DPDP Act Compliance Checklist for Businesses (India)

Introduction

The Digital Personal Data Protection Act, 2023 requires businesses to demonstrate practical control over personal data. Compliance is not limited to having a privacy policy. A business should be able to show how personal data is collected, used, shared, secured, retained, deleted, and how Data Principal rights are handled.

This checklist sets out the key legal and operational controls that businesses should typically assess under the DPDP framework.

1. Applicability and Classification

Legal basis: Sections 2, 3, 10 and 17, DPDP Act, 2023

The first step is to identify how the organisation fits within the DPDP framework. Most businesses collecting customer, employee, vendor, or website user data will qualify as Data Fiduciaries if they decide the purpose and means of processing personal data.

The organisation should check:

  • Whether it is a Data Fiduciary under Section 2(i)
  • Whether it acts as a Data Processor under Section 2(k)
  • Whether it may qualify as a Significant Data Fiduciary under Section 10
  • Whether Section 3 applies due to processing of personal data of individuals in India
  • Whether any exemption under Section 17 is being relied upon

Section 17 exemptions should be used cautiously. They are limited in scope, and most private businesses, startups, SaaS platforms, and service providers should not assume that exemptions apply without clear legal reasoning.

2. Governance, Accountability and Internal Responsibility

Legal basis: Sections 8 and 10, DPDP Act, 2023

DPDP compliance requires clear internal ownership. A business should know who is responsible for consent management, data access, breach response, vendor oversight, retention, deletion, and grievance handling.

The organisation should ensure:

  • Clear assignment of privacy responsibility across legal, IT, security, HR, product, and business teams
  • A grievance redressal mechanism under Section 8(9)
  • A defined escalation process for privacy complaints and breach incidents
  • Senior management visibility for high-risk data processing
  • Appointment of a Data Protection Officer where required under Section 10(2)(a)

For Significant Data Fiduciaries, the framework should also include an independent data auditor, periodic compliance audits, Data Protection Impact Assessments, and corrective action tracking.

3. Data Mapping, Inventory and Processing Records

Legal basis: Section 8, DPDP Act, 2023

A business cannot comply with DPDP obligations unless it knows what personal data it holds, where it is stored, and how it moves. Data mapping supports consent management, erasure requests, breach response, vendor governance, and audit readiness.

The data inventory should cover:

  • Categories of personal data collected
  • Source of collection
  • Purpose of processing
  • Storage location
  • Access points
  • Vendors or processors involved
  • Retention period
  • Cross-border transfers, where applicable

The inventory should be updated whenever new tools, vendors, data fields, processing purposes, or integrations are introduced.

4. Consent and Privacy Notice Compliance

Legal basis: Sections 6 and 7, DPDP Act, 2023; Rule 3, DPDP Rules, 2025

Consent under Section 6 must be free, specific, informed, unconditional, and unambiguous. The privacy notice should therefore be clear, standalone, and not hidden inside general terms and conditions.

The notice should clearly state:

  • What personal data is collected
  • The specific purpose of processing
  • Rights available to Data Principals
  • Grievance contact details
  • How consent can be withdrawn

Where the user base is multilingual, the notice should generally be made available in relevant languages so that Data Principals can meaningfully understand the purpose and scope of processing.

The organisation should avoid pre-ticked boxes, bundled consent, implied consent, passive acceptance, and vague purpose wording. Withdrawal of consent under Section 6(4) should be as easy as giving consent.

Consent records should be maintained to show the date, purpose, notice version, and withdrawal history. Where the processing purpose materially changes, fresh notice and, where required, fresh consent should be obtained.
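The consent-record requirements above (date, purpose, notice version, withdrawal history, and fresh consent when a purpose materially changes) can be expressed as a small ledger. The following is an added example, not code from the checklist or from any DPDP tooling; the class names, the notice registry and the sample Data Principal identifiers are constructed for illustration. It treats a purpose as "materially changed" when its description in the current notice version differs from the one the person actually consented to, and it keeps every grant and withdrawal event so the withdrawal history is auditable.

```python
"""Illustrative consent ledger for DPDP-style consent records (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str                 # pseudonymous identifier for the Data Principal
    purpose: str                      # the specific purpose consent was given for
    notice_version: str               # version of the privacy notice shown at collection
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    events: list = field(default_factory=list)   # (event, timestamp, notice_version)


class ConsentLedger:
    """Stores one record per (Data Principal, purpose) with full event history."""

    def __init__(self, notices: dict[str, dict[str, str]], current_version: str):
        self.notices = notices                    # notice version -> {purpose: description}
        self.current_version = current_version
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record_consent(self, principal_id: str, purpose: str,
                       notice_version: str, at: datetime) -> ConsentRecord:
        # consent is only "informed" if the notice shown actually described the purpose
        if purpose not in self.notices[notice_version]:
            raise ValueError(f"purpose {purpose!r} not described in notice {notice_version}")
        key = (principal_id, purpose)
        rec = self._records.get(key)
        if rec is None:
            rec = ConsentRecord(principal_id, purpose, notice_version, at)
            self._records[key] = rec
        else:
            # re-consent: reset the live fields but keep the earlier events
            rec.notice_version, rec.given_at, rec.withdrawn_at = notice_version, at, None
        rec.events.append(("given", at, notice_version))
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> ConsentRecord:
        # withdrawal is a single call, no extra steps beyond what giving consent took
        rec = self._records[(principal_id, purpose)]
        rec.withdrawn_at = at
        rec.events.append(("withdrawn", at, rec.notice_version))
        return rec

    def consent_status(self, principal_id: str, purpose: str) -> str:
        """Return 'none', 'withdrawn', 'reconsent-required' or 'valid'."""
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            return "none"
        if rec.withdrawn_at is not None:
            return "withdrawn"
        consented_text = self.notices[rec.notice_version][purpose]
        current_text = self.notices[self.current_version].get(purpose)
        if consented_text != current_text:
            return "reconsent-required"        # purpose materially changed since consent
        return "valid"

    def history(self, principal_id: str, purpose: str) -> list:
        rec = self._records.get((principal_id, purpose))
        return list(rec.events) if rec else []


# Constructed notice registry: the marketing purpose widens between v1 and v2,
# the order-fulfilment purpose does not.
NOTICES = {
    "v1": {"order_fulfilment": "ship orders and send delivery updates",
           "marketing": "send promotional emails"},
    "v2": {"order_fulfilment": "ship orders and send delivery updates",
           "marketing": "send promotional emails and SMS, and share with partner brands"},
}


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: three Data Principals consenting under notice v1."""
    ledger = ConsentLedger(NOTICES, current_version="v2")
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)
    ledger.record_consent("dp-001", "order_fulfilment", "v1", t0)
    ledger.record_consent("dp-001", "marketing", "v1", t0)
    ledger.record_consent("dp-002", "marketing", "v1", t0)
    ledger.withdraw("dp-002", "marketing", datetime(2025, 6, 15, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for pid, purpose in [("dp-001", "order_fulfilment"), ("dp-001", "marketing"),
                         ("dp-002", "marketing"), ("dp-003", "marketing")]:
        print(pid, purpose, ledger.consent_status(pid, purpose))
```

The status check is what a downstream system (a campaign sender, an analytics pipeline) should call before each use of the data: "valid" is the only result that permits processing, and "reconsent-required" is the signal to serve the fresh notice rather than silently continue under the old consent.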

5. Data Principal Rights Compliance

Legal basis: Sections 11 to 14, DPDP Act, 2023

The DPDP Act gives individuals enforceable rights over their personal data. These rights must be supported by working processes, not only mentioned in the privacy policy.

The organisation should enable:

  • Right to access information under Section 11
  • Right to correction and erasure under Section 12
  • Right to grievance redressal under Section 13
  • Right to nominate under Section 14

For erasure requests, the organisation should consider user-centric safeguards where appropriate, such as prior notice or an opportunity to retain or export data before deletion. This should be treated as good compliance practice, not as a rigid timeline unless specifically prescribed.

For nomination, systems should allow designation of a nominee, verification of nominee identity, and activation of nominee rights upon death or incapacity of the Data Principal.

All requests and responses should be logged with the date of request, verification steps, action taken, and closure status.

6. Security Safeguards and Technical Controls

Legal basis: Section 8(5), DPDP Act, 2023; Rule 6, DPDP Rules, 2025

Section 8(5) requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. These safeguards should be proportionate to the nature, volume, and sensitivity of personal data processed.

The organisation should implement:

  • Encryption or tokenisation for data at rest and in transit
  • Role-based access control
  • Multi-factor authentication for privileged access
  • Identity and Access Management controls
  • Active monitoring for suspicious access or unusual data movement
  • Periodic vulnerability assessments, penetration testing, and security audits
  • Backup and business continuity mechanisms

Security controls should also extend to processors, vendors, cloud systems, APIs, and SaaS tools where personal data is handled.

7. Personal Data Breach Notification and Incident Response

Legal basis: Section 8(6), DPDP Act, 2023; DPDP Rules; CERT-In Directions where applicable

A personal data breach may include unauthorised access, accidental disclosure, alteration, loss, or destruction of personal data. Breach notification should be made without delay in the prescribed manner.

The organisation should maintain a breach response workflow covering:

  • Detection
  • Containment
  • Investigation
  • Reporting
  • Remediation
  • Post-incident review

Internal escalation timelines should be defined for the security team, legal/compliance team, DPO or grievance officer, senior management, and vendor teams.

The organisation should maintain incident logs, root cause analysis, affected data records, mitigation steps, user notification records, and regulatory communication records. Where applicable, incident response should also align with CERT-In reporting obligations for covered cyber incidents.

8. Data Retention, Erasure and Logging

Legal basis: Section 8(7), DPDP Act, 2023; DPDP Rules, 2025

Personal data should not be retained indefinitely. Under Section 8(7), a Data Fiduciary is required to erase personal data once the purpose of collection is fulfilled or consent is withdrawn, unless retention is necessary for compliance with law.

The organisation should define:

  • Retention periods for each category of personal data
  • Deletion triggers, such as fulfilment of purpose, withdrawal of consent, closure of account, inactivity, or expiry of legal retention requirement
  • Whether data should be deleted, anonymised, or archived
  • Responsibility for approving and executing deletion
  • Method of recording deletion or anonymisation

Retention policies should apply across primary systems, backups, logs, cloud tools, SaaS platforms, and third-party processors.

Logs should generally be retained for a reasonable and defensible period, depending on regulatory expectations, audit needs, cybersecurity requirements, and business risk. Log retention should not become a way to retain personal data indefinitely without justification.
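The deletion triggers, retention periods, delete-or-anonymise choice, approval responsibility and deletion record described in this section can be run as a periodic sweep over the data inventory. The following is an added example, not code from the checklist; the record and rule structures, the one-year inactivity threshold, the sample rows and the approver name are constructed for illustration. It honours a consent withdrawal immediately, lets other triggers run through a per-category grace period, and keeps a record under legal retention even when a trigger has fired, which is the Section 8(7) exception.

```python
"""Illustrative retention sweep implementing DPDP-style deletion triggers (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 365        # constructed threshold for the "inactivity" trigger


@dataclass
class RetentionRule:
    category: str
    grace_days: int          # days kept after a trigger fires (0 = act at once)
    action: str              # "delete" or "anonymise"


@dataclass
class DataRecord:
    record_id: str
    category: str
    purpose_fulfilled_on: Optional[date] = None
    consent_withdrawn_on: Optional[date] = None
    account_closed_on: Optional[date] = None
    last_activity_on: Optional[date] = None
    legal_retention_until: Optional[date] = None   # statutory minimum retention, if any


def fired_trigger(rec: DataRecord, today: date):
    """Earliest deletion trigger that has already fired, as (name, date), or None."""
    candidates = [
        ("purpose_fulfilled", rec.purpose_fulfilled_on),
        ("consent_withdrawn", rec.consent_withdrawn_on),
        ("account_closed", rec.account_closed_on),
    ]
    if rec.last_activity_on is not None:
        candidates.append(("inactivity", rec.last_activity_on + timedelta(days=INACTIVITY_DAYS)))
    fired = [(name, d) for name, d in candidates if d is not None and d <= today]
    return min(fired, key=lambda t: t[1]) if fired else None


def decide(rec: DataRecord, rule: RetentionRule, today: date) -> dict:
    """Decide retain / delete / anonymise for one record, with the reason recorded."""
    base = {"record_id": rec.record_id, "category": rec.category}
    trig = fired_trigger(rec, today)
    if trig is None:
        return {**base, "action": "retain", "trigger": None,
                "reason": "no deletion trigger has fired"}
    name, when = trig
    # retention required by law overrides the trigger until the hold expires
    if rec.legal_retention_until is not None and today < rec.legal_retention_until:
        return {**base, "action": "retain", "trigger": name,
                "reason": f"legal retention until {rec.legal_retention_until.isoformat()}"}
    # withdrawal of consent is honoured immediately; other triggers get the grace period
    grace = 0 if name == "consent_withdrawn" else rule.grace_days
    due_on = when + timedelta(days=grace)
    if today < due_on:
        return {**base, "action": "retain", "trigger": name,
                "reason": f"{rule.action} due on {due_on.isoformat()}"}
    return {**base, "action": rule.action, "trigger": name,
            "reason": f"{name} on {when.isoformat()}, grace {grace} days elapsed"}


def run_sweep(records, rules, today: date, approved_by: str):
    """Return (decisions for every record, deletion/anonymisation log for those actioned)."""
    decisions = [decide(r, rules[r.category], today) for r in records]
    log = [{"record_id": d["record_id"], "action": d["action"], "trigger": d["trigger"],
            "executed_on": today.isoformat(), "approved_by": approved_by, "reason": d["reason"]}
           for d in decisions if d["action"] != "retain"]
    return decisions, log


def sample_sweep():
    """Constructed inventory rows and rules, evaluated as of 2025-09-01."""
    rules = {
        "orders": RetentionRule("orders", grace_days=180, action="delete"),
        "marketing": RetentionRule("marketing", grace_days=30, action="delete"),
        "accounts": RetentionRule("accounts", grace_days=90, action="delete"),
        "analytics": RetentionRule("analytics", grace_days=0, action="anonymise"),
    }
    records = [
        DataRecord("ord-1", "orders", purpose_fulfilled_on=date(2025, 1, 10),
                   legal_retention_until=date(2026, 3, 31)),        # under legal hold
        DataRecord("mkt-2", "marketing", consent_withdrawn_on=date(2025, 8, 20)),
        DataRecord("acc-3", "accounts", account_closed_on=date(2025, 8, 1)),
        DataRecord("ana-4", "analytics", last_activity_on=date(2024, 5, 1)),
        DataRecord("ord-5", "orders", last_activity_on=date(2025, 8, 25)),
    ]
    return run_sweep(records, rules, date(2025, 9, 1), approved_by="privacy-officer (constructed)")


if __name__ == "__main__":
    decisions, log = sample_sweep()
    for d in decisions:
        print(d["record_id"], d["action"], d["trigger"], "-", d["reason"])
    print("log entries:", len(log))
```

The sweep deliberately returns a decision for every record, including the "retain" ones with their reason, because an auditor asks why data was kept at least as often as why it was deleted; the separate log captures who approved the action and which trigger justified it, which is the deletion record the checklist asks for.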

9. Third-Party Processors and Vendor Governance

Legal basis: Section 8(2), DPDP Act, 2023; Rule 6(f), DPDP Rules, 2025

A Data Fiduciary remains responsible for personal data even when processing is carried out by a vendor or Data Processor. This makes vendor governance a core part of DPDP compliance.

Before onboarding a vendor, the organisation should conduct due diligence on:

  • Security capability
  • Compliance posture
  • Breach history, where available
  • Sub-processor usage
  • Cross-border transfer exposure
  • Ability to support Data Principal rights and deletion requests

Vendor contracts should include:

  • Processing only on documented instructions
  • Data use limitations
  • Confidentiality obligations
  • Security safeguard requirements
  • Breach notification obligations
  • Data retention and deletion obligations
  • Audit or review rights
  • Restrictions on sub-processing

Vendor controls should not stop at contract signing. Organisations should periodically review high-risk vendors, especially where vendors handle large volumes of personal data, children’s data, financial data, health data, or data used for profiling or automated processing.

10. Children’s Data Protection

Legal basis: Section 9, DPDP Act, 2023

Children’s data is a high-priority compliance area under the DPDP Act. A child is generally treated as a person below 18 years of age, and processing such data requires stricter safeguards.

The organisation should ensure:

  • Age verification mechanisms are built where children may access the service
  • Verifiable parental consent is obtained before processing children’s personal data
  • Consent validation confirms that the person giving consent is a parent or lawful guardian
  • Parental consent records are maintained without collecting excessive identity data
  • Age-gating is used where appropriate

The organisation should restrict or avoid:

  • Behavioural tracking of children
  • Profiling of children
  • Targeted advertising directed at minors
  • Manipulative design practices affecting children
  • Processing likely to cause harm to children

If AI systems, recommendation engines, or automated decision-making tools interact with children’s data, the organisation should assess whether such systems may affect children’s privacy, autonomy, safety, or rights.

11. Cross-Border Data Transfers

Legal basis: Section 16, DPDP Act, 2023

Cross-border transfers should be reviewed carefully, especially where data is stored or processed through foreign cloud services, SaaS tools, support teams, or overseas group entities.

The organisation should identify:

  • Countries where personal data is stored or accessed
  • Foreign vendors or processors handling personal data
  • Cloud hosting locations
  • Remote access by overseas teams
  • Cross-border data flows through APIs or integrations

Transfers should be assessed against applicable government notifications and restrictions under Section 16. Where required, organisations should use contractual safeguards to ensure that foreign recipients maintain appropriate data protection and security standards.

The organisation should also maintain records of cross-border transfers, including the purpose of transfer, nature of data transferred, recipient entity, and safeguards applied.

12. Significant Data Fiduciary Obligations

Legal basis: Section 10, DPDP Act, 2023

Significant Data Fiduciaries are subject to enhanced compliance obligations. Even where formal designation has not yet occurred, organisations that process high volumes of personal data or use high-risk technologies should begin readiness planning.

An SDF framework should include:

  • Appointment of a Data Protection Officer
  • Appointment of an independent data auditor
  • Periodic compliance audits
  • Data Protection Impact Assessments
  • Corrective action tracking
  • Senior management or board-level reporting

Where the organisation uses AI, profiling, algorithmic systems, or automated decision-making, it should conduct risk assessments to evaluate whether such processing may adversely affect Data Principal rights.

DPIAs should generally assess:

  • Nature and purpose of processing
  • Risk to Data Principals
  • Use of sensitive or large-scale data
  • Automated decision-making impact
  • Mitigation measures
  • Residual risk after controls

Audit findings should be documented and linked to practical remediation steps, not merely stored as compliance records.

13. Training, Awareness and Internal Compliance Culture

Legal basis: Section 8, DPDP Act, 2023

DPDP compliance depends heavily on people and processes. Even strong policies can fail if employees do not understand how personal data should be handled.

The organisation should provide privacy and data protection training for:

  • Employees handling customer or user data
  • HR teams handling employee records
  • Marketing teams managing campaigns and consent
  • Product and engineering teams designing data flows
  • Security and IT teams managing access and incidents

Training should cover consent, Data Principal rights, breach reporting, vendor handling, data minimisation, security practices, and internal escalation procedures.

Training records should be maintained to show participation, completion, and coverage. In practice, this helps demonstrate that privacy compliance is embedded into organisational operations and not limited to legal documentation.

14. Transparency, Reporting and Public Accountability

Legal basis: Sections 6, 8 and 13, DPDP Act, 2023

Transparency is central to DPDP compliance. A business should ensure that Data Principals can easily understand how their personal data is processed and how they can exercise their rights.

The organisation should maintain and publish an updated privacy notice or privacy policy covering:

  • Categories of personal data collected
  • Purpose of processing
  • Consent withdrawal mechanism
  • Data Principal rights
  • Grievance redressal process
  • Contact details of grievance officer or DPO, where applicable

The organisation should also maintain internal documentation to demonstrate:

  • Lawful processing
  • Consent validity
  • Security measures
  • Vendor controls
  • Breach response readiness
  • Rights request handling

As a good compliance practice, larger organisations may publish periodic privacy or accountability summaries covering key privacy controls, audits, breach response readiness, and governance improvements. This should be done carefully and without disclosing sensitive security or personal data details.

15. Audit Readiness, Monitoring and Evidence Management

Legal basis: Sections 8 and 10, DPDP Act, 2023; Rule 6, DPDP Rules, 2025

DPDP compliance should be demonstrable through records, logs, reports, and internal controls. A business should be able to show not only that policies exist, but that they are actively followed.

The organisation should maintain audit-ready records of:

  • Consent notices and consent logs
  • Data mapping and processing records
  • Data Principal rights requests and responses
  • Vendor contracts and due diligence records
  • Security safeguards and access logs
  • Breach reports and remediation actions
  • Retention and deletion records
  • DPIAs and audit reports, where applicable

Monitoring should be continuous rather than occasional. Businesses should periodically review access controls, consent flows, vendor performance, breach readiness, retention practices, and grievance handling.

Logs should be retained for a reasonable and defensible period, depending on regulatory expectations, cybersecurity requirements, audit needs, and business risk. However, log retention should not result in unnecessary or indefinite storage of personal data.

16. Common Implementation Gaps

Practical compliance risk areas

Many organisations appear compliant on paper but face risk because controls are not implemented properly in practice. This section focuses on those practical gaps so that the checklist is useful beyond legal drafting.

Common gaps include:

  • Privacy notices that do not match actual data practices
  • Weak or incomplete consent tracking
  • Consent bundled with general terms and conditions
  • No clear process for withdrawal of consent
  • Poor vendor due diligence before onboarding processors
  • Vendor contracts missing breach, deletion, audit, or security obligations
  • No proper mechanism for Data Principal access, correction, erasure, or nomination requests
  • Data retained beyond purpose without justification
  • No clear deletion triggers or deletion logs
  • Over-reliance on Section 17 exemptions without legal reasoning
  • Children’s data collected without verifiable parental consent
  • AI or automated decision-making used without rights-impact assessment
  • Breach response plan existing only on paper, without internal escalation timelines
  • Lack of audit-ready evidence during regulatory review

This section helps businesses understand that DPDP compliance is not only about legal drafting. It also depends on whether systems, vendors, employees, and internal workflows actually support the obligations.

17. Penalties, Enforcement Risk and Regulatory Consequences

Legal basis: Schedule of Penalties, DPDP Act, 2023

The DPDP Act provides significant financial penalties for non-compliance. Businesses should treat privacy failures as legal, operational, and reputational risks.

Key penalty exposure may include:

  • Up to ₹250 crore for failure to implement reasonable security safeguards
  • Up to ₹250 crore for failure to notify personal data breaches as required
  • Up to ₹200 crore for breach of children’s data protection obligations
  • Up to ₹150 crore for non-compliance by Significant Data Fiduciaries
  • Up to ₹50 crore for failure to comply with directions of the Data Protection Board
  • Up to ₹10 crore for failure by a Consent Manager to comply with obligations

Penalty assessment may typically consider factors such as the nature and gravity of the breach, duration of non-compliance, repeated failures, mitigation steps taken, and whether the organisation acted responsibly after discovering the issue.

Apart from monetary penalties, regulatory action may also affect business operations. In serious cases, organisations may face directions relating to processing restrictions, deletion of unlawfully processed data, or other corrective measures.