Evidence Overview

During DPDPA compliance assessments, assessors verify specific evidence to confirm that requirements are met. This article provides the top 40 evidence items assessors actually look for and test.

Evidence Principle

For each control area, assessors look for three types of evidence: (1) Policy/procedure documentation, (2) Implementation evidence showing the control exists, and (3) Operating evidence showing the control works over time.

Governance Evidence (Items 1-8)

1. Privacy Governance Charter

What assessors verify:

  • Document exists and is approved by management
  • Defines accountability for DPDP compliance
  • Establishes roles and responsibilities

2. Privacy Role Assignments

What assessors verify:

  • Named individuals assigned to privacy roles
  • Job descriptions include privacy responsibilities
  • Organisation chart shows privacy function

3. Grievance Officer Designation

What assessors verify:

  • Grievance officer formally designated
  • Contact details published (website, notices)
  • Process for handling grievances documented

4. Privacy Policy Document

What assessors verify:

  • Approved internal privacy policy exists
  • Covers all DPDP requirements
  • Version controlled and distributed

5. Processing Activity Register

What assessors verify:

  • Comprehensive register of processing activities
  • Includes purpose, data types, recipients
  • Regularly updated (evidence of updates)

6. Data Retention Schedule

What assessors verify:

  • Retention periods defined by data type/purpose
  • Evidence of retention enforcement
  • Deletion/anonymisation records

7. Privacy Training Records

What assessors verify:

  • Training program exists
  • Attendance records (who, when)
  • Training content appropriate to roles

8. Management Review Records

What assessors verify:

  • Privacy discussed at management level
  • Meeting minutes showing privacy items
  • Decisions and action items tracked

Notice Evidence (Items 9-14)

9. External Privacy Notice

What assessors verify:

  • Notice contains all required elements
  • Available in required languages
  • Accessible before/at data collection

10. Notice Version History

What assessors verify:

  • Archive of previous notice versions
  • Change log documenting updates
  • Notification to principals of changes

11. Collection Point Notices

What assessors verify:

  • Notices at each collection point (forms, apps)
  • Specific to purpose of collection
  • Screenshots or documentation of placement

12. Employee Privacy Notice

What assessors verify:

  • Separate notice for employee data
  • Covers HR processing purposes
  • Distribution evidence (acknowledgement)

13. Multi-Language Notices

What assessors verify:

  • Notices in applicable scheduled languages
  • Translation accuracy (spot check)
  • Language selection mechanism

14. Notice Legal Review

What assessors verify:

  • Legal review of notice content
  • Sign-off from legal/privacy counsel
  • Periodic review schedule

Consent Evidence (Items 15-22)

15. Consent Collection Mechanism

What assessors verify:

  • Screenshots of consent UI/UX
  • Unticked by default (not pre-selected)
  • Clear affirmative action required

16. Consent Database/Records

What assessors verify:

  • System captures consent records
  • Records include who, what, when, how
  • Sample consent records reviewed

17. Granular Consent Options

What assessors verify:

  • Separate consent for different purposes
  • Optional processing clearly optional
  • Service not denied for refusing optional consent

18. Consent Withdrawal Mechanism

What assessors verify:

  • Withdrawal option exists and accessible
  • As easy as giving consent
  • Screenshots/walkthrough of withdrawal process

19. Withdrawal Processing

What assessors verify:

  • Sample withdrawal requests processed
  • Processing stopped after withdrawal
  • Timeline for processing withdrawal
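As an added illustration, not part of this article or of any DPDPA tooling, the hypothetical consent ledger below shows the kind of records items 16 to 19 ask for: each grant or withdrawal captures who, what purpose, when and how; `is_permitted` answers whether processing for one purpose is allowed at a point in time (purposes stay independent, and no record means no consent); and `withdrawal_audit` checks a processing log for activity after a withdrawal and how long it continued. Principal IDs, purposes, channel names and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: who, what purpose, when, how (item 16)."""
    principal_id: str
    purpose: str      # one consent per purpose keeps consent granular (item 17)
    action: str       # "grant" or "withdraw"
    at: datetime
    channel: str      # how it was given/withdrawn, e.g. "web_form"

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    def record(self, ev: ConsentEvent) -> None:
        if ev.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown consent action: {ev.action}")
        self.events.append(ev)
    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Latest event for (principal, purpose) at or before `at` must be a grant; no record means no consent."""
        relevant = [e for e in self.events
                    if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        return bool(relevant) and max(relevant, key=lambda e: e.at).action == "grant"
    def withdrawal_audit(self, processing_log: list) -> list:
        """Per withdrawal: processing events (principal, purpose, time) for the same purpose after it (item 19)."""
        findings = []
        for ev in (e for e in self.events if e.action == "withdraw"):
            late = sorted(ts for pid, pur, ts in processing_log
                          if pid == ev.principal_id and pur == ev.purpose and ts > ev.at)
            findings.append({"principal": ev.principal_id, "purpose": ev.purpose,
                             "withdrawn_at": ev.at, "processing_after_withdrawal": late,
                             "stop_delay": (late[-1] - ev.at) if late else timedelta(0)})
        return findings

def run_sample() -> dict:
    """Constructed sample data (not real records): marketing consent withdrawn on day 5."""
    t0, ledger = datetime(2025, 1, 10, 9, 0), ConsentLedger()
    ledger.record(ConsentEvent("P-1001", "order_fulfilment", "grant", t0, "web_form"))
    ledger.record(ConsentEvent("P-1001", "marketing", "grant", t0, "web_form"))
    ledger.record(ConsentEvent("P-1001", "marketing", "withdraw", t0 + timedelta(days=5), "account_settings"))
    log = [("P-1001", "marketing", t0 + timedelta(days=2)),           # before withdrawal: fine
           ("P-1001", "marketing", t0 + timedelta(days=5, hours=3)),  # after withdrawal: finding
           ("P-1001", "order_fulfilment", t0 + timedelta(days=6))]    # other purpose: unaffected
    f = ledger.withdrawal_audit(log)
    return {"marketing_day1": ledger.is_permitted("P-1001", "marketing", t0 + timedelta(days=1)),
            "marketing_day6": ledger.is_permitted("P-1001", "marketing", t0 + timedelta(days=6)),
            "fulfilment_day6": ledger.is_permitted("P-1001", "order_fulfilment", t0 + timedelta(days=6)),
            "late_events": len(f[0]["processing_after_withdrawal"]),
            "stop_delay_hours": f[0]["stop_delay"].total_seconds() / 3600}
```

The audit output is the kind of artefact an assessor samples for item 19: the withdrawal timestamp, any processing that continued afterwards, and how long it took to stop.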

20. Children's Age Verification

What assessors verify:

  • Age verification mechanism
  • How children are identified
  • Under-age users rejected in the absence of parental consent

21. Parental Consent Records

What assessors verify:

  • Parental consent collection process
  • Verification of parental authority
  • Sample parental consent records

22. Children's Data Controls

What assessors verify:

  • No tracking/behavioural monitoring of children
  • No targeted advertising to children
  • Technical controls enforcing restrictions

Rights Evidence (Items 23-28)

23. Rights Request Intake

What assessors verify:

  • Request channels published and accessible
  • Request form or process documented
  • Acknowledgement sent upon receipt

24. Identity Verification Process

What assessors verify:

  • Process to verify requester identity
  • Appropriate to sensitivity of data
  • Not an excessive barrier to exercising rights

25. Rights Request Log

What assessors verify:

  • Log of all rights requests
  • Receipt date, type, response date, outcome
  • Sample requests reviewed end-to-end

26. Response Time Metrics

What assessors verify:

  • Responses within required timelines
  • Extension justified where applicable
  • Metrics tracked and reported

27. Sample Response Letters

What assessors verify:

  • Response templates are appropriate
  • Sample actual responses reviewed
  • Complete and accurate responses

28. Grievance Handling Records

What assessors verify:

  • Grievance log maintained
  • Resolution process followed
  • Escalation to the Board if unresolved

Security Evidence (Items 29-34)

29. Security Policy

What assessors verify:

  • Information security policy exists
  • Covers personal data protection
  • Approved and distributed

30. Access Control Evidence

What assessors verify:

  • Role-based access to personal data
  • Access provisioning/deprovisioning process
  • Sample access review records

31. Encryption Evidence

What assessors verify:

  • Encryption at rest configuration
  • Encryption in transit configuration
  • Key management practices

32. Security Testing

What assessors verify:

  • Vulnerability assessments performed
  • Penetration test reports
  • Remediation of findings

33. Security Monitoring

What assessors verify:

  • Logging and monitoring in place
  • Log retention appropriate
  • Alert handling process

34. Third-Party Security

What assessors verify:

  • Security requirements in processor contracts
  • Processor security assessments
  • Ongoing monitoring evidence

Breach Evidence (Items 35-40)

35. Breach Response Plan

What assessors verify:

  • Documented breach response plan
  • Roles and responsibilities defined
  • 72-hour notification process

36. Breach Response Team

What assessors verify:

  • Team roster with contact details
  • 24/7 availability arrangements
  • Authority to act

37. Notification Templates

What assessors verify:

  • Board notification template ready
  • Principal notification templates
  • Pre-approved language

38. Breach Register

What assessors verify:

  • Breach log maintained (even if empty)
  • Near-miss tracking
  • Lessons learned documentation

39. Breach Drill/Exercise

What assessors verify:

  • Tabletop exercise conducted
  • Exercise records and outcomes
  • Improvements implemented

40. Processor Breach Notification

What assessors verify:

  • Contract requires processor notification
  • Timeline for processor notification
  • Tested or exercised with processors