Privacy Policies, Internal SOPs, and Codes of Practice: What Organisations Often Miss
Feb 9, 2026
Introduction
Organisations often believe that drafting a privacy policy or publishing a code of practice is enough to demonstrate compliance. In reality, these documents are only the visible part of a much larger framework. While written policies are crucial, they must be backed by operational discipline: internal SOPs, governance structures, and monitoring mechanisms that determine whether privacy commitments are truly lived out or remain aspirational.
According to recent research, only 9% of Indian organisations report having a thorough understanding of the Digital Personal Data Protection (DPDP) Act, indicating a readiness gap. Over 80% of organisations have not updated their privacy policies or started implementing the Act's provisions end-to-end, which reflects this limited understanding and the slow adoption rate. The lack of alignment between these documents and operational realities exposes organisations to investigation by the Data Protection Board of India, with penalties of up to ₹250 crores, besides reputational risk and loss of trust with data subjects. Understanding what these documents must state, how they must operate, and the typical pitfalls organisations fall into is therefore central to the compliance process, not incidental to it.
Privacy Policies and the Statutory Notice Requirement
Section 5 of the DPDP Act requires that every request for consent from a data principal must be accompanied by, or preceded by, a notice issued by the data fiduciary. This notice is mandatory, not optional. The notice must inform the data principal of three things: the personal data and the purpose for which the data fiduciary intends to process it; the manner in which the data principal can exercise rights under Sections 6(4) and 13 of the DPDP Act; and the manner in which the data principal can file a complaint with the Data Protection Board of India.
Rule 3 of the DPDP Rules 2025 spells out this requirement in minute detail. The notice must be easily comprehensible, separate from other information, and in plain language. The notice must allow the data principal to provide “specific and informed” consent. This is a requirement that will be strictly construed by the Board and the courts.
Common Organisational Oversights
Organisations often omit essential components from their privacy policies and related governance documents. First, they frequently articulate broad purposes such as “to improve services” or “to enhance user experience” without clarifying the specific processing activities involved. For example, a data fiduciary collecting location data from a mobile application must specify whether the data is processed for real-time service delivery, analytics, feature improvement, or third-party advertising. Each distinct purpose necessitates separate, granular consent. Consolidating these purposes into a single consent request contravenes the requirement for specificity.
Second, organisations sometimes do not clearly specify the categories of personal data collected. Data subjects must be informed precisely about the types of data collected, such as name, email address, phone number, biometric data, health information, financial data, or behavioural data. Indeterminate language such as “information you provide” does not meet the statutory standard.
Third, many privacy policies do not adequately address data retention and deletion. Policies should specify the justification for retention and the procedures for secure deletion once retention requirements are fulfilled. Rule 8 of the DPDP Rules requires secure deletion or anonymisation of data after the retention period expires. Organisations that state data is retained “for as long as needed” without defining this term or outlining deletion procedures fail to comply with both the statutory framework and Rule 8.
Fourth, organisations often omit or insufficiently describe grievance redressal mechanisms. Section 13 of the DPDP Act requires data fiduciaries to provide an accessible grievance redressal mechanism, and Rule 14 mandates a response within 90 days. However, many compliance frameworks reference grievance redressal superficially, without including contact details such as email addresses, phone numbers, or online complaint portals. The mechanism must be functional and accessible.
Fifth, Rule 9 of the DPDP Rules obligates data fiduciaries to publish the business contact details of the DPO or the responsible individual. When organisations designate a DPO but do not disclose that person's contact details, data subjects are unable to exercise their right to seek information regarding data processing. This failure severely undermines compliance oversight.
Transparency and Section 4: The Policy-Practice Gap
Section 4(1) of the DPDP Act establishes the foundational principle that a person may process personal data only in accordance with the Act and for a lawful purpose, with consent, or for certain legitimate uses. This provision imposes two distinct obligations: the processing must be lawful (no processing for purposes expressly forbidden by law), and the processing must be transparent (the data principal must be informed of what is being processed and why).
Transparency is implemented through privacy notices and ongoing communication between the data fiduciary and data subjects. The DPDP Act requires transparency to be a continuous process, providing accessible information about personal data handling beyond the initial point of consent.
The Disconnect Between Policy and Operations
Organisations often develop comprehensive privacy policies that articulate transparency principles, yet these principles are not consistently operationalised. For example, a data fiduciary may declare in its policy that personal data is processed solely for specified purposes and that secondary use requires separate consent. However, operational systems may automatically derive secondary purposes from primary data collection without initiating additional consent requests. Similarly, a health application may collect location data for emergency services, but the operational system may subsequently use that data for advertising recommendations without obtaining renewed user consent.
This gap between policy and practice constitutes a violation of Section 4(1) and Sections 5–6. It indicates to the Data Protection Board that the organisation lacks effective operational governance, that its policies are disconnected from actual business practices, and that accountability is not genuine.
