DPDP Compliance Checklist for Indian Businesses
A structured checklist covering every obligation under the DPDP Act 2023. Use this to audit your current compliance posture and prioritise remediation.
The Digital Personal Data Protection Act, 2023 imposes specific, enumerated obligations on every entity that processes personal data of individuals in India. Compliance is not a matter of interpretation. It is a matter of implementation.
This checklist maps the five primary compliance areas to their statutory references. Each item represents a discrete obligation. An unchecked item is an open exposure. Treat this document as an operational audit tool: walk through it quarterly, assign ownership to each line item, and track remediation to closure.
If an item requires deeper understanding, linked references are provided for each section.
1. Consent Management (Section 6)
Section 6 of the DPDP Act establishes consent as the legal basis for processing personal data. Consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes, bundled consent, and implied consent do not meet the statutory threshold.
- Consent is collected through a clear, affirmative action by the Data Principal
- Each processing purpose has its own separate consent request
- Consent notice is provided in English and at least one language listed in the Eighth Schedule of the Constitution
- Consent notice specifies: (a) the personal data being collected, (b) the purpose of processing, and (c) the right to withdraw
- No personal data is processed before valid consent is recorded
- Consent records are stored with timestamps, version references, and the exact notice shown at the time of collection
- Consent withdrawal mechanism is as accessible as the consent collection mechanism
- Withdrawal of consent triggers cessation of processing and downstream data deletion within the prescribed period
- Consent infrastructure is tested for edge cases: partial withdrawal, re-consent after withdrawal, consent for new purposes on existing data
For the full treatment of consent architecture under the Act, see Consent Management Under the DPDP Act.
2. Data Principal Rights (Sections 11-14)
The Act grants Data Principals four categories of rights. These are not optional features. They are statutory entitlements that your systems must be engineered to fulfil within prescribed timelines.
- Data Principals can request a summary of all personal data being processed and the processing activities associated with it (Section 11)
- A defined process exists for identity verification before honouring any rights request
- Correction and erasure requests can be received, logged, and executed (Section 12)
- Data Principals can nominate another individual to exercise their rights in case of death or incapacity (Section 14)
- Grievance redressal mechanism is published and accessible, with a designated contact point
- All rights requests are acknowledged and resolved within the timelines prescribed by the Rules
- Responses to rights requests are logged with audit trails for regulatory inspection
- The grievance redressal process has an escalation path and does not dead-end at a generic support inbox
For implementation guidance on each right, see Data Principal Rights Under the DPDP Act.
3. Data Fiduciary Obligations (Sections 8-10)
Sections 8 through 10 define the baseline obligations of a Data Fiduciary. These apply regardless of organisation size, industry, or processing volume. Significant Data Fiduciaries carry additional obligations designated by the Central Government.
- Personal data is processed only for the purpose for which consent was obtained, or for a legitimate use specified in the Act
- Data retention is limited to the period necessary for the stated purpose; data is erased when the purpose is fulfilled
- A Data Protection Officer (DPO) is appointed if the organisation is designated as a Significant Data Fiduciary
- Periodic Data Protection Impact Assessments (DPIA) are conducted if designated as a Significant Data Fiduciary
- An independent data auditor is appointed if required by the designation order
- Reasonable security safeguards (encryption, access controls, logging) are implemented to protect personal data from breach, loss, or unauthorised access
- All Data Processors engaged by the Fiduciary operate under a written contract with defined processing instructions, security requirements, and breach notification obligations
- Processing records are maintained in a format that can be produced for regulatory inspection
- Purpose limitation is enforced programmatically: data collected for purpose A cannot drift into use for purpose B without fresh consent
- Data deletion workflows are automated and auditable, not dependent on manual intervention
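One way to implement the consent-record items in Section 1 (one record per purpose, timestamp, notice version and the exact notice shown, withdrawal and re-consent) together with the programmatic purpose-limitation gate in Section 3, as an added Python example that is not code from the page; the ConsentLedger class, its method names and the constructed principal ids are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib


@dataclass
class ConsentRecord:
    purpose: str            # one record per purpose (no bundled consent)
    notice_version: str     # version of the notice shown at collection
    notice_sha256: str      # hash of the exact notice text the principal saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only, per-Data-Principal consent records (hypothetical class)."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def record_consent(self, principal: str, purpose: str,
                       notice_version: str, notice_text: str,
                       affirmative_action: bool = False) -> ConsentRecord:
        # Section 6: consent must come from a clear affirmative action;
        # a default or pre-ticked value is rejected rather than stored.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action")
        rec = ConsentRecord(purpose, notice_version,
                            hashlib.sha256(notice_text.encode()).hexdigest(),
                            datetime.now(timezone.utc))
        self._records.setdefault(principal, []).append(rec)
        return rec

    def withdraw(self, principal: str, purpose: str) -> int:
        """Partial withdrawal: closes consent for one purpose only."""
        now = datetime.now(timezone.utc)
        closed = 0
        for rec in self._records.get(principal, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                closed += 1
        return closed  # number of active records closed

    def may_process(self, principal: str, purpose: str) -> bool:
        """Purpose-limitation gate: needs an unwithdrawn record for this purpose."""
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(principal, []))
```

Call `may_process` before every processing step; data consented for one purpose never satisfies the gate for another, and re-consent after withdrawal simply appends a fresh record.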
For the complete obligation framework, see Data Fiduciary Obligations Under the DPDP Act.
4. Breach Notification (Section 9(6))
The Act requires every Data Fiduciary to notify the Data Protection Board and each affected Data Principal in the event of a personal data breach. The notification obligation is triggered by any breach, not only breaches above a certain severity threshold.
- A breach detection system is in place with defined triggers and monitoring coverage
- An incident response plan exists, is documented, and has been rehearsed at least once in the last 12 months
- The notification workflow to the Data Protection Board is defined, with responsible personnel identified by name and role
- The notification workflow to affected Data Principals is defined, including communication channels and templates
- Notification timelines comply with the periods prescribed in the Rules (once the Rules are notified)
- Breach records include: nature of breach, data affected, Data Principals impacted, remedial actions taken, and timeline of response
- Post-breach review is conducted to identify root cause and prevent recurrence
- Third-party Data Processors are contractually required to notify the Fiduciary of any breach without delay
For detailed breach notification architecture, see Breach Notification Requirements Under the DPDP Act.
5. Children’s Data Protection (Section 9)
Section 9 imposes heightened obligations for processing personal data of children (individuals below 18 years). The Act prohibits certain categories of processing entirely and requires verifiable parental consent for all other processing.
- Age verification mechanisms are implemented before collecting data from any individual who may be a minor
- Verifiable consent of a parent or lawful guardian is obtained before processing a child’s personal data
- No tracking, behavioural monitoring, or targeted advertising is conducted on children’s data
- No processing is undertaken that is likely to cause detrimental effect on the well-being of a child
- Data processing activities involving children are reviewed separately during impact assessments
- If the organisation is exempt from parental consent requirements by government notification (e.g., for verified safe processing), the exemption order is documented and the conditions are strictly followed
- Children’s data is stored with additional access restrictions and shorter retention periods than adult data
- All third-party processors who may receive children’s data are contractually bound to the same protections
For the full children’s data protection framework, see Children’s Data Protection Under the DPDP Act.
Using This Checklist
This is not a one-time exercise. Compliance is a maintained state, not an achieved milestone. The recommended operating cadence:
Quarterly: Walk through every item. Assign an owner to each unchecked item. Set a remediation deadline.
After any system change: Re-evaluate items in Sections 1 and 3. New features, new data collection points, and new third-party integrations introduce new consent and processing obligations.
After any incident: Re-evaluate Section 4 in its entirety. If your breach response took longer than expected, the checklist will show you where the gap was.
Annually: Conduct a full audit against this checklist with your legal counsel and DPO. Document the results. The Data Protection Board will expect evidence of ongoing diligence, not a single compliance certificate from 2024.
Assess Your Current Position
If you want to know where your organisation stands today, run a structured gap assessment before attempting remediation. Prioritising without a baseline leads to wasted effort on low-risk items while critical exposures remain open.