Legal Policies & Breach Management
The DPDP Act requires you to maintain an accurate, published privacy policy, a formal process for reporting data breaches to the Data Protection Board of India (DPBI), and a Record of Processing Activities (RoPA) documenting every way you handle personal data. The Legal module in the Admin Dashboard handles all three.
Navigate to: Admin Dashboard > Legal
| Tab | What it does |
|---|---|
| Legal Policies | Auto-generate a privacy policy and terms of service from your data discovery scan. Version them, publish them, and run a DPDP gap analysis against them. |
| Breach Management | Log and manage data breach incidents. Generate the 6-hour initial report and 72-hour detailed report required by the DPDP Act for DPBI notification. |
| RoPA | Record of Processing Activities. A structured register of every way you process personal data, who is responsible, what legal basis applies, and what retention window you have set. |
Tab: Legal Policies
This tab has four inner views: Overview, Privacy Policy, Terms of Service, and Analyze Existing. The Overview shows the current publication status of both documents.
Privacy Policy
Privacy Labs generates a privacy policy from your data discovery scan. Because the policy is built from what your database actually contains, it is accurate by default and stays in sync as your data map changes.
The generated policy includes the sections the DPDP Act requires: what personal data you collect, the purpose of collection, the legal basis, how long you retain it, who you share it with, how users can exercise their rights, and your Grievance Officer's contact details.
Policy lifecycle
| Status | Meaning |
|---|---|
| Draft | Generated but not yet published. You can edit individual sections. |
| Published | Live version. Version number increments on each publish. A published date is recorded. |
| Archived | A previous version that has been superseded. Kept for audit purposes. |
How to generate and publish
- 1Run a database scan in Data & Audit first. The scan is the source of truth for what data you hold.
- 2Go to Legal > Legal Policies > Privacy Policy. Click Generate.
- 3The policy is created as a draft. Review each section and edit any that need adjustment.
- 4Click Publish. The policy version is incremented and the published date is recorded.
- 5Copy the published policy URL or the HTML embed to add to your website.
- 6If your data map changes (new tables, new columns), regenerate the policy. Existing manual edits are preserved where possible.
Output formats
The policy is available as rendered HTML, Markdown, and section-by-section JSON. Use the Copy button in the UI to get any format.
Terms of Service
Generated alongside the privacy policy. Uses your business information (name, address, jurisdiction) and the data categories from the scan to produce a compliant terms document. Same lifecycle (Draft, Published, Archived) and same workflow as the privacy policy above.
Analyze Existing
If you already have a privacy policy published elsewhere, paste it into the Analyze Existing view. The analyser checks it against DPDP Act requirements and produces:
- An overall compliance score (percentage of requirements met).
- A breakdown of every requirement: Met, Partial, or Missing.
- An explanation of what is missing from each failing requirement.
- Suggested additions to fix the gaps.
Tab: Breach Management
Breach incident fields
When you log a new breach, Privacy Labs captures the full set of information required for DPBI reporting:
| Field | Notes |
|---|---|
| Title | Short name for the incident (internal use). |
| Description | Narrative description of what happened. |
| Severity | Low, Medium, High, or Critical. |
| Breach nature | Unauthorized access, data exfiltration, accidental disclosure, ransomware, lost/stolen device, phishing, or other. |
| Breach extent | How much data was affected. |
| Breach timing | When it occurred and when it was discovered. |
| Breach location | Where the breach happened (system, server, etc.). |
| Data types involved | Names, emails, phones, financial, health, children's data, biometric, government ID (Aadhaar, PAN). |
| Estimated affected | Number of data principals potentially affected. |
| Confirmed affected | Updated once the investigation is complete. |
| Likely impact | What harm could result for data principals. |
| Consequences to principal | Specific impact description for the notification. |
| Mitigation measures | Steps taken immediately to contain the breach. |
| Safety advice | Advice given to affected individuals. |
| Cause description | Root cause analysis. |
| Person responsible | Internal accountability. |
| Remedial measures | Longer-term fixes being implemented. |
| Contact person | Name, email, phone of the internal point of contact for DPBI. |
| DPBI notified | Tracks initial (6-hour) and detailed (72-hour) notification status separately. |
| Principals notified | Whether affected individuals have been notified, and how many. |
Breach status lifecycle
Status advances linearly through the stages. Each transition is recorded in the incident timeline with a timestamp and the name of the person who made the change.
6-hour and 72-hour report templates
From a breach incident's detail page, use the Generate Report button to create either report:
6-hour initial report
Sent to DPBI within 6 hours of becoming aware of the breach. A shorter form covering what happened, what types of data were involved, what immediate steps were taken, and who the contact person is.
Pre-populated from the incident fields you entered. Export as PDF or copy the text.
72-hour detailed report
Full incident report sent to DPBI within 72 hours. Includes root cause, confirmed affected count, remedial measures, principal notification status, and a complete timeline of actions taken.
All fields from the 6-hour report plus the investigation findings. Export as PDF or copy the text.
Tab: RoPA
Record of Processing Activities. A register of every processing activity your organisation performs on personal data. Required under DPDP and international frameworks (GDPR Article 30 equivalent). The RoPA gives your DPO and legal team a single source of truth for what data flows exist and what governs them.
Creating a RoPA entry
Two ways to create entries:
- 1Seed from scan: Click "Seed from Latest DB Scan". Privacy Labs creates draft RoPA entries for each table identified in your data discovery scan. Each entry is pre-populated with the data categories, sensitivity level, and tables detected by the scanner.
- 2Manual entry: Click Add Activity and fill out the form. Use this for processing activities that happen outside your database (e.g. paper forms, email, third-party processors).
RoPA entry fields
| Field | Values / Notes |
|---|---|
| Name | Short name for the processing activity. Example: "User authentication", "Email marketing". |
| Description | What the activity does and why. |
| Status | Draft, Active, Suspended, Completed, Schema Removed. |
| Data categories | Personal identifiers, contact information, financial, health, biometric, children's data, behavioral, location, employment, government ID. |
| Legal basis | Consent, Legitimate use, Legal obligation, Vital interest, Public task. |
| Sensitivity level | Low, Medium, High, Critical. |
| Geographic scope | India only, Overseas, Both. |
| Processing method | Manual, Automated, or Combined. |
| Data location | On-premise, Cloud, or Hybrid. |
| Access control type | RBAC, ABAC, or Other. |
| Retention period | How long this data is kept. |
| Deletion method | Permanent delete, Anonymize, or Pseudonymize. |
| Review frequency | Monthly, Quarterly, Semi-annual, or Annual. |
| Processors | Third parties who process this data on your behalf (vendor name, optional vendor ID). |
Smart re-scan merge
When you run a new data discovery scan and re-seed the RoPA, Privacy Labs merges the new scan results into existing entries instead of overwriting them. Fields you have manually edited are preserved (tracked via a manuallyOverriddenFields list). This means you can keep the RoPA up-to-date without losing the legal-basis decisions and descriptions your team wrote.
Export
Export the full RoPA as CSV from the top of the tab. Use this for external audits, DPO reviews, or sharing with legal counsel.
Next up
With policies published and breach management in place, the Compliance Hub shows you a live composite score across all modules.
Compliance Hub