We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

DPDP Act Compliance Checklist for Indian Businesses (2026)

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

DPDP Act Compliance Checklist for Indian Businesses (2026)

Most boards I sit in front of think they became DPDP-ready the day their legal team pasted a new privacy policy onto the website. Then I ask one question: show me, right now, every place a customer's phone number lives. Silence. Someone opens a laptop. Twenty minutes later we have a list of four systems, and by the end of the day it is eleven. That gap between what you think you hold and what you actually hold is where every DPDP audit starts to hurt.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is not a documentation exercise. It is an operational one. You can have a flawless notice and consent form and still fail the moment a Data Principal writes in asking you to erase their data and you have no idea where it all sits. This checklist is written the way I actually audit — control by control, artefact by artefact — so you can find your own gaps before a regulator, a breach, or an angry customer does it for you.

What the DPDP Act actually asks of you

Strip away the noise and the Act turns on a few load-bearing ideas. You are a Data Fiduciary if you decide the purpose and means of processing personal data. The individual whose data you process is the Data Principal. Anyone processing on your behalf — your cloud vendor, your call centre, your analytics tool — is a Data Processor, and you remain accountable for them. Consent must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. That last phrase kills pre-ticked boxes and bundled consent stone dead.

The Act was notified in 2023, and through 2025 the government released the Draft DPDP Rules for consultation, which flesh out consent notices, the Consent Manager framework, breach reporting timelines and Significant Data Fiduciary obligations. Treat the Rules as your operational spec even as the final text settles — the direction of travel is clear, and auditors are already testing against it. Penalties are severe: up to 250 crore rupees for failing to prevent a breach through reasonable security safeguards, up to 200 crore for breach-notification failures, and up to 50 crore for other lapses, adjudicated by the Data Protection Board of India.

RoleWho it isWhat you are on the hook for
Data FiduciaryYou, if you decide why and how data is processedConsent, notice, security, rights, breach reporting, vendor oversight
Data ProcessorVendor processing on your instructionFollowing the contract; the Fiduciary still answers for you
Data PrincipalThe individual (customer, employee, user)Nothing — they hold rights you must honour