To operationalise transparency, data fiduciaries must maintain contemporaneous records of processing activities, establish immutable audit trails for all material actions involving personal data, implement mechanisms for rapid retrieval of processing information in response to data subject requests, and proactively communicate material changes in processing to data subjects. Organisations that cannot retrieve information promptly demonstrate a misalignment between their systems and transparency principles.
Internal SOPs: The Missing Operational Anchor
Whilst privacy policies articulate principles at a high level, internal standard operating procedures must translate those principles into step-by-step operational workflows. The DPDP Act requires data fiduciaries to operationalise several critical workflows through documented procedures: Section 8 of the DPDP Act requires organisations to implement reasonable security safeguards; Rule 6 specifies safeguards including encryption, access controls, and audit logging; Rule 7 establishes the 72-hour breach notification timeline; Rule 8 mandates secure data deletion upon retention expiry; and Rule 14 requires grievance redressal within 90 days.
These requirements are not one-time implementations but ongoing operational obligations. Many organisations document these requirements in policy yet fail to translate them into operational SOPs.
Common SOP Failures
Organisations frequently establish internal SOPs addressing these operational requirements yet fail to operationalise them in practice. Common failures include: SOPs exist but are not implemented (breach notification procedures sit on a file server whilst breach response teams respond ad-hoc); SOPs are centralised but teams are siloed (IT Security detects a breach but Legal is unaware until 48 hours later, compressing the 72-hour window); SOPs lack automation (data deletion requires manual identification of data nearing expiry); SOPs are not aligned with third-party responsibilities (processors hold personal data indefinitely); and SOPs are not reviewed or updated (static documents become obsolete as regulations evolve).
Organisations must ensure that documentation is not only established but also implemented, monitored, and regularly reviewed. The Data Protection Board will assess compliance by verifying the existence of SOPs and evaluating operational evidence of adherence to these documented procedures.
Codes of Practice: The Accountability Framework
Section 40 of the DPDP Act authorises the Central Government to issue codes of practice that establish compliance standards. These codes are designed to translate the Act’s abstract principles into concrete, verifiable standards. While comprehensive codes of practice have not yet been published by the Central Government, organisations may choose to develop internal codes that interpret the DPDP Act and Rules into sector-specific operational standards. Such internal codes can help establish accountability and demonstrate diligence, but formal compliance will ultimately be assessed against the provisions of the Act, the Rules, and any Government-issued codes of practice.
Organisational Oversights
One recurring challenge is that organisations often fail to integrate their internal codes of practice into the broader compliance framework. If those internal standards are ignored or inconsistently applied, accountability is weakened, which ultimately raises enforcement risk. Another oversight is the tendency to leave codes static. Organisations often fail to align their codes with evolving regulatory guidance; a code developed earlier may not reflect requirements introduced in the DPDP Rules 2025.
Finally, organisations often underestimate the evidentiary role of codes. In the event of a breach, the Data Protection Board can assess whether the organisation complied with its own documented practices and whether those practices reflect statutory duties. Therefore, a well-structured and consistently enforced code of practice can strengthen organisational accountability.
Data Subject Rights: The Operationalisation Challenge
Sections 11–14 of the DPDP Act establish critical rights for data principals. These include rights such as the right to access information about their personal data and its processing; the right to correct, complete, or update their data; the right to erasure of their data; and the right to grievance redressal. These rights are enforceable obligations. Data fiduciaries must establish mechanisms enabling data principals to exercise these rights. Rule 14 specifies that fiduciaries must respond to rights requests within 90 days.
The Evidence Gap
A significant oversight by organisations is the failure to recognise that data subject rights cannot be fulfilled without comprehensive data visibility. If an organisation cannot identify the location of personal data, track its sharing, or ensure its deletion across all systems, it cannot adequately respond to data subject requests.
Common evidence gaps include unstructured data outside core systems (emails, shared drives, archived documents); data shared with third parties without tracking mechanisms; backup and archival systems without deletion procedures; and limited visibility into algorithmic processing. Organisations frequently cannot explain what processing occurred or how to reverse it, preventing meaningful response to data subject access requests.
Conclusion
Privacy policies, SOPs, and codes of practice support governance only when they connect legal requirements to actual operations. When these documents are not aligned with practice, such as when policies require transparency but systems do not provide it, SOPs are ignored, or codes of practice are unenforceable, they indicate governance failure rather than compliance.
The DPDP Act expects these documents to promote accountability among data fiduciaries. Employees should understand and consistently apply privacy obligations. Third-party processors must adhere to fiduciary standards. Data subjects should trust that their rights are protected, and the Data Protection Board should be able to enforce accountability using documented standards. Organisations that treat privacy policies, SOPs, and codes as formalities and disregard them risk regulatory scrutiny, financial penalties, and reputational harm. In contrast, organisations that integrate these documents into daily operations, maintain up-to-date compliance records, and foster a privacy by design culture demonstrate a genuine commitment to data integrity and respect.