Interactive Puzzle · Privacy Governance

Privacy Governance Sudoku

Fill the 4×4 grid so every row, column, and 2×2 box contains exactly one Policy, Control, Role, and Activity. A puzzle that stress-tests your GRC mental model.

5 min · 4×4 grid · 8 cells to fill
Prepared by CreativeCyber · Privacy Intelligence Series

Why GRC Practitioners Think in Four Dimensions

Every privacy governance framework — DPDP Act 2023, ISO 27701, NIST Privacy Framework — organises its requirements around four fundamental GRC elements. Master these four and you can map any regulatory requirement to an actionable obligation without a consultant.

The four elements appear in every privacy governance architecture. When an RBI examiner asks "how do you ensure third-party data processors comply with your DPDP obligations?", a well-structured answer covers all four. A missing element is a finding.

The Four Elements

P · Policy
The written commitment: what the organisation will and won't do with personal data. Includes Privacy Policy, DPDP Consent Notice, Data Retention Policy, Vendor DPA template.

C · Control
The technical or administrative safeguard that enforces the policy. Includes encryption, access controls, consent management system, breach detection tooling, audit logging.

R · Role
The human or organisational accountability: who owns the obligation. Includes DPO, Grievance Officer, Data Steward, System Owner, CISO, Board Privacy Committee.

A · Activity
The operational process that implements the control. Includes DPIA reviews, annual consent audits, vendor risk assessments, data principal rights intake workflows, breach notification drills.

The Sudoku Rule

In a well-governed privacy programme, every governance domain must be covered by all four elements — no domain can rely on just a policy without controls, roles without activities, or controls without accountability. That constraint is identical to the sudoku rule: no repetition, full coverage in every dimension.

  • Every row must contain one P, one C, one R, and one A
  • Every column must contain one P, one C, one R, and one A
  • Every 2×2 box (top-left, top-right, bottom-left, bottom-right) must contain one P, one C, one R, and one A
  • Grey cells are pre-filled — they are the regulatory mandates you cannot change
  • Click any empty cell → select an element → solve the grid
P R A C A C R P
Apply this framework to real risk quantification

RiskSage maps Policy, Control, Role, and Activity gaps to quantified cyber risk — using FAIR methodology calibrated for Indian BFSI regulatory frameworks including SEBI CSCRF and RBI DPSC.
