A DPDPA compliance checklist covers building a data inventory, fixing a lawful basis, issuing Section 5 consent notices, enabling easy consent withdrawal, honouring Data Principal rights, securing data under Section 8(5), running a breach-response plan, governing vendors with DPAs, and meeting children’s-data and SDF duties.
Complying with the Digital Personal Data Protection Act, 2023 (DPDPA) is less about a single policy document and more about standing up a repeatable operating capability. The Act sets the obligations; the Digital Personal Data Protection Rules, 2025 fill in the operational detail — how notices read, how consent is managed, how breaches are reported, and what extra duties significant organisations carry.
This checklist breaks DPDPA readiness into ten practical steps, mapped to the relevant sections of the Act. Work through them in order: the early steps (knowing what data you hold and on what basis) are prerequisites for everything that follows.
Use the sections as your audit map
Each step below references the controlling section — Section 5 for notices, Section 6 for consent, Sections 11–13 for rights, Section 8 for fiduciary duties, Section 9 for children, Section 10 for SDFs. Treat the section numbers as the headings for your internal evidence file.
Step 1 — Build a data inventory and RoPA
You cannot protect or account for data you have not mapped. Start by building a complete inventory of the digital personal data you process — what you collect, where it lives, who can access it, why you hold it, and who you share it with. This Record of Processing Activities (RoPA) is the foundation for every other obligation.
1. Catalogue every system, application and third party that touches personal data.
2. Record the categories of data, the data subjects, the purpose and the lawful basis for each flow.
3. Map data sharing with processors and across borders.
4. Keep the inventory live: review it whenever a new system or vendor is onboarded.
Step 2 — Establish a lawful basis for each purpose
Under the DPDPA, personal data may be processed only for a lawful purpose, on the basis of consent or one of the “legitimate uses” permitted by Section 7. For every processing activity in your inventory, confirm and document the basis you are relying on. Where you rely on a legitimate use, make sure it genuinely fits — most direct-to-customer marketing and analytics still requires consent.
Step 3 — Deploy a Section 5 consent notice
Section 5 requires that, on or before requesting consent, you give the Data Principal an itemised notice. The notice must describe the personal data to be collected and the purpose of processing, explain how the individual can exercise their rights and how to complain to the Data Protection Board, and be available in English or any language listed in the Eighth Schedule to the Constitution.
- Itemise the personal data and the specific purpose — no bundled, vague catch-alls.
- Explain how to exercise rights and how to withdraw consent.
- Provide the contact details for grievances and for the Data Protection Board.
- Offer the notice in English and the Eighth Schedule languages you serve.
Step 4 — Build consent management and easy withdrawal
Section 6 sets the standard for consent: free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and limited to the data necessary for the stated purpose. Equally important, a Data Principal can withdraw consent at any time, and withdrawal must be as easy as giving it. Stand up a consent-management capability that records, time-stamps and lets users revoke consent — and consider a registered Consent Manager where appropriate.
Step 5 — Stand up a Data Principal rights workflow
Sections 11 to 13 give Data Principals enforceable rights that you must be able to honour quickly and consistently. Build a workflow that can receive a request, verify identity, action it within a reasonable period and log the outcome as evidence.
- Right to access information about personal data being processed (Section 11).
- Right to correction, completion, updating and erasure of personal data (Section 12).
- Right of grievance redressal through a readily available mechanism (Section 13).
- Right to nominate another individual to exercise rights in case of death or incapacity (Section 14).
Step 6 — Provide grievance redressal
Section 13 requires every Data Fiduciary to publish and operate a readily available grievance-redressal mechanism, and to respond within the period prescribed by the Rules. Publish a clear point of contact and track every grievance to closure. A Data Principal can escalate to the Data Protection Board only after exhausting your mechanism, so a well-run desk reduces both complaints and regulatory exposure.
Step 7 — Enforce data minimisation, retention and erasure
Section 8 requires you to collect only the data necessary for the stated purpose and to erase personal data once the purpose is served and retention is no longer required by law. Define retention periods per data category, automate deletion where you can, and ensure that erasing data on the front end actually removes it from backups and downstream systems.
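To make Steps 4 and 7 concrete, here is an added illustration (not code from the original checklist or any product) of a per-purpose consent ledger: every grant and withdrawal is time-stamped as audit evidence, processing is gated on the latest event for that exact purpose, and records fall due for erasure once consent is withdrawn and a hypothetical per-purpose retention window has lapsed. The class and method names, and the retention periods, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed example: a minimal per-purpose consent ledger. Every event is
# appended and time-stamped so the record doubles as compliance evidence.

@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str  # "given" or "withdrawn"
    at: datetime

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    # Hypothetical retention period per purpose, counted from withdrawal
    # (e.g. a statutory record-keeping period); zero means erase at once.
    retention: dict = field(default_factory=dict)

    def give(self, principal_id, purpose, at):
        self.events.append(ConsentEvent(principal_id, purpose, "given", at))

    def withdraw(self, principal_id, purpose, at):
        # Withdrawal is a single call, matching the ease of giving consent.
        self.events.append(ConsentEvent(principal_id, purpose, "withdrawn", at))

    def _latest(self, principal_id, purpose):
        hits = [e for e in self.events if e.principal_id == principal_id and e.purpose == purpose]
        return hits[-1] if hits else None

    def may_process(self, principal_id, purpose):
        # Processing is gated on the most recent event for that exact purpose;
        # consent for one purpose never covers another (Section 6: specific).
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.action == "given"

    def due_for_erasure(self, now):
        # Records whose consent is currently withdrawn and whose retention
        # window has lapsed, i.e. the purpose is served and no law requires retention.
        due = []
        for e in self.events:
            if e.action != "withdrawn" or self._latest(e.principal_id, e.purpose) is not e:
                continue
            keep_for = self.retention.get(e.purpose, timedelta(0))
            if now >= e.at + keep_for:
                due.append((e.principal_id, e.purpose))
        return due
```

The erasure list is what a scheduled job would feed to every downstream store and backup, so that front-end deletion is actually propagated as Step 7 requires.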
Step 8 — Implement reasonable security safeguards
Section 8(5) obliges you to protect personal data in your possession or control with reasonable security safeguards to prevent a breach — and it is the obligation carrying the highest penalty, up to ₹250 crore. Implement and document technical and organisational measures appropriate to the risk.
- Encryption, access controls and the principle of least privilege.
- Logging, monitoring and alerting on access to personal data.
- Regular backups, patching and vulnerability management.
- Contractual security obligations on every processor that holds your data.
Step 9 — Prepare a breach-response plan
A personal data breach must be reported to the Data Protection Board and to affected Data Principals, in the form and within the timeline set by the DPDP Rules 2025. Because speed and completeness are both penalty-relevant and explicitly weighed by the Board, prepare and rehearse a plan before you need it.
1. Define detection, triage and escalation paths with named owners.
2. Prepare notification templates for the Board and for affected individuals.
3. Run tabletop exercises so the team can act inside the prescribed timeline.
4. Capture timestamped evidence of detection, containment and notification.
Step 10 — Govern processors, children’s data and SDF duties
Three obligations sit on top of the core programme. Under Section 8(2) you may only engage a Data Processor under a valid contract, so put a data-processing agreement (DPA) in place with every vendor — you remain accountable even when processing is outsourced. Under Section 9, processing a child’s data (anyone under 18) requires verifiable parental consent and prohibits tracking, behavioural monitoring and targeted advertising directed at children. And if you are notified as a Significant Data Fiduciary (SDF) under Section 10, you must additionally appoint a Data Protection Officer based in India, appoint an independent data auditor, and carry out periodic Data Protection Impact Assessments and audits.
Accountability is not transferable
Outsourcing processing to a vendor does not outsource your liability. Without a valid Section 8(2) contract and oversight, a processor’s lapse becomes your penalty.
How do you keep DPDPA compliance current?
Compliance is a continuous capability, not a one-time project. Re-run your data inventory as systems change, refresh notices and consent flows when purposes change, re-test breach response periodically, and maintain continuous, timestamped evidence so you can demonstrate compliance whenever the Data Protection Board asks. Treat the ten steps above as a recurring cycle rather than a checklist you complete once.
Start with a free readiness assessment
Benchmark your programme against this checklist with a free DPDPA readiness assessment at /tools/dpdpa-readiness-assessment — it pinpoints your highest-risk gaps and returns a prioritised action plan.