Trusted by Global Companies


Head of Infrastructure and Security

Leading Financial Services Company in India

Checkmate DPDP Compliance Process

A Trusted Solution for Companies and Privacy Professionals.

On August 24, 2017, privacy became a fundamental right under the Indian Constitution, (Article 21 [Right to Life & Liberty]). In a continued effort to safeguard individuals and the processing of their personal data, the Indian Parliament enacted the Digital Personal Data Protection Act of 2023 on August 11, 2023.

The DPDP Act 2023 outlines the rights of data principals, collection and processing of personal data and penalties for non-compliance of obligations.
Here is a step-by-step process of getting DPDP compliant.

Step 1: Appoint a DPO and publish the business contact information

“Assisted Data Protection with our International Expert Team“

Under the DPDP, businesses are required to make their business contact information publicly accessible to respond to inquiries from Data Principals. This is why working with an external data protection delegate may be agreat option, since it guarantees the independence under which a DPO has to act according to different data protection laws.

Borneo offers DPO-as-a-service and you can count on our international legal team, specialized in privacy and data protection. They are always available for questions and doubts and will provide you with a fully personalized solution.


Step 2: Map Data Flows and Generate Reports

Understand your Sensitive Data Footprint

Adhering to DPDP Act principles, organizations must be fair and transparent with their data handling actions and must enforce data minimization and retention policies.

Borneo simplifies and automates the process of creating 100% real-time maps of your company's data flows for a detailed and visual identification of the data your organization processes, who is responsible and how it is transferred internally or externally.

We help you to minimize the risks of non-compliance and to comply with all the privacy requirements by triggering automated notifications workflows for the data minimization and retention policies.


Step 3: Automate Security Controls

Easy Identification and Management of TOMs and Security Safeguards

The DPDP Act requires organizations to take appropriate technical and organizational security safeguards to protect personal data against unauthorized access, use, disclosure, alteration, or destruction.

You will have access to a library of hundreds of handy templates based on various common standards like our Borneo favorites, RBI Guidelines, ISO27001, ENISA, and many more.

You can identify already implemented TOMs with an easy check and identify missing ones that have to be implemented.


Step 4: Automate DPIAs and Risk Assessments

Carry out a Preventive Analysis before the Treatment of your Data

Along with nominating a DPO, the DPDP Act obligates organizations to undertake periodical DPIA and audits, conducted by significant data fiduciaries only, to evaluate compliance with the Act.

All aspects of a data protection impact assessment (DPIA) required are described in detail by our platform so that you can easily meet the requirements.

Our visualization makes it easy to understand and assess influencing factors. You can see exactly the threats to which personal data may be exposed, the risk probability, and the damage that can occur.

Once the risks are identified, Borneo selects the probability, impact, and level of the risks detected. Borneo then suggests the security recommendations your company should follow and lists the tasks that the company must perform to mitigate the risks detected.


Step 5: Data Breach Notification

Optimize your Data Breach Management

In the event of a data breach, organizations are required to inform the Board and each affected individual.

Enhance your privacy and compliance teams through integration with Slack, Jira and EventBridge. This ensures they receive real-time notifications to remediate critical violations.

Build a register to document all past data breach cases, allowing you to download reports and be prepared for further investigations such as due diligence or audits.


Step 6: Draft a Privacy Notice

Adapted to Legislative Changes and your Business Needs

To obtain valid consent in accordance with the DPDP Act, you need to make sure that the data principals are “informed.” This requires data fiduciaries to provide data principals with a privacy notice.

Borneo provides the necessary level of legal protection as we support you in drafting the appropriate privacy notice and terms and conditions of use and contracting.

Automatic policy generation and updates, auto generate policies based on templates customized for your business.


Step 7: Meet Cookie Compliance

Adapted to Legislative Changes and your Business Needs

The DPDP Act places emphasis on consent, including the usage of cookies.

Borneo is able to automatically analyze your website or app to identify what data the cookies collect, to know what tools are in use and to be able to detect any data processing that is carried out.

Our team of international data protection experts can also advice you on cookie banner compliance with the DPDP Act.


Step 8: Monitor and Track Consent

Stay up-to-date and Increase User’s Trust

Consent of Data Principals, once given, has to be regularly monitored by Consent Managers. They have to enable data principals to give, manage, review, and withdraw their consent, through a transparent, user-friendly platform.

In Borneo’s platform, each person responsible has all their data protection related tasks, with legal documentation if needed, in their personal tab on the dashboard, sorted by priority and due date.

Borneo sends alerts of legal changes, regular reviews, data management requirements, deletion, and so on, to ensure you are compliant with DPDP.


Step 9: Assess Third Parties & Manage Vendor Risk

Keep control of all your Data Recipients

Under the Act, personal data may be transferred to third countries, provided that the transfer is not prohibited by the Government. However, any stricter localization requirements imposed under other Indian laws will continue to apply.

Vendor risk management is a part of implementing appropriate security safeguards on personal data. Discover recipients with Borneo, to add them automatically and maintain a real-time list for easy assessment of third parties and vendors.

With the help of the integrated recipient registry on Borneo, you can easily categorize and validate your third-party providers, attach the required legal safeguards for data transfers to your recipients and make sure that your external service providers and third parties are also held accountable.


Step 10: Automate Consumer Access Requests

Automated and Visual Map of your Company’s Data

In exercising their Rights to be Informed, Access, Rectification, Erasure, of Grievance Redressal, and/or to Nominate, Data Principals may request for details of the processing activities related to their personal data.

With our platform, you will receive a recommended list of the most common processing activities. You can manage data workflows in which you know exactly what information to enter and where.

Borneo’s automated processing reports are available for submission to authorities and management.


Step 11: Implement a procedure to redress the grievances of Data Principals

Automate the Process of Rectification & Deletion Requests

Data Principals have the option to submit access requests and, in certain instances, lodge grievances related to processing activities.

Borneo can generate a record of all your data processing activities with one-click, so it’s easy to keep up to date and prove compliance when needed.


Step 12: Appoint an Independent Data Auditor

Determine the Treatment Requirements of the Personal Data you Handle

Appointing an independent data auditor is crucial for conducting regular audits to verify the adherence to the aforementioned procedures and compliance with the DPDP Act.

Borneo’s data protection audit helps you identify the needs of the data being processed specific to your company, as treatments/processes will differ depending on the type of data being treated and what you intend to do with it. Borneo also equips you with easy export of Audit ready reports.


Choose real-time data protection. Choose Borneo.

Manage risk, increase trust, and accelerate innovation across your entire data ecosystem.