How to Use This Checklist

A complete DPDP Act compliance checklist: 42 items, 8 categories

This checklist covers every core obligation under the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. Work through each section with your legal, IT, and operations teams. Items are saved automatically in your browser — you can return to continue where you left off.

Who should own each section
Legal / Compliance
Sections 1, 3, 4, 7, 8
IT / Security
Sections 5, 6
Product / Engineering
Sections 2, 4
Procurement
Section 7
Your progress
0 / 42 complete
01 Data Mapping & Inventory 5 items
Map all personal data your organisation collects, stores, and processesInclude data from customers, employees, prospects, and website visitors. Identify the source of each data type and where it is stored.
Document the purpose for each category of personal data collectedThe DPDP Act requires lawful purpose limitation. Each processing activity must have a documented, specific purpose — generic entries like "business use" are insufficient.
Identify all Data Processors (third-party vendors) handling personal data on your behalfInclude cloud providers, payroll processors, CRM vendors, marketing platforms, analytics tools, and any other third party that accesses personal data.
Map any cross-border data transfersIdentify which personal data flows outside India, to which countries, and through which vendors. The DPDP Act allows the government to restrict transfers to specific countries.
Classify personal data by sensitivity levelDistinguish standard personal data from sensitive categories (financial data, health data, children's data). Higher-sensitivity data requires stronger controls under the Act.
02 Consent Framework 5 items
Audit all data collection touchpoints for consent complianceReview your website, mobile app, registration forms, checkout flows, email sign-ups, and any other point where personal data is collected from individuals.
Ensure consent is obtained separately for each distinct purposeA single bundled consent for "all uses" does not comply. Consent for marketing must be separate from consent for service delivery, which must be separate from consent for analytics.
Implement a consent withdrawal mechanism as easy as giving consentIf consent was given with one click, it must be withdrawable with one click. Hidden unsubscribe flows or multi-step withdrawal processes do not comply with Section 6(4).
Store consent records with timestamp, version of notice, and specific purposeYou must be able to demonstrate that consent was obtained, when it was obtained, which version of your privacy notice was shown, and what specifically was consented to.
Obtain verifiable parental consent before processing data of individuals under 18Section 9 requires verifiable parental consent for children's data. The DPDP Rules specify the verification mechanism. This applies to any product or service that minors may use.
03 Privacy Notice 5 items
Draft a clear, plain-language privacy notice in English (and in vernacular languages if your users require it)Section 5 requires the notice to be in clear, plain language. Legalese-heavy notices that obscure what is actually happening with personal data do not comply.
Ensure the notice is provided before or at the time of data collection — not buried in termsThe notice must be presented at the point of collection, not linked from the footer or buried three clicks deep. It must be visible and accessible before the individual provides data.
Notice must include: what data is collected, why, how it will be used, and how rights can be exercisedAll four elements are mandatory. A notice that explains what is collected but not how to exercise rights, or why it is collected but not how it will be used, is incomplete.
Include contact details of the Data Fiduciary and your grievance officerIndividuals must have a named point of contact to raise concerns. The grievance officer's name and contact details must be published and must respond within the prescribed timeline.
Make the notice accessible at every collection touchpoint — not just the website footerIf you collect data via an app, a CRM form, a sales call recording, or a customer support chat, the privacy notice must be accessible at each of those points.
04 Data Principal Rights 5 items
Implement an access request process — users can request a copy of their personal dataSection 11 gives every Data Principal the right to request a summary of their personal data and the processing activities carried out. You must fulfil this request within the prescribed timeline.
Implement a correction and completion request processSection 12 gives individuals the right to correct inaccurate personal data. You must have a mechanism to receive such requests, verify them, and make corrections within the prescribed timeframe.
Implement a data erasure / right to be forgotten processWhen a Data Principal withdraws consent or when processing is no longer necessary, they can request erasure. You must have a deletion workflow that also notifies your Data Processors to delete the data.
Implement a nomination process for deceased or incapacitated individualsSection 14 allows Data Principals to nominate another person to exercise their rights in case of death or incapacity. You need a mechanism to register, verify, and honour such nominations.
Set up a grievance redressal mechanism with a published response timelineSection 13 requires a published grievance redressal mechanism. The Grievance Officer must respond to complaints within the prescribed period (expected to be 30 days under the Rules).
05 Security Safeguards (Section 8(5)) 6 items
Implement role-based access controls — least privilege, need-to-knowOnly personnel who need access to personal data to do their jobs should have it. Access should be revoked immediately upon role change or departure. Privileged access should be logged and reviewed.
