privacy section in product requirements
---
## Mistake #10: One-Time Compliance Mindset
### What We See
Compliance treated as a project with an end date. "We did DPDP compliance in 2024, we're done."
### Real Example
A company spent ₹20 lakhs on DPDP readiness in 2024. Two years later: no policy updates, 15 new systems not assessed, 8 new vendors without DPAs, zero training for 200 new employees.
### Why This Matters
- **Compliance Drift:** Gaps accumulate over time
- **New Risks:** Business changes create new exposures
- **Regulatory Changes:** Rules evolve, you must adapt
### How We Fix It
**Continuous Compliance Schedule:**
| Activity | Frequency | Owner |
|----------|-----------|-------|
| Consent monitoring | Weekly | Marketing |
| Rights request tracking | Monthly | DPO |
| Security log review | Monthly | IT |
| Vendor compliance | Quarterly | Procurement |
| Policy review | Annually | Legal |
| Full audit | Annually | DPO |
---
## Conclusion
These 10 mistakes appear in 80% of our audits. The good news: every one is preventable with awareness and proper planning.
**Start Fixing Today:**
1. Audit your consent practices
2. Review vendor agreements
3. Include employee data in scope
4. Establish ongoing governance
---
## Sources & References
1. Digital Personal Data Protection Act, 2023 - MeitY
2. IBM Cost of a Data Breach Report, 2024
3. Verizon Data Breach Investigations Report, 2024
4. Our internal audit data (50+ assessments, 2022-2026)
---
*Last Updated: February 2026*
*[Contact us for compliance guidance →](/contact)*