⚖ Updated for 2026

DPDPA Compliance Checklist
15-Point Guide for Indian Businesses

A comprehensive checklist to help your organization comply with India's Digital Personal Data Protection Act, 2023. Pair this with our free policy generator for full compliance.

Your Progress
0 / 15

Table of Contents

  1. Lawful Consent Mechanisms
  2. Clear Notice Before Collection
  3. Limit Processing to Stated Purposes
  4. Practice Data Minimization
  5. Define Retention Periods
  6. Data Principal Rights Mechanisms
  7. Grievance Redressal Process
  8. Appoint a DPO
  9. Data Security Safeguards
  10. Breach Notification Procedures
  11. Children's Data Protection
  12. Cross-Border Data Transfers
  13. Audit Third-Party Processors
  14. Publish DPDPA-Compliant Policy
  15. Regular Compliance Reviews
1
Implement Lawful Consent Mechanisms Section 6

Under Section 6 of the DPDPA, you must obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals before collecting or processing their personal data.

  • Use clear opt-in checkboxes (not pre-ticked) at every data collection point
  • Present a plain-language notice explaining what data is collected and why
  • Ensure consent is given through affirmative action (click, check, sign)
  • Do not bundle consent with terms of service
  • Implement a mechanism for users to withdraw consent easily at any time
  • Maintain records of when and how consent was obtained
Generate consent-compliant policy →
2
Provide Clear Notice Before Data Collection Section 5

Before or at the time of collecting personal data, provide a clear notice containing:

  • An itemized description of the personal data being collected
  • The specific purpose for each category of data processed
  • How the Data Principal can exercise their rights under the DPDPA
  • How to file a complaint with the Data Protection Board

The notice must be in clear, plain language. Consider providing it in Hindi and regional languages as well.

3
Limit Data Processing to Stated Purposes Section 4 & 8(3)

Purpose limitation is a core principle. You may only process personal data for the specific purposes communicated to the Data Principal at the time of consent.

  • Document all purposes for which you process data
  • Do not use data for new purposes without obtaining fresh consent
  • Regularly audit your data processing activities
  • Train employees and contractors on purpose limitation
4
Practice Data Minimization Section 8

Collect only the minimum personal data necessary to fulfill the stated purpose. Avoid collecting data "just in case".

  • Review each form field and data collection point for necessity
  • Remove or make optional any non-essential data fields
  • Do not collect sensitive data (Aadhaar, biometrics, health) unless absolutely required
  • Periodically review and prune unnecessary data
5
Define and Enforce Data Retention Periods Section 8(7)

The DPDPA requires personal data be erased once the purpose has been fulfilled, unless retention is required by law.

  • Define clear retention periods for each data category
  • Implement automated deletion or anonymization
  • Consider legal requirements (e.g., 7-year retention for financial records)
  • Delete or anonymize data when a user withdraws consent or requests erasure
6
Document Data Principal Rights Mechanisms Sections 11-14

You must have functioning processes to handle the following Data Principal rights:

  • Right to Access (Sec 11): Provide summary of data, processing, and sharing
  • Right to Correction (Sec 12): Allow correction of inaccurate data
  • Right to Erasure (Sec 12): Delete data on request
  • Right to Nomination (Sec 14): Allow nomination for death/incapacity

Create response templates and track all requests with SLAs.

7
Establish Grievance Redressal Process Section 13 & 8(8)

Every Data Fiduciary must have a process for Data Principals to raise and resolve grievances.

  • Publish contact details of your grievance officer prominently
  • Provide an easy mechanism (email, web form, phone) for complaints
  • Acknowledge grievances within 48 hours
  • Resolve complaints within prescribed timeframes
  • Inform Data Principals of their right to escalate to the DPBI
8
Appoint a Data Protection Officer (DPO) Section 8(8) & 10

Mandatory for Significant Data Fiduciaries; strongly recommended for all businesses handling personal data.