Encrypt personal data at rest and in transitPersonal data stored in databases, files, or backups must be encrypted. Personal data transmitted between systems, over the internet, or to third parties must use TLS/HTTPS at minimum.
Implement Data Loss Prevention (DLP) controlsDLP tools monitor and prevent unauthorised transfers of personal data via email, USB, cloud uploads, or other channels. This is a specific technical safeguard cited in Section 8(5) compliance guidance.
Set up breach detection, monitoring, and alertingYou cannot notify a breach you did not detect. Implement logging, anomaly detection, and alerting so that any unauthorised access to personal data is flagged immediately — not discovered weeks later.
Conduct regular security assessments and penetration testsSection 8(5) requires reasonable security practices. Regular external security assessments are evidence of those practices. Assessments should cover systems, applications, and processes that handle personal data.
Verify that your Data Processors have adequate security measures in placeYou remain responsible for personal data even when it is processed by a third party. Review your vendors' security certifications, conduct due diligence, and include security obligations in all contracts.
06 Breach Notification Readiness 6 items
Establish a documented incident response procedure for personal data breachesYour incident response plan must specifically address personal data breaches — not just general IT incidents. It must include clear steps from detection through containment, assessment, and notification.
Identify and document the team responsible for breach response and notificationName the individuals responsible for assessing severity, making notification decisions, drafting communications, and liaising with the Data Protection Board. Every team member must know their role.
Prepare a notification template for the Data Protection Board of IndiaThe DPDP Rules prescribe the format for breach notifications to the Board. Prepare and pre-approve a template so it can be sent within 72 hours — not drafted from scratch during an incident.
Prepare a notification template for affected Data PrincipalsAffected individuals must also be notified "in the prescribed manner." Pre-approved language and delivery method (email, SMS, in-app) reduces delays during an already-stressful incident.
Set an internal target of 72 hours from detection to notificationThe DPDP Rules are expected to require notification to the Data Protection Board within 72 hours of becoming aware of a breach — matching the GDPR standard. Treat this as your internal SLA.
Maintain a breach registerLog every breach — even those below the notification threshold — with date, nature, scope, assessment, and outcome. This demonstrates accountability to the Data Protection Board if ever audited.
07 Data Processing Agreements 5 items
Review all existing contracts with third-party Data Processors for DPDP compliance clausesExisting vendor contracts — cloud providers, HR tools, analytics platforms, marketing tools — likely predate the DPDP Act and will need amendments to include data protection obligations.
Ensure contracts specify that processors may only process data as per your instructionsSection 8(2) makes you responsible for ensuring your Data Processors only process personal data as instructed. Contracts must explicitly restrict processors from using your data for their own purposes.
Include data protection obligations in all new vendor contracts before signingBuild DPDP compliance clauses into your standard vendor contract template. Any new vendor who will handle personal data must agree to these obligations before you share data with them.
Verify that your processors will notify you of any breach without delayYour processors must contractually commit to notifying you immediately upon discovering a breach involving your data — giving you the time you need to meet your own notification obligations.
Include data deletion / return obligations at end of contractWhen a vendor relationship ends, contracts must specify that the processor deletes or returns all personal data. Include a verification mechanism — a signed confirmation of deletion.
08 Records & Documentation 5 items
Maintain a Record of Processing Activities (RoPA)Document every processing activity: what data is processed, for what purpose, on what legal basis, who has access, how long it is retained, and whether it is shared with third parties. This is your primary accountability document.
Document the legal basis for each processing activityUnder the DPDP Act the primary basis is consent, but other bases exist (contractual necessity, legitimate uses notified by the government). Each processing activity must cite its legal basis.
Maintain accessible records of all consents obtainedConsent records must be producible on demand — from the Data Protection Board, from a Data Principal exercising their access right, or from your internal audit team. Archive them for the duration of the relationship plus any legally required retention period.
Implement a data retention policy and delete data when no longer neededThe DPDP Act prohibits retaining personal data beyond the purpose for which it was collected. Define and enforce retention periods for each data category, and automate deletion where possible.
Review and update all privacy documentation at least annuallyPrivacy notices, consent forms, the RoPA, and vendor contracts must reflect current practices. Annual review catches any drift between documented processes and actual operations — a common audit finding.
Significant Data Fiduciary — Additional Requirements

