DPDP Compliance Checklist
12-Step Guide for Indian Corporates
The Digital Personal Data Protection Act 2023 applies to every company that processes digital personal data in India — from listed multinationals to two-person startups. Compliance is not optional, and penalties reach Rs.250 crore for security failures alone. Yet most Indian companies have not begun systematic compliance preparation.
This checklist provides 12 concrete, sequenced steps to achieve DPDP compliance. Each step includes what to do, why it matters, and how to document your work for the Data Protection Board. By Advocate Subodh Bajpai, Senior Partner at Unified Chambers and Associates.
12-Step DPDP Compliance Checklist
Appoint a DPDP Compliance Lead
Designate a senior executive as the DPDP compliance lead. For Significant Data Fiduciaries (SDFs), this must be a formally appointed Data Protection Officer based in India. For other companies, a Chief Privacy Officer, General Counsel, or CISO can anchor the compliance programme. The lead must have direct access to the board of directors and authority to allocate budget for compliance measures. Without executive sponsorship, compliance programmes fail — data protection is not merely an IT function.
Conduct a Comprehensive Data Mapping Exercise
Map every category of personal data your organisation collects, processes, and stores. For each data category, document: the source (collected directly from the individual, from a third party, or generated internally); the legal basis for processing (consent or legitimate use under Section 4); the purpose of processing; who has access (internal roles, external vendors); where the data is stored (on-premises, cloud, country); the retention period; and whether the data is transferred cross-border. This data map is the foundation of all subsequent compliance steps. Use a structured framework — a spreadsheet is insufficient for large enterprises. Consider deploying a data discovery tool for automated scanning of databases and file systems.
Implement Consent Management Infrastructure
The DPDP Act requires that consent be free, specific, informed, unconditional, and unambiguous (Section 6). Deploy a consent management platform (CMP) that: presents consent requests in clear, plain language; captures granular consent per purpose (not bundled consent); records timestamps and the specific version of the notice the individual consented to; allows withdrawal of consent as easily as it was given (Section 6(6)); and propagates consent withdrawal to all downstream systems and third-party processors. Pre-ticked consent boxes, consent buried in terms of service, and consent obtained through dark patterns are invalid under the Act.
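The record-keeping and withdrawal-propagation requirements above translate into a small data model. The following is an added example (not the article's code and not any vendor's CMP): a consent ledger that stores one record per purpose, keeps the notice version and timestamp, refuses grants that lack an affirmative act, and pushes withdrawals to registered downstream processors. Purpose names, notice versions and principal ids are constructed, and propagation is modelled as callbacks where a real deployment would call processor APIs.

```python
"""Consent ledger for the Section 6 requirements described above.

Added example, not the article's or any vendor CMP's code. Purpose names,
notice versions and principal ids are constructed. Downstream propagation is
modelled as callbacks; a real deployment would call processor APIs instead.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str              # exactly one purpose per record, never a bundle
    notice_version: str       # the notice text the principal actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, purposes: Set[str]) -> None:
        self.purposes = purposes                     # catalogue of specific purposes
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}
        self._processors: List[Callable[[str, str], None]] = []
        self.audit: List[str] = []                   # timestamped evidence trail

    def register_processor(self, notify: Callable[[str, str], None]) -> None:
        """Downstream system or third-party processor to inform on withdrawal."""
        self._processors.append(notify)

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              affirmative_action: bool, now: Optional[datetime] = None) -> ConsentRecord:
        # Pre-ticked boxes give no affirmative act, so they never reach the ledger
        if not affirmative_action:
            raise ValueError("consent needs an explicit affirmative action")
        # One call grants one catalogued purpose; bundling is structurally impossible
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose {purpose!r}")
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(principal_id, purpose, notice_version, now)
        self._records.setdefault(principal_id, {})[purpose] = rec
        self.audit.append(f"{now.isoformat()} GRANT {principal_id} {purpose} notice={notice_version}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None or not rec.active:
            return False
        now = now or datetime.now(timezone.utc)
        rec.withdrawn_at = now
        self.audit.append(f"{now.isoformat()} WITHDRAW {principal_id} {purpose}")
        # Section 6(6): withdrawal must reach every downstream system, not just the CMP
        for notify in self._processors:
            notify(principal_id, purpose)
        return True

    def may_process(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get(principal_id, {}).get(purpose)
        return rec is not None and rec.active


def demo() -> dict:
    ledger = ConsentLedger({"order_fulfilment", "marketing_email"})
    notified = []                                   # what downstream processors received
    ledger.register_processor(lambda pid, purpose: notified.append((pid, purpose)))
    ledger.grant("P-001", "marketing_email", "notice-v3", affirmative_action=True)
    ledger.grant("P-001", "order_fulfilment", "notice-v3", affirmative_action=True)
    before = ledger.may_process("P-001", "marketing_email")
    ledger.withdraw("P-001", "marketing_email")
    return {
        "marketing_before": before,
        "marketing_after": ledger.may_process("P-001", "marketing_email"),
        "fulfilment_unaffected": ledger.may_process("P-001", "order_fulfilment"),
        "notified": notified,
        "audit_entries": len(ledger.audit),
    }


def pre_ticked_rejected() -> bool:
    """A grant without an affirmative act must be refused, not silently stored."""
    ledger = ConsentLedger({"marketing_email"})
    try:
        ledger.grant("P-002", "marketing_email", "notice-v3", affirmative_action=False)
    except ValueError:
        return True
    return False
```

Two design points matter for evidence later: the audit list records the notice version at the moment of grant, so a later notice rewrite cannot be mistaken for what the principal agreed to, and the processor callbacks run inside `withdraw`, so the ledger cannot show a withdrawal that was never propagated.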
Rewrite Privacy Notices to DPDP Standards
Section 5 requires Data Fiduciaries to provide a clear, detailed notice to every Data Principal at the time of collecting their data. The notice must state: the personal data being collected, the purpose of processing, the manner in which the Data Principal can exercise their rights (access, correction, erasure, grievance), and how to lodge a complaint with the Data Protection Board. The notice must be in English or any language in the Eighth Schedule of the Constitution. Review and rewrite all existing privacy policies, cookie notices, app permissions, and in-app disclosures to meet these requirements. Do not copy-paste GDPR privacy policies — DPDP has distinct requirements.
Establish Data Principal Rights Fulfilment Workflow
Data Principals have enforceable rights under DPDP: the right to access a summary of their personal data and processing activities (Section 11); the right to correction and erasure (Section 12); the right to nominate a person to exercise rights in case of death or incapacity (Section 14); and the right to grievance redressal (Section 13). Build internal workflows to receive, verify identity, process, and respond to these requests within the timeline that will be prescribed in the rules. Log every request and response. Failure to respond is a breach of the Act and can trigger penalty proceedings.
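The receive-verify-process-respond workflow above, with per-request logging and deadline tracking, as an added example that is not the article's code. The response window is an assumption (the article notes the rules will prescribe it), so it is a parameter; request ids, timestamps and principal ids are constructed. The one rule the code enforces hard is that no response is released before identity verification, since answering an access or erasure request for an unverified requester would itself be a disclosure or destruction of someone else's data.

```python
"""Rights-request workflow for Sections 11-14, as an added example.

Not the article's code. The response window is an assumption (the rules
had not prescribed it when the article was written), so it is a parameter.
Sample requests, ids and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List


class Stage(Enum):
    RECEIVED = "received"
    VERIFIED = "identity_verified"
    RESPONDED = "responded"


# Rights the article lists, with the section that grants each one
RIGHTS = {
    "access": "Section 11",
    "correction": "Section 12",
    "erasure": "Section 12",
    "grievance": "Section 13",
    "nomination": "Section 14",
}


@dataclass
class RightsRequest:
    request_id: str
    principal_id: str
    right: str
    received_at: datetime
    due_at: datetime
    stage: Stage = Stage.RECEIVED
    log: List[str] = field(default_factory=list)   # every step is recorded


class RightsDesk:
    def __init__(self, response_window: timedelta) -> None:
        self.window = response_window
        self.requests: Dict[str, RightsRequest] = {}
        self._seq = 0

    def receive(self, principal_id: str, right: str, now: datetime) -> RightsRequest:
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        self._seq += 1
        req = RightsRequest(f"REQ-{self._seq:04d}", principal_id, right, now, now + self.window)
        req.log.append(f"{now.isoformat()} received {right} ({RIGHTS[right]}) due {req.due_at.date()}")
        self.requests[req.request_id] = req
        return req

    def verify_identity(self, request_id: str, verified: bool, now: datetime) -> bool:
        req = self.requests[request_id]
        req.log.append(f"{now.isoformat()} identity check {'passed' if verified else 'failed'}")
        if verified and req.stage is Stage.RECEIVED:
            req.stage = Stage.VERIFIED
        return req.stage is Stage.VERIFIED

    def respond(self, request_id: str, outcome: str, now: datetime) -> bool:
        req = self.requests[request_id]
        # Never release or alter data before identity is verified
        if req.stage is not Stage.VERIFIED:
            req.log.append(f"{now.isoformat()} response blocked: identity not verified")
            return False
        req.stage = Stage.RESPONDED
        req.log.append(f"{now.isoformat()} responded: {outcome}")
        return True

    def overdue(self, now: datetime) -> List[str]:
        """Open requests past their deadline; feed this to the compliance lead."""
        return [r.request_id for r in self.requests.values()
                if r.stage is not Stage.RESPONDED and now > r.due_at]


def demo() -> dict:
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    desk = RightsDesk(response_window=timedelta(days=30))   # assumed window, not from the rules
    access = desk.receive("P-001", "access", t0)
    erasure = desk.receive("P-002", "erasure", t0)
    blocked = desk.respond(access.request_id, "summary sent", t0 + timedelta(days=1))
    desk.verify_identity(access.request_id, True, t0 + timedelta(days=2))
    done = desk.respond(access.request_id, "summary sent", t0 + timedelta(days=3))
    desk.verify_identity(erasure.request_id, False, t0 + timedelta(days=2))
    return {
        "blocked_before_verification": blocked,
        "responded_after_verification": done,
        "overdue_at_day_31": desk.overdue(t0 + timedelta(days=31)),
        "access_log_entries": len(access.log),
    }
```

The `log` on each request is the evidence the article asks for: it shows when the request arrived, when identity was checked, and when the response went out, and a blocked attempt is logged rather than discarded, so an inquiry can see that the control operated.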
Deploy Reasonable Security Safeguards
Section 8(5) requires Data Fiduciaries to implement "reasonable security safeguards" to prevent data breaches. The Rs.250 crore penalty — the highest under the Act — targets this obligation. At minimum: encrypt personal data at rest and in transit (AES-256, TLS 1.3); implement role-based access controls with least-privilege principle; deploy multi-factor authentication for all administrative access; conduct quarterly vulnerability assessments and annual penetration testing; establish a Security Operations Centre (SOC) or engage a managed security service; and implement Data Loss Prevention (DLP) controls. Document all security measures — if a breach occurs, you must demonstrate that your safeguards were "reasonable" given the nature and volume of data processed.
Build a Breach Response and Notification Framework
Section 8(6) mandates notification to the Data Protection Board and affected Data Principals in the event of a personal data breach. Failure attracts a penalty of up to Rs.200 crore. Build a breach response framework: designate a breach response team with clear roles (legal, IT, communications, executive); define what constitutes a "personal data breach" in your organisation's context; create notification templates pre-approved by legal counsel; establish escalation protocols from detection to Board notification; and conduct tabletop exercises quarterly to stress-test the framework. The notification timeline will be prescribed in the rules — expect it to be within 72 hours of becoming aware of the breach, consistent with global standards.
Implement Children's Data Protection Protocols
Section 9 imposes heightened obligations for processing data of persons under 18. You must: obtain verifiable consent from the parent or lawful guardian before processing any child's data; not undertake tracking, behavioural monitoring, or targeted advertising directed at children; and not process children's data in any manner that is likely to cause detrimental effect on their well-being. This applies to all companies — not just EdTech or gaming. If your app, website, or platform is accessible to persons under 18, you need age verification mechanisms and parental consent flows. The Rs.200 crore penalty for children's data violations signals that the legislature considers this a high-priority obligation.
Audit and Contract Third-Party Data Processors
Most data breaches originate with third-party vendors. Under the DPDP Act, the Data Fiduciary (your company) remains responsible for the processing activities of your Data Processors (vendors, cloud providers, analytics platforms). Audit all vendor contracts. Insert or amend Data Processing Agreements (DPAs) to include: defined scope and purpose of processing; obligation to process only on your instructions; mandatory security safeguards mirroring your own standards; breach notification obligations (vendor must notify you within hours, not days); sub-processor restrictions; audit rights; and data deletion obligations on contract termination. Conduct annual vendor security assessments.
Map and Secure Cross-Border Data Transfers
Section 16 restricts transfer of personal data to countries outside India. The Central Government will notify a list of countries to which transfer is prohibited. Additionally, the Government may prescribe conditions for transfer to permitted countries. Audit your data flows: identify every instance where personal data of Indian Data Principals leaves India — cloud hosting, analytics platforms, email service providers, CRM systems, parent company servers. For each cross-border flow, document the destination country, the purpose, and the safeguards applied. Be prepared to repatriate data or find India-hosted alternatives if a country is restricted. Non-compliance with transfer restrictions falls under the catch-all penalty of up to Rs.50 crore per contravention (Schedule Sl.7).
Conduct a Data Protection Impact Assessment
While DPIAs are mandatory only for Significant Data Fiduciaries, conducting a voluntary DPIA is the single most valuable exercise a company can undertake for DPDP readiness. A DPIA evaluates: the necessity and proportionality of data processing relative to the stated purpose; the risks to Data Principals (identity theft, financial loss, discrimination, reputational harm); the safeguards in place to mitigate those risks; and the residual risk after safeguards. A well-documented DPIA demonstrates reasonable care and serves as a defence document if the Data Protection Board conducts an inquiry. For processing activities involving sensitive data at scale, AI/ML profiling, or systematic monitoring, a DPIA is essential regardless of whether you are designated as an SDF.
Establish Ongoing Compliance Governance
DPDP compliance is not a one-time project — it is a continuous governance obligation. Establish: a quarterly privacy steering committee with representation from legal, IT, product, and business; annual privacy audits (internal or by external counsel); mandatory data protection training for all employees who handle personal data; update privacy notices whenever processing purposes change; review and refresh consent records when processing activities expand; monitor Central Government notifications for rule changes, SDF designations, and country restrictions; and retain compliance records for the period prescribed in the rules. Budget for ongoing compliance as a recurring operational expense, not a capital project.
Realistic Implementation Timeline
DPDP compliance is not a weekend project. For a mid-size enterprise (500+ employees, multiple data systems, third-party vendors), expect 6-12 months for full implementation. The timeline depends on the maturity of existing data governance: companies with ISO 27001 certification or existing GDPR compliance will move faster; companies with no prior privacy framework will need the full duration.
Assessment Phase
Appoint compliance lead. Complete data mapping. Conduct gap analysis against DPDP requirements. Prioritise remediation.
Implementation Phase
Deploy consent management. Rewrite privacy notices. Build rights fulfilment workflows. Upgrade security safeguards. Draft breach response plan.
Vendor and Transfer Phase
Audit third-party contracts. Execute DPAs. Map cross-border transfers. Implement children's data protocols.
Governance Phase
Conduct DPIA. Establish governance committee. Train all employees. Run breach simulation. Document compliance evidence.
Companies that have not started compliance preparation as of 2025 should engage specialised legal counsel immediately. The transition period after the rules are finalised will be insufficient for companies starting from zero. A structured compliance programme — led by experienced counsel, supported by technology, and sponsored by the board — is the only reliable path to readiness.
DPDP Compliance — Questions Answered
When do Indian companies need to be DPDP compliant?
Does the DPDP Act apply to small businesses and startups?
What is a Data Protection Impact Assessment (DPIA) under DPDP?
Can we use existing GDPR compliance for DPDP?
Is a Data Protection Officer mandatory under the DPDP Act?
What records must a company maintain for DPDP compliance?
Need Help With DPDP Compliance?
Unified Chambers advises Indian corporates on end-to-end DPDP compliance — from data mapping and consent architecture to breach response frameworks and Board proceedings. Advocate Subodh Bajpai is available directly.