DPDP operational workflows: one hour, one day, one week

Audience: privacy owners, ops leads, legal-adjacent ICs, vendor managers · Last reviewed: March 2026

This page is a set of time-boxed drills—not a duplicate of the master checklist. Use it when leadership asks for momentum on a tight clock, or when you need a shared script before a tabletop exercise. Pair each block with templates, employee training, and official sources for substance your team can defend.

Quick definition: A time-boxed DPDP workflow is a bounded operational drill—rights intake, retention, vendor review, or incident prep—scoped to one hour, one day, or one week so teams ship evidence (owners, tickets, decisions) instead of endless planning. It complements the full checklist and rights / vendor worksheets.

On this page

• Rights intake and DSAR-style handling — 1 hour, 1 day, 1 week
• Retention and deletion drill — 1 hour, 1 day, 1 week
• Vendor onboarding privacy pass — 1 hour, 1 day, 1 week
• Incident preparedness runway — 1 hour, 1 day, 1 week
• Common questions (quick answers)

Rights intake and DSAR-style handling

Most teams already know the theory of data principal rights. The failure mode is operational fuzz: unclear intake, missing SLAs, and no proof of completion. These slices focus on executable choreography—not re-reading the statute.

Pair with: Access and correction workflows, Deletion requests, Escalation matrix, request-handling templates, employee awareness training.

If you only have one hour (rights handling)

1. Freeze the intake path. Decide the single channel (form, email alias, ticketing tag) and broadcast it to CS, HR ops, and marketing so duplicates stop multiplying.
2. Print a one-page triage script. Four bullets: request type, jurisdiction note if relevant, what you never do over chat (e.g., full dumps without checks), and escalation trigger.
3. Open three sample tickets from real-ish scenarios (access, correction, erasure) and time how long it takes to locate the owning system owner—no fixes yet, just mapping pain.
4. Log one gap you will fix this week (e.g., “no suppression flag in CRM”). Cross-link to grievance routing if complaints are mixed into rights mail.

If you only have one day

1. Run a tabletop with product, eng, and CS: one access request touching two systems, one deletion with a backup retention conflict, one correction where marketing also stores the field.
2. Define proportional identity checks for your risk profile—document the decision in your internal wiki and link out to counsel notes where edge cases live.
3. Publish internal SLAs (even provisional) and assign a DRI for breach of SLA. Tie evidence expectations to recordkeeping discipline.
4. Create a completion checklist item for “customer informed / ticket closed / log entry stored” so audits see a closed loop.

If you only have one week

1. Automate routing metadata in your ticket tool (request type, systems touched, lawful basis pointer) without over-collecting sensitive identity data in the ticket body.
2. Produce a systems map v1 for the top five rights-heavy systems; align with data mapping guidance.
3. Train frontline teams using awareness modules plus a 10-minute drill on phrasing that avoids promising timelines you cannot hit.
4. Schedule a quarterly replay referencing quarterly privacy review so rights handling does not decay after the initial push.

Retention and deletion drill

Retention work dies in spreadsheets that nobody updates. These drills aim for defensible decisions attached to owners and systems—not perfect taxonomies on day one. Ground context in retention and deletion checklist and the compliance portal for adjacent guides.

Pair with: Data mapping, internal SOPs, inventory worksheets, training for teams that trigger new collections.

If you only have one hour (retention)

1. List the top ten datasets by business heat (signup, billing, support, HR, analytics).
2. For each, answer three questions: why we keep it, shortest realistic retention if tomorrow were a clean slate, and what breaks if we delete early.
3. Flag “orphan data” where nobody can name an owner—assign temporary DRIs before engineering deletes anything.
4. Book a 45-minute legal/ops huddle only on the three highest-risk mismatches you surfaced.

If you only have one day

1. Convert the hour-one list into a retention table draft: dataset, purpose, legal/contractual holds (as counsel directs), system, deletion mechanism, validation evidence.
2. Spot-check production against the narrative: do backup policies, read replicas, or marketing exports contradict the stated period?
3. Align deletion triggers with rights handling so erasure tickets do not stall on “analytics also has a copy.”
4. Capture decisions in a versioned doc the way enterprise programs expect for diligence.

If you only have one week

1. Implement or schedule automated deletion jobs for at least two non-controversial datasets with clear acceptance tests.
2. Run a deletion rehearsal in staging: prove restores and logs behave as assumed under deletion playbook constraints.
3. Update notices where retention realities changed; cross-check notice quality rather than silently editing paragraphs.
4. Publish an internal FAQ for CS and ops on what to say when customers ask “how long do you keep X?”

Vendor onboarding privacy pass

Vendors expand blast radius faster than policy decks. This pass sequences contract, configuration, and evidence so procurement cannot mark a tool “done” while SSO scopes remain overbroad. Start from vendor and processor checklist and DPA review patterns.

Pair with: Subprocessor transparency, review sheets, training for buyers and IT, official materials when interpreting transfer or role questions.

If you only have one hour

1. Grab the last three vendor adds and verify a DPA or data processing terms file exists—not “in progress.”
2. Score access model: admin console, API tokens, exports—mark anything that allows bulk exfil without alerting.
3. Confirm subprocessors are visible or flagged as missing per your customer-facing commitments.
4. Open one ticket per vendor documenting highest-risk gap and single next owner.

If you only have one day

1. Run tiering: high-touch personal data vs operational metadata; route high tiers through security + legal jointly.
2. Validate data residency claims against actual region settings and failover architecture—console screenshots are not proof, but they start honest conversations.
3. Insert privacy review gates into onboarding templates (budget approval, SSO creation, prod data allowed or not).
4. Sync with engineering on log retention the vendor offers; logging often outlasts primary product data.

If you only have one week

1. Stand up a living vendor register linked to renewal dates, DPA versions, and last security review.
2. Automate renewals reminders that force a mini reassessment (subprocessors changed? new AI features?).
3. Publish an internal “red flags” list for procurement: vague subprocessors, unlimited liability carve-outs on security, or surprise model training language.
4. Align escalation to your escalation matrix so urgent vendor incidents do not start in casual DMs.

Incident preparedness runway

You are not building a Hollywood breach script; you are ensuring who gets paged, what gets preserved, and how customer comms stay factual. Tie exercises to complaint preparedness, penalties context, and your own security incident process.

Pair with: chapter map (Board and obligations clusters), runbook shells, role-specific training, compliance portal hub.

If you only have one hour (incidents)

1. Write the first six lines of a holding statement internal-only: what happened in neutral terms, what is confirmed vs unknown, next update time.
2. List legal, comms, security, product DRIs with backups if someone is offline.
3. Confirm where logs live that prove access paths and retention windows—many “personal data incidents” are actually logging gaps.
4. Book a 30-minute lead sync with explicit “no customer emails until this checkpoint.”

If you only have one day

1. Run a paper breach scenario involving a vendor misconfiguration and a delayed discovery window—stress-test honesty about detection lag.
2. Define evidence preservation steps that engineering can execute without destroying auditability.
3. Map regulator and data principal touchpoints at a high level; finalize wording with counsel before any external reuse.
4. Align customer success talking points with grievance pathways so angry users get consistent routing.

If you only have one week

1. Integrate privacy into the security/IR runbook so “close the ticket” cannot happen before privacy review on personal data categories.
2. Produce a post-incident learning template that asks control fixes, not only narrative.
3. Schedule a board/exec summary drill translating impact into business language without speculative fines.
4. Refresh training for on-call rotations with a five-minute “privacy pause” checklist drawn from SOP guidance.