Why You Need a DPDP Compliance Checklist
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy law. With a compliance deadline of May 13, 2027, every organisation that processes personal data of Indian citizens — whether they're based in India or abroad — must comply.
The penalties are severe: up to Rs 250 crore per violation, with no materiality threshold. Even a single-record breach must be reported. Yet according to EY's 2025 survey, 83% of Indian companies haven't started their compliance journey.
This checklist breaks down every obligation into actionable items across six categories. Use it to audit your current state, identify gaps, and prioritise your compliance roadmap.
1. Consent Management (Items 1–7)
Consent is the cornerstone of the DPDP Act. Unlike the IT Act's vague "consent" requirements, the DPDP Act demands granular, informed, purpose-specific consent with easy withdrawal.
Checklist Items
- Item 1: Collect standalone consent before processing any personal data — not buried in Terms & Conditions
- Item 2: Consent must be free, specific, informed, unconditional, and unambiguous
- Item 3: Each processing purpose has a separate consent request (no bundling)
- Item 4: Consent withdrawal is as easy as giving consent (one-click)
- Item 5: Maintain a timestamped audit trail of every consent given and withdrawn
- Item 6: Re-obtain consent if the processing purpose changes
- Item 7: Consent records are stored for the lifetime of processing + 3 years
Common Gaps
Most companies fail on items 3 and 4. Bundled consent ("by signing up you agree to everything") is explicitly non-compliant. And requiring users to email support@ to withdraw consent violates the "as easy as giving" requirement.
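A minimal consent ledger that enforces items 3 to 7, added here as an example (it is not code from the article or from the DPDP Comply product): each call records consent or withdrawal for exactly one purpose, every event is timestamped in an append-only trail, changing a purpose's wording invalidates earlier consent, and retention runs to three years after withdrawal. The class and method names and the 365-day year are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION_AFTER_PROCESSING = timedelta(days=3 * 365)  # item 7: lifetime of processing + 3 years (365-day years assumed)

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    purpose_version: int  # version of the purpose text the principal actually saw
    action: str           # "given" or "withdrawn"
    at: datetime          # item 5: every event carries a timestamp

@dataclass
class ConsentLedger:
    purposes: dict = field(default_factory=dict)  # purpose -> (version, description)
    events: list = field(default_factory=list)    # append-only audit trail (item 5)

    def define_purpose(self, purpose: str, description: str) -> int:
        # Item 6: a changed description is a new version; consent given for the old one no longer counts
        version, old = self.purposes.get(purpose, (0, None))
        if old != description:
            version += 1
            self.purposes[purpose] = (version, description)
        return version

    def _record(self, principal_id: str, purpose: str, action: str, at: datetime) -> None:
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name one declared purpose")
        self.events.append(ConsentEvent(principal_id, purpose, self.purposes[purpose][0], action, at))

    def give(self, principal_id: str, purpose: str, at: datetime) -> None:
        self._record(principal_id, purpose, "given", at)  # item 3: one purpose per call, no bundling

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        self._record(principal_id, purpose, "withdrawn", at)  # item 4: one call, as easy as give()

    def _latest(self, principal_id: str, purpose: str):
        hits = [e for e in self.events if e.principal_id == principal_id and e.purpose == purpose]
        return hits[-1] if hits else None

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        e = self._latest(principal_id, purpose)  # newest event decides; it must be a 'given' for the current version
        return bool(e and e.action == "given" and e.at <= at
                    and e.purpose_version == self.purposes[purpose][0])

    def retain_until(self, principal_id: str, purpose: str):  # item 7: None while active, else withdrawal + 3 years
        e = self._latest(principal_id, purpose)
        return e.at + RETENTION_AFTER_PROCESSING if e and e.action == "withdrawn" else None
```

Withdrawing one purpose leaves the others untouched, and a redefined purpose fails `may_process` until the principal consents again.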
How DPDP Comply helps: Our embeddable consent widget handles purpose-specific collection with one-click withdrawal, full audit trail, and automatic re-consent flows.
2. Privacy Notices (Items 8–12)
The DPDP Act requires a standalone privacy notice — separate from your privacy policy — that must be shown at or before the point of data collection.
Checklist Items
- Item 8: Standalone privacy notice exists (not just a privacy policy page)
- Item 9: Notice specifies every type of personal data collected
- Item 10: Notice lists each processing purpose and its legal basis
- Item 11: Notice is available in English + at least one scheduled Indian language
- Item 12: Notice is shown at or before the point of data collection (not discoverable only via footer link)
The Language Requirement
Section 5(1) of the DPDP Act requires notices in English and every language specified in the Eighth Schedule of the Constitution — that's 22 languages. In practice, providing notices in Hindi and the regional language(s) of your primary user base is the minimum expectation.
How DPDP Comply helps: Our AI notice generator creates legally-compliant notices in 9 Indian languages with one click, including PDF export for offline distribution.
3. Data Principal Rights (Items 13–18)
Data Principals (individuals whose data you process) have specific rights under the DPDP Act. You must have systems to fulfil these within prescribed timeframes.
Checklist Items
- Item 13: Self-service portal for data access requests (what data do you hold on me?)
- Item 14: Process for data correction requests (fix inaccurate data)
- Item 15: Process for data erasure requests (delete my data)
- Item 16: Grievance redressal mechanism with named officer
- Item 17: All requests fulfilled within 7 days of receipt
- Item 18: Nomination facility for deceased persons' data (allow nominees to exercise rights)
The 7-Day SLA
The 7-day response window is tight. Companies handling millions of records across dozens of systems cannot do this manually. You need automated data discovery and response workflows.
How DPDP Comply helps: Our data request portal automates the entire lifecycle — from self-service submission to verification, fulfilment, and audit trail — with built-in 7-day SLA tracking and escalation alerts.
4. Breach Management (Items 19–23)
The DPDP Act has the most aggressive breach notification requirements of any major privacy law — even stricter than GDPR's 72-hour window.
Checklist Items
- Item 19: Documented incident response plan exists and has been tested
- Item 20: Can notify CERT-In within 6 hours of discovering a breach
- Item 21: Can notify the Data Protection Board within 72 hours
- Item 22: Can notify affected individuals without unreasonable delay
- Item 23: Breach records maintained with root cause analysis and remediation steps
The Dual-Clock Challenge
Six hours to notify CERT-In is extraordinarily fast. For context, GDPR gives 72 hours, and most US state laws give 30-60 days. In a crisis, your team will be scrambling to contain the breach — not filling out forms.
Pre-built report templates, auto-populated from your incident data, are essential.
How DPDP Comply helps: Our breach management module tracks both clocks simultaneously, auto-generates CERT-In reports in the prescribed format, and sends escalation alerts as deadlines approach.
5. Security Safeguards (Items 24–27)
Section 8 of the DPDP Act requires "reasonable security safeguards" to prevent breaches. While the Act doesn't prescribe specific technical measures, the Data Protection Board will evaluate your safeguards when determining penalties.
Checklist Items
- Item 24: Encryption at rest (AES-256) and in transit (TLS 1.2+) for all personal data
- Item 25: Role-based access controls with multi-factor authentication
- Item 26: Regular security audits and vulnerability assessments
- Item 27: Access logging and monitoring for systems containing personal data
What 'Reasonable' Means
The Board will assess the volume and sensitivity of data, the state of the art in security, and the cost of implementation. For most companies, this means:
- Minimum: HTTPS everywhere, encrypted databases, RBAC, MFA for admin access
- Expected: Annual penetration testing, SIEM/log monitoring, incident response drills
- Best practice: ISO 27001 certification, SOC 2 Type II, bug bounty programme
6. Special Obligations (Items 28–30)
These apply to specific scenarios — children's data, cross-border transfers, and significant data fiduciaries.
Checklist Items
- Item 28: If processing data of individuals under 18: verifiable parental consent obtained, no tracking/behavioural monitoring, no targeted advertising
- Item 29: Cross-border data transfers only to countries not restricted by the Central Government (negative list approach)
- Item 30: If designated as a Significant Data Fiduciary (SDF): appoint a DPO, conduct periodic Data Protection Impact Assessments, annual audits by independent auditor
Children's Data — The Hidden Risk
India defines "children" as anyone under 18 — not 13 (like COPPA) or 16 (like GDPR). If your platform has any users under 18 — students, gaming users, social media users — you're subject to the strictest provisions.
The penalty for children's data violations is Rs 200 crore, and it's cumulative with other penalties. A breach involving children's data could trigger Rs 650 crore in combined exposure.
What to Do Next
Step 1: Take our free DPDP readiness assessment — it scores your organisation across all six categories in 3 minutes.
Step 2: Identify your top 3 gaps from this checklist and assign owners.
Step 3: Start with consent management — it touches every user interaction and is the most visible compliance requirement.
Step 4: Set up automated workflows for data requests and breach management — these have hard deadlines (7 days and 6 hours respectively) that you cannot handle manually at scale.
The DPDP Act deadline is May 13, 2027. There is no grace period, no phased implementation, and no materiality threshold for penalties. Start today.
Check your DPDP readiness in 3 minutes
12 questions, instant score, detailed category breakdown.