DPDPA Compliance Checklist for 2025: A Step-by-Step Guide for Indian Businesses

Every business that handles the personal data of Indian residents is now a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA). With the DPDP Rules 2025 operationalising the Act, compliance is no longer optional. This checklist breaks the journey into ten concrete steps.

1. Build a data inventory

Map every category of personal data you collect, where it is stored, how it flows, and who can access it. This Record of Processing Activities is the foundation everything else stands on.

2. Identify your legal basis

Under DPDPA, personal data may be processed on the basis of consent or certain legitimate uses (Section 7). Document which basis applies to each processing activity.

3. Publish a compliant consent notice

Section 5 requires a clear, itemised notice — in English and the languages of the Eighth Schedule — describing the personal data, the purpose, and how the Data Principal can exercise their rights and complain to the Data Protection Board.

4. Implement consent management

Consent must be free, specific, informed, unconditional and unambiguous. Critically, withdrawal must be as easy as giving consent (Section 6). A Consent Management Platform that logs every grant, change and withdrawal is the simplest way to prove this.

5. Operationalise Data Principal rights

Individuals can request access, correction, completion, updating and erasure of their data, and nominate someone to exercise rights on their behalf (Sections 11–14). Build a workflow with clear timelines.

6. Apply data minimisation and retention limits

Collect only what you need for the stated purpose, and erase personal data once that purpose is served (Section 8).

7. Implement reasonable security safeguards

Section 8(5) requires reasonable technical and organisational measures — encryption, access control, logging — to prevent a personal data breach.

8. Prepare a breach response plan

The DPDP Rules 2025 require notifying the Data Protection Board and affected Data Principals of a breach. Have an incident runbook ready before you need it.

9. Govern your processors

You remain accountable even when processing is outsourced (Section 8(2)). Flow DPDPA obligations down to every vendor through a Data Processing Agreement.

10. Handle children's and SDF obligations

If you process children's data, obtain verifiable parental consent and avoid tracking (Section 9). If you are notified as a Significant Data Fiduciary, appoint a Data Protection Officer, conduct Data Protection Impact Assessments, and commission independent audits (Section 10).

Penalty context: non-compliance can attract penalties of up to ₹250 crore per instance under the Schedule to the Act. Treat this checklist as a board-level priority.

Use the Data Adhikaar Readiness Assessment to benchmark where you stand today.