DPDPA Compliance Checklist 2026: Free Template for Indian Businesses
India's Digital Personal Data Protection Act, 2023 (DPDPA) is now actively enforced, and the Data Protection Board has begun issuing penalty orders. If you operate a website, app, or SaaS that collects personal data from anyone in India, you are a "Data Fiduciary" under this law and you are on the hook for fines of up to ₹250 crore. This 2026 checklist is the fastest way to understand exactly where you stand.
What changed in 2026
The DPDPA was passed in August 2023 and the supporting Digital Personal Data Protection Rules were notified in 2025. Phase 1 of enforcement (consent, notice, grievance officer, breach reporting) is now live for every business. Phase 2 (full Data Principal rights with strict response timelines) is being phased in. Significant Data Fiduciaries (SDFs) face the heaviest obligations including a Data Protection Officer (DPO) and Data Protection Impact Assessments (DPIAs).
For most Indian SMBs, the practical question in 2026 is no longer "will this apply to me?" but "what is the cheapest, fastest way to get to a defensible compliance posture?" That's what this checklist gives you.
The 15-point DPDPA compliance checklist
1. Map every byte of personal data you collect
Before you write a single privacy clause, list every field you collect: name, email, phone, address, IP address, device ID, location, payment data, support chat transcripts. Note where it is stored (Postgres, S3, Razorpay, Zoho, your CRM) and who has access. This inventory is the foundation for everything else. You cannot protect or delete data you don't know exists.
2. Establish a lawful basis for every collection
DPDPA recognises two lawful bases: consent (Section 6) and legitimate uses (Section 7 — employment, public interest, medical emergency, etc.). For most B2C businesses, consent is the only realistic basis. The consent must be free, specific, informed, unconditional, unambiguous, and given by a clear affirmative action — pre-ticked boxes and bundled consents are not valid.
3. Publish a DPDPA-compliant privacy notice (Section 5)
Your privacy policy must include: the categories of personal data collected, the specific purposes, the manner in which Data Principals can exercise their rights, the manner of grievance redressal, and the contact details of the DPO or person responsible. Use our free DPDPA generator to produce a notice that references the correct sections of the Act.
4. Implement granular consent capture and a consent withdrawal mechanism
You need an audit trail showing when the user consented, what they consented to, and the language shown. Section 6(4) requires that withdrawing consent be as easy as giving it — so a one-click "withdraw consent" link in your account settings or footer is non-negotiable.
5. Appoint a grievance officer (every Data Fiduciary)
Even small businesses must appoint a grievance officer whose contact details are published prominently. The officer must respond to user grievances within a reasonable time (typically interpreted as 7-30 days). This is a board-level minimum even before SDF designation.
6. Implement Data Principal rights workflows
Users can demand: a summary of personal data being processed (right to information), correction or erasure, nomination, and grievance redressal. Build internal tooling — even a Notion/Airtable workflow — to log these requests, route them to engineering, and respond within timelines. See the full Section 11-14 breakdown.
7. Implement reasonable security safeguards (Section 8(5))
Encryption in transit (HTTPS), encryption at rest for sensitive fields, strong access controls, MFA for admin accounts, regular backups, and a tested incident response plan. The bar is "reasonable" — but the Data Protection Board will be unforgiving if you store passwords in plaintext or expose customer PII via misconfigured S3 buckets.
8. Set up breach notification procedures (Section 8(6))
You must notify both the Data Protection Board and every affected Data Principal "in such form and manner as may be prescribed." Have templates ready. Have a war-room runbook. Practice it once a year.
9. Address children's data protection (Section 9)
If users may be under 18, you need verifiable parental consent and you cannot do behavioural tracking or targeted advertising to them. EdTech and gaming apps face the heaviest scrutiny here.
10. Cross-border data transfer controls (Section 16)
You can transfer personal data outside India by default, except to countries the Central Government restricts. Maintain a list of all foreign processors (AWS, GCP, Stripe, OpenAI, etc.) and monitor MeitY notifications.
11. Vet and contract with all Data Processors (Section 8(2))
Every vendor that touches your users' personal data must be under a written contract that flows down DPDPA obligations. This includes payment gateways, email senders (SendGrid, Mailgun), analytics (PostHog, Mixpanel), and AI providers.
12. Plan for SDF (Significant Data Fiduciary) thresholds
The Government will notify volume/sensitivity thresholds. If you cross them you must appoint a DPO based in India, conduct annual DPIAs and audits, and report to the Board. Anyone processing health, financial, or biometric data at scale should plan for SDF designation.
13. Build an internal training and awareness program
Penalties under DPDPA can be levied for the act of an employee. Annual training (and onboarding training) for engineering, support, sales, and marketing teams is now table stakes.
14. Maintain documentary evidence of compliance
The Board will ask: show me your records of processing activities, your breach register, your consent logs, your processor contracts, your DPO appointment letter. Compliance is a paperwork exercise — keep the paperwork.
15. Review and refresh every 6 months
The Rules will continue to evolve. New sectoral guidelines (banking, telecom, healthcare) will land. Schedule a half-yearly DPDPA review on your founder/legal calendar.
What happens if you ignore this
The penalty schedule under DPDPA is among the most aggressive in the world: up to ₹250 crore for failure to take reasonable security safeguards, ₹200 crore for failure to notify a breach or for child-data violations, and ₹150 crore for failure to fulfill SDF obligations. See the full penalty matrix. Even for small businesses, the lower-tier penalties (₹10,000 to ₹50 crore) are existential.
Get started in 5 minutes
Compliance does not need to take a quarter. The fastest path is:
- Generate your privacy policy with our free DPDPA policy generator — it covers items 3, 6, and 11 of this checklist.
- Walk the interactive 15-point checklist with your engineering lead in one sitting.
- Bookmark the penalty page and share it with your board so the budget conversation is easy.
If you formalize a privacy program now, you will avoid almost every category of penalty. Procrastinating is the only mistake that scales.
Generate your DPDPA privacy policy
Free. Two minutes. Section-by-section references. English & Hindi.
Open the generator →