These 5 additional items apply only to organisations designated as Significant Data Fiduciaries (SDF) by the Central Government — based on volume of data, sensitivity, or national security relevance. If you have not been notified of designation, monitor for announcements expected in 2026.

SDF Significant Data Fiduciary Obligations 5 items
Appoint a Data Protection Officer (DPO) based in IndiaThe DPO must be a senior employee or equivalent responsible for ensuring compliance with the DPDP Act. Their name and contact details must be published on your website and provided to the Data Protection Board.
Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activitiesA DPIA systematically assesses the privacy risks of a processing activity before it begins. SDFs must conduct DPIAs and, in some cases, consult with the Data Protection Board before proceeding with high-risk processing.
Appoint an independent data auditor for periodic compliance auditsSDFs must have their data processing operations periodically audited by an independent auditor. Audit findings must be addressed and records maintained for the Data Protection Board's review.
Maintain algorithmic accountability records for automated decision-makingIf your organisation uses algorithms or AI systems that process personal data to make decisions affecting individuals, you must maintain records of how these systems work and how bias and accuracy are assessed.
Comply with any data localisation requirements notified for your sectorThe government may restrict cross-border data transfers for specific categories of data. SDFs in regulated sectors (finance, health, telecom) should monitor for sector-specific localisation mandates.
Frequently Asked Questions

DPDP compliance checklist — common questions

A DPDP Act compliance checklist is a structured list of actions an organisation must complete to comply with India's Digital Personal Data Protection Act 2023. A complete checklist covers 8 key areas: data mapping, consent framework, privacy notice, data principal rights, security safeguards, breach notification readiness, data processing agreements, and records and documentation — totalling approximately 42 action items for most organisations.
Download the PDF version of the DPDP compliance checklist free from nxgsecure.com/nxgsecure-resource?r=dpdp → — enter your name and work email and the PDF is sent to your inbox immediately. The PDF version includes a gap assessment worksheet and a 90-day roadmap that the interactive version here does not.
DPDP compliance typically takes 4–9 months for SMEs starting from scratch, and 9–18 months for large enterprises with complex data ecosystems. The longest phases are data mapping (underestimated by most organisations) and implementing consent mechanisms across all products and touchpoints. Given the May 2027 deadline, organisations starting in mid-2025 still have comfortable runway — but should not delay further.
The 42 core items apply to all organisations that process digital personal data in India — from startups to large enterprises. The 5 Significant Data Fiduciary items are additional and apply only to organisations formally designated as SDFs by the Central Government. Some items may have limited scope for certain organisations — for example, the cross-border data transfer mapping is relevant only if your vendors store data outside India.
The DPDP Act does not have a blanket fine for "not completing the checklist" — penalties are assessed per violation. The highest penalty is ₹250 crore for failure to implement adequate security safeguards that results in a personal data breach. Failure to notify the Data Protection Board of a breach carries up to ₹200 crore. Failure to fulfil data principal rights requests can also attract penalties. See the full penalty table on our DPDP Act page →
The DPDP Act is conceptually similar to the GDPR but differs in several important ways: (1) It currently relies primarily on consent as the legal basis for processing, rather than GDPR's six bases; (2) It applies only to digital personal data — paper records are not in scope; (3) Significant Data Fiduciary designations are made by the government rather than self-assessed; (4) The Data Protection Board of India is the sole enforcement authority; (5) Penalties are lower than GDPR's €20 million / 4% of global turnover. Organisations already GDPR-compliant will find the DPDP Act familiar but should not assume full equivalence.

Don't guess where you stand on DPDP compliance — get it assessed

Free 45-minute session. Written gap report covering all 42 checklist items. Yours to keep whether you work with us or not.

Book Free DPDP Gap Assessment →