checkDPDP

Guide

Secure your website in 7 days — a day-by-day DPDP sprint plan

If you have one week, here is the exact order of operations that takes an Indian SMB website from 'open exposure' to 'defensible' under the DPDP Act. One job per day, each shippable by a single owner.

19 Jun 2026 · 9 min read

DPDP-readiness is rarely blocked by money. It is blocked by sequencing — teams try to fix everything in parallel, the work compounds, and three months in the consent banner is still 'in review'. A one-week sprint, with one job per calendar day, beats a quarter-long programme that never lands.

**Day 1 (Mon) — Inventory.** Open a spreadsheet and list every single piece of personal data your site touches. Forms (contact, demo, careers, newsletter), trackers (GA, Meta pixel, Hotjar, chat widgets), backend logs (server access logs, payment gateway, CRM, mailing list, support inbox). For each row, write the source, the destination, and the purpose. This is the document a Data Protection Board enforcement officer will ask for first — and the one most teams cannot produce.

**Day 2 (Tue) — Consent banner.** Ship the checkDPDP banner builder or a comparable DPDP-aware CMP (Complianz, CookieYes, Tsaaro). Default all non-essential categories to OFF, give Accept and Reject equal weight, add a persistent 'Manage cookies' link in the footer. Verify ownership with the HTML file method. Paste the embed script before the closing body tag. Re-test on mobile.

**Day 3 (Wed) — Privacy notice rewrite.** Replace your generic privacy policy with a Section 5 itemised notice. List every purpose by name, every category of data, the retention window, and the rights mechanism. Name a Grievance Officer (for an SMB, the founder can hold the role), and put the email address and a 30-day SLA in both the notice and the site footer. Use the template in the consent-notice guide.

**Day 4 (Thu) — Withdraw flow + DSR intake.** Add a single 'Manage cookies' link that re-opens the banner with the per-category toggles. Add a /rights page with a one-form intake for access, correction, erasure, nomination and grievance requests — that one form is the practical Section 11 fulfilment. Route submissions to the Grievance Officer inbox.

**Day 5 (Fri) — Security baseline.** HTTPS on every route (Cloudflare free tier does this in 15 minutes). Add the four headers that move you from Fail to Pass on most scanners: Strict-Transport-Security, Content-Security-Policy (start with `default-src 'self'` and widen as needed), X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin. 2FA on every admin login (WordPress, cPanel, Stripe, email). Verify on securityheaders.com.
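A header check in the spirit of the Day 5 baseline, as an added example (not checkDPDP's scanner or securityheaders.com's logic): it grades a response's headers offline against the four headers listed above, using pass thresholds that are this example's own assumptions (an HSTS max-age of at least six months, a default-src that is not wide open, DENY or SAMEORIGIN, and a referrer policy that never sends the full URL cross-origin). The two sample responses are constructed, not captured from any site.

```python
import re

# Sources that make a default-src fallback effectively no restriction.
WEAK_CSP_SOURCES = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:")
# Referrer policies that never send the full URL to another origin.
SAFE_REFERRER = ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")
SIX_MONTHS = 15552000  # seconds; a shorter HSTS max-age buys little (assumed threshold)

def check_headers(headers):
    """Grade a name -> value header dict (from any HTTP client) against the Day 5
    baseline. Names match case-insensitively. Returns {header: (passed, reason)}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        out["strict-transport-security"] = (False, "missing or no max-age")
    elif int(m.group(1)) < SIX_MONTHS:
        out["strict-transport-security"] = (False, "max-age under 6 months")
    else:
        out["strict-transport-security"] = (True, "ok")
    # Only default-src is judged; per-resource directives such as
    # img-src may legitimately be wider than the fallback.
    csp = h.get("content-security-policy", "")
    default = next((d.split()[1:] for d in csp.split(";")
                    if d.strip().startswith("default-src")), None)
    if default is None:
        out["content-security-policy"] = (False, "missing or no default-src")
    elif any(s in WEAK_CSP_SOURCES for s in default):
        out["content-security-policy"] = (False, "default-src too permissive")
    else:
        out["content-security-policy"] = (True, "ok")
    xfo = h.get("x-frame-options", "").upper()
    ok = xfo in ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete; browsers ignore it
    out["x-frame-options"] = (ok, "ok" if ok else f"got {xfo!r}")
    rp = h.get("referrer-policy", "").lower()
    ok = rp in SAFE_REFERRER
    out["referrer-policy"] = (ok, "ok" if ok else f"got {rp!r}")
    return out

def passes_baseline(headers):
    """True only when all four baseline headers pass."""
    return all(passed for passed, _ in check_headers(headers).values())

# Constructed sample responses; not captured from any real site.
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Referrer-Policy": "no-referrer-when-downgrade"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
            "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Feed it the `headers` object from your HTTP client of choice after a request to your own site; `check_headers(WEAK)` fails on all four, `check_headers(HARDENED)` passes on all four.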

**Day 6 (Sat) — Breach playbook + processor DPAs.** Write the one-pager: who declares an incident, who calls the Board within 72 hours, who notifies affected users, who handles the press response. From your Day 1 inventory, email each external processor (Mailchimp, GA, CRM, payment gateway) asking for their Data Processing Addendum. File the responses in a shared folder so they are findable in an audit.

**Day 7 (Sun) — Re-scan, document, ship.** Re-run the checkDPDP scanner. Take screenshots of the Pass results. Save the inventory, the playbook, the DPAs, the scanner report into one folder titled 'DPDP Evidence Pack — <quarter>'. That folder is what your team hands to a regulator, a customer security questionnaire, or your acquirer's due-diligence team. You will not be at 100/100 — you will be in the band where Section 33(2) treats you as cooperating, which is the bar that matters.

Total spend: zero rupees on tooling for an SMB stack, plus roughly 14 hours of focused work. The week-after work is incremental — DPIA, vendor onboarding upgrades, India-residency selection — but the seven-day sprint is what closes the visible exposure that scanners and enforcement officers see first.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
