Question: Are privacy notices provided to data subjects in clear, accessible language describing rights, purposes, and contact details?
Why This Matters
Transparent communication builds trust and fulfills legal obligations under DPDP and GDPR. Notices must be concise yet comprehensive.
Maturity
0 — Unaware
No privacy notice published.
1 — Ad Hoc
Generic notice copied from templates.
2 — Defined
Organization-specific notice reviewed by Legal.
3 — Managed
Notices segmented for employees, customers, vendors.
4 — Integrated
Notices linked to the processing register and updated dynamically when it changes.
5 — Optimized
Layered interactive notices with language localization.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Draft basic privacy notice for website. |
| 1 → 2 | Tailor to organization’s specific processing. |
| 2 → 3 | Add employee and vendor versions. |
| 3 → 4 | Link notices to the processing register and include the DPO contact email. |
| 4 → 5 | Implement multi-layer notices with auto-update. |
Enablers
- People: DPO, Legal, Marketing Team
- Process: Notice draft → review → publish → update
- Technology: CMS / website platform
Evidence
- Published notices (URLs)
- Review approval records
- Change log
KPIs
- Number of notices reviewed annually
- Average time to update after policy change
- Number of languages supported
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| CMS | WordPress / Ghost | Easy notice hosting |
| Version control | Git | Track changes |
| Localization | DeepL API | Translate key sections |
Common Pitfalls
- Overly legalistic language
- Notices never updated
- Missing contact email or effective date
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.3 (Transparency) |
| DPDP Act 2023 | 6 (Notice to Data Principals) |
| GDPR | Art. 12–14 |
| NIST CSF 2.0 | GV.PO / ID.DP |
| NIRMATA Mapping | PD-Q04 ensures transparency to individuals. |