How legal and ops teams should divide privacy work
- Use this page to settle how legal and ops divide privacy work, with a named owner and a date for each piece.
- Connect the narrative to systems: where data lives, who can export it, and what breaks on delete.
- Build evidence habits (logs, tickets) so audits do not rely on memory.
- Bookmark official sources for statutory text; stay skeptical of unattributed claims.
Privacy programs go sideways fast when legal owns everything and ops owns nothing. They also break when ops runs everything and legal only appears after a complaint, a contract dispute, or a risky product launch. The healthier model is simple: legal defines the boundaries and reviews risk; operations runs the machine.
Why this division matters under DPDP
Work under the DPDP Act (India's Digital Personal Data Protection Act) is not one task. It includes public notices, collection design, rights handling, grievance response, vendor review, retention practice, internal records, and edge-case judgment. Those are different muscles. Legal teams are usually best at interpretation and risk calls. Ops teams are usually best at process, timing, handoffs, and closure discipline.
When these roles are blurred, one of two things happens: either every routine task stalls waiting for a lawyer, or risky issues get handled by whoever happened to see the ticket first.
A practical default split
Legal owns
- Interpreting obligations and exceptions
- Approving position statements and escalation rules
- Reviewing high-risk complaints, incidents, and novel product issues
- Supporting contract and enterprise diligence commitments
- Defining when outside counsel is needed
Ops owns
- Request intake, routing, and tracking
- SLA management and follow-up
- Maintaining SOPs, trackers, and working documentation
- Coordinating engineering, support, product, and vendor action
- Closing the loop and preserving records of action
Who should own common privacy tasks?
| Task | Primary owner | Secondary support |
|---|---|---|
| Drafting escalation rules | Legal | Ops |
| Running the rights-request queue | Ops | Legal for exceptions |
| Approving public privacy-language changes | Legal | Ops, product, marketing |
| Documenting actual workflow steps | Ops | Legal reviews fit |
| Vendor review process upkeep | Ops / procurement | Legal for contract terms and edge cases |
| Complaint triage | Ops | Legal once thresholds are met |
| Novel feature review | Product + legal | Ops for implementation readiness |
What legal should not be forced to do
- Manually chase every ticket owner for updates
- Act as the help desk for standard deletion or correction requests
- Maintain the operational record of which systems were touched
- Answer repetitive diligence questions that could be handled from a verified pack
What ops should not be forced to guess
- Whether an exemption, exception, or conflicting obligation applies
- How to answer a hard complaint that may create legal exposure
- Which contract promise the company can safely make
- How to interpret a new product use case with unclear privacy consequences
The handoff that matters most
The most valuable privacy handoff is not from legal to ops once a year in a training deck. It is the ongoing translation of principle into playbook. Legal should define what the rule means, what counts as an exception, and what must be preserved for defensibility. Ops should turn that into a queue, an SOP, a checklist, a ticket state, and a recurring review.
A lean-team model when you do not have both functions fully staffed
Small companies may not have dedicated privacy counsel or a formal operations team. In that case, do not pretend the split does not exist. Assign the roles anyway. One person can wear the legal-adjacent hat and another can wear the process-owner hat, but the work still needs separate modes: interpretation and execution.
Useful artifacts for the legal-ops boundary
- Escalation matrix. Clear rules for when ops can proceed and when legal must review.
- Approved standard responses. Reduce reinvention for routine user and customer questions.
- SOP library. Ops-run, legal-reviewed, versioned, and linked to system owners.
- Issue log. Track repeat edge cases that may require a policy update or formal legal position.
- Diligence pack. One verified source for enterprise customer privacy answers.
Official and higher-authority references
The law sets the duties. The company still needs an operating model that matches its actual systems, contracts, and team shape.
Informational only, not legal advice.