DPDPA Compliance Checklist 15-Point Guide for Indian Businesses
A comprehensive checklist to help your organization comply with India's Digital Personal Data Protection Act, 2023. Pair this with our free policy generator for full compliance.
Under Section 6 of the DPDPA, you must obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals before collecting or processing their personal data.
Use clear opt-in checkboxes (not pre-ticked) at every data collection point
Present a plain-language notice explaining what data is collected and why
Ensure consent is given through affirmative action (click, check, sign)
Do not bundle consent with terms of service
Implement a mechanism for users to withdraw consent easily at any time
Maintain records of when and how consent was obtained
Provide Clear Notice Before Data CollectionSection 5
Before or at the time of collecting personal data, provide a clear notice containing:
An itemized description of the personal data being collected
The specific purpose for each category of data processed
How the Data Principal can exercise their rights under the DPDPA
How to file a complaint with the Data Protection Board
The notice must be in clear, plain language. Consider providing it in Hindi and regional languages as well.
3
Limit Data Processing to Stated PurposesSection 4 & 8(3)
Purpose limitation is a core principle. You may only process personal data for the specific purposes communicated to the Data Principal at the time of consent.
Document all purposes for which you process data
Do not use data for new purposes without obtaining fresh consent
Regularly audit your data processing activities
Train employees and contractors on purpose limitation
4
Practice Data MinimizationSection 8
Collect only the minimum personal data necessary to fulfill the stated purpose. Avoid collecting data "just in case".
Review each form field and data collection point for necessity
Remove or make optional any non-essential data fields
Do not collect sensitive data (Aadhaar, biometrics, health) unless absolutely required
Periodically review and prune unnecessary data
5
Define and Enforce Data Retention PeriodsSection 8(7)
The DPDPA requires personal data be erased once the purpose has been fulfilled, unless retention is required by law.
Define clear retention periods for each data category
Implement automated deletion or anonymization
Consider legal requirements (e.g., 7-year retention for financial records)
Delete or anonymize data when a user withdraws consent or requests erasure
6
Document Data Principal Rights MechanismsSections 11-14
You must have functioning processes to handle the following Data Principal rights:
Right to Access (Sec 11): Provide summary of data, processing, and sharing
Right to Correction (Sec 12): Allow correction of inaccurate data
Right to Erasure (Sec 12): Delete data on request
Right to Nomination (Sec 14): Allow nomination for death/incapacity
Create response templates and track all requests with SLAs.
Complying with the Digital Personal Data Protection Act, 2023 requires a multi-pronged approach covering legal, technical, and organizational measures. The first step is understanding the Act's key concepts — Data Principals, Data Fiduciaries, and Data Processors — and recognizing your role and obligations.
The most critical actions: implement proper consent mechanisms, publish a transparent privacy policy, establish security safeguards, and create processes for Data Principal rights and grievance redressal. If your business handles children's data or transfers data cross-border, additional safeguards apply.
Remember, penalties for non-compliance are severe — up to ₹250 crore for serious violations. Investing in compliance now protects your business from regulatory risk and builds trust with your users.