  • Appoint a DPO or equivalent contact person
  • Ensure the DPO is based in India (mandatory for SDFs)
  • Publish DPO contact details on your website and privacy policy
  • DPO should serve as point of contact for the Data Protection Board
  • DPO should report to Board of Directors or senior management
9
Implement Data Security Safeguards Section 8(4)

Section 8(4) requires reasonable security safeguards to prevent personal data breaches:

  • Encryption: TLS/SSL in transit, encryption at rest
  • Access controls: Role-based access, MFA, least-privilege
  • Regular audits: Security assessments and penetration testing
  • Employee training: Staff training on data protection
  • Incident response: Tested data breach response plan
  • Secure disposal: Secure deletion from systems and backups

Failure can attract a penalty of up to ₹250 crore.

10
Set Up Breach Notification Procedures Section 8(6)

In the event of a personal data breach, notify:

  • The Data Protection Board of India in prescribed form
  • Each affected Data Principal

To be prepared:

  • Breach detection and reporting procedure
  • Designated breach response team
  • Notification templates for Board and individuals
  • Breach simulation drills and a breach register

Failure to notify can attract penalty up to ₹200 crore.

11
Address Children's Data Protection Section 9

If your platform may collect data from individuals under 18:

  • Implement age verification mechanisms
  • Obtain verifiable parental consent before processing child data
  • Do not engage in behavioral tracking of children
  • Do not serve targeted advertising to children
  • Do not process data detrimental to the child's well-being
  • Allow parents/guardians to exercise rights on behalf of the child

Non-compliance penalty: up to ₹200 crore.

12
Manage Cross-Border Data Transfers Section 16

The DPDPA allows transfer of personal data outside India, except to countries restricted by Central Government.

  • Identify all data flows outside India (cloud, third-party services)
  • Monitor government notifications for restricted country lists
  • Ensure contractual safeguards with foreign processors
  • Document all cross-border transfers in your privacy policy
13
Audit Third-Party Data Processors Section 8

As a Data Fiduciary, you are responsible for the actions of your Data Processors.

  • Maintain a register of all Data Processors
  • Execute Data Processing Agreements (DPAs) with all processors
  • Ensure processors implement appropriate security measures
  • Conduct periodic audits of processor compliance
  • Include breach notification obligations in contracts
14
Publish a DPDPA-Compliant Privacy Policy Section 5 & 8

Your privacy policy is the primary compliance document. It must clearly communicate:

  • What personal data you collect and why
  • How you process, store, and protect the data
  • With whom you share the data
  • Retention period
  • Data Principal rights and how to exercise them
  • DPO or grievance officer contact details
Generate your DPDPA policy now →
15
Conduct Regular Compliance Reviews Best Practice

DPDPA compliance is not a one-time task. As regulations evolve:

  • Conduct quarterly reviews of data processing activities
  • Update your privacy policy on material changes
  • Monitor government notifications for new rules
  • Obtain fresh consent if processing purpose changes
  • Train new employees on DPDPA during onboarding
  • Maintain documentation for potential audits

Generate Your DPDPA-Compliant Privacy Policy

Now that you understand the requirements, use our free tool to generate a policy addressing all 15 points.

Generate Free Privacy Policy →

Summary: Your DPDPA Compliance Roadmap

Complying with the Digital Personal Data Protection Act, 2023 requires a multi-pronged approach covering legal, technical, and organizational measures. The first step is understanding the Act's key concepts — Data Principals, Data Fiduciaries, and Data Processors — and recognizing your role and obligations.

The most critical actions: implement proper consent mechanisms, publish a transparent privacy policy, establish security safeguards, and create processes for Data Principal rights and grievance redressal. If your business handles children's data or transfers data cross-border, additional safeguards apply.

Remember, penalties for non-compliance are severe — up to ₹250 crore for serious violations. Investing in compliance now protects your business from regulatory risk and builds trust with your users.

Use our free DPDPA Privacy Policy Generator to take the first step towards compliance. See the full penalty schedule to understand the risks.