
CCPA / GDPR / DPDPA Compliance Services
Global Privacy Compliance Backed by Legal Expertise

Data privacy law is the most rapidly evolving area of regulation globally — and non-compliance carries financial penalties, regulatory investigation, and reputational harm. SIRI Law LLP’s integrated privacy compliance practice combines qualified legal counsel with certified privacy engineers to build compliance programmes that satisfy India’s DPDPA, Europe’s GDPR, and California’s CCPA simultaneously — without creating three separate, contradictory programmes.

What It Is & Why It Matters

CCPA / GDPR / DPDPA Compliance Services: The Essentials

India’s Digital Personal Data Protection Act, 2023 (DPDPA) imposes obligations on every organisation that processes personal data of Indian data principals — including consent requirements, Data Fiduciary obligations, breach notification, data localisation (for significant data fiduciaries), and a grievance redress mechanism. Penalties reach ₹250 crore for serious violations.

The EU General Data Protection Regulation (GDPR) applies to any organisation processing personal data of EU data subjects — regardless of where the organisation is based. Indian businesses with EU customers, employees, or users must comply. GDPR violations can result in fines up to €20 million or 4% of global annual turnover.

California’s CCPA/CPRA applies to businesses that meet specific thresholds and process California residents’ personal data — including Indian businesses selling to California. All three frameworks share core principles (lawfulness, purpose limitation, data subject rights, breach notification) but differ in specific requirements. We design a single integrated programme that satisfies the strictest applicable requirement in each area.

Privacy compliance is not a one-time project — it is an ongoing operational programme that must adapt to legal changes, business changes, and technology changes. The key is building a sustainable, documented, and auditable programme — not a collection of policies that sit on a server and are never used.

The most common privacy compliance failure we see is organisations that have privacy policies but no operational processes to back them up — no way to actually respond to data subject rights requests, no documented legal basis for processing activities, and no breach response plan that has ever been tested.

AI systems create new privacy compliance challenges — training data consent, inference data use, automated decision-making obligations, and the right to erasure from training datasets. We specifically advise on AI-era privacy compliance that addresses these emerging obligations.

Scope of Services

What Our Engagement Covers

Our Engagement Process

How We Work — Step by Step

1. Initial Scoping & Assessment

We conduct a gap assessment against the applicable framework, define the engagement scope, and produce a prioritised remediation roadmap with timeline and effort estimates.

2. Programme Design

We design the compliance programme — control framework, documentation structure, evidence requirements, and governance processes — tailored to your organisation.

3. Implementation Advisory

We advise on implementing each required control — working alongside your technical and operational teams to build controls that are practical and auditable.

4. Internal Audit & Validation

We conduct an internal audit or readiness assessment — identifying any remaining gaps before the formal certification or attestation process begins.

5. Certification / Attestation Support

We support the formal audit or assessment — managing auditor queries, providing evidence, and resolving findings on the day.

6. Post-Certification Advisory

After certification, we provide ongoing support — surveillance audit preparation, change management, and regulatory update advisory.

Typical engagement timeline varies by organisation size and existing control maturity.

Certified Engineers

Our Team Holds

CCSP, CISM, CIPP/E, CEH, OSCP, CISSP, CPENT, ISO 27001 LA

Integration Advantage

Our compliance engagements are backed by qualified legal counsel — ensuring your programme satisfies both technical certification requirements and legal obligations under DPDPA, IT Act, and sector-specific regulation.

Benefits & Deliverables

What You Get from This Engagement

Multi-Jurisdiction Assessment

Holistic gap assessment across DPDPA, GDPR, and CCPA — identifying the highest compliance bar in each area and designing a single programme that satisfies all frameworks.

Data Mapping

Personal data inventory and data flow mapping — the foundation of every effective privacy compliance programme. You cannot protect what you cannot find.

Legal Basis & Consent Architecture

Legal basis analysis for every processing activity and consent architecture design for activities requiring consent — including layered consent for AI data use.

Documentation Programme

Complete documentation library — privacy notices, RoPA, DPIAs, data retention schedules, DPA templates — drafted by qualified privacy lawyers.

Data Subject Rights

Operational procedures for handling access, erasure, correction, portability, and objection requests — including escalation procedures and response templates.

Breach Response

Tested breach notification workflow — CERT-In (6 hours), Data Protection Board, GDPR supervisory authority (72 hours) — with legal strategy integrated from the first moment of detection.

Ongoing Advisory

Monthly regulatory monitoring, quarterly compliance reviews, and DPDPA rule update advisory as delegated legislation and Data Protection Board guidance develops.


Multi-Jurisdiction Gap Report

Compliance status across DPDPA, GDPR, and CCPA — with prioritised remediation roadmap and legislative update tracking.


Privacy Policy & Notice Suite

Legally accurate, plain-language privacy notices — website, app, employee, vendor — in formats required by each applicable framework.


Records of Processing Activities

Complete RoPA document — all processing activities, legal bases, data categories, retention periods, and international transfer mechanisms.


DPIA Reports

DPIAs for all high-risk processing activities — documented, risk-assessed, and signed off by the appropriate authority.


DPA Template Library

Vendor DPA templates for different vendor risk tiers — controller-processor and controller-controller arrangements.


Breach Response Playbook

Tested breach notification workflow with notification templates for each applicable framework and regulatory authority.

Frequently Asked Questions

Does GDPR apply to us if we are an Indian company?

GDPR applies to any organisation that: (a) has an establishment in the EU, or (b) processes personal data of EU data subjects in connection with offering goods/services to them, or monitoring their behaviour within the EU. If your SaaS product has EU users, if you market to EU residents, or if you process EU employee data, GDPR likely applies to you — regardless of where your servers or company are located. We advise on applicability and compliance obligations.

What are the key differences between DPDPA and GDPR?

Both share core principles but differ significantly in: legal basis (DPDPA heavily emphasises consent; GDPR recognises six lawful bases); territorial scope; data subject rights (DPDPA has fewer explicit rights currently); enforcement (DPDPA uses a Data Protection Board; GDPR uses supervisory authorities in each member state); and AI-specific provisions. DPDPA also reserves significant provisions for delegated legislation that is not yet finalised.

How do we handle a data subject’s request to erase their data from our AI training dataset?

This is one of the most complex questions in current privacy law. The GDPR right to erasure (and equivalent obligations likely under DPDPA) applies to personal data used in AI training. For data used in model weights, ‘erasure’ may require model retraining or unlearning techniques. We advise on a risk-based approach — documenting consent at training time, maintaining training data records, and advising on technical and legal responses to erasure requests targeting AI training data.

We process data under DPDPA, GDPR, and CCPA. Do we need three separate programmes?

No — an integrated programme is both possible and more effective. We start by mapping all processing activities and identifying the strictest applicable requirement in each area. The resulting programme typically satisfies all three frameworks with modest additional effort beyond the most demanding baseline. We build integrated documentation — a single privacy policy that satisfies all three frameworks, a single RoPA, and a unified data subject rights process.

Ready to Start Your CCPA Journey?

All engagements begin with a complimentary scoping call. Let us understand your environment and propose the right approach.

Disclaimer: The information on this page is for general informational purposes only. Compliance requirements vary by organisation, sector, and jurisdiction. Engagement with SIRI Law LLP requires a formal retainer.
Note: Regulatory requirements are actively evolving. Advice reflects current standards; clients should seek updated guidance as frameworks develop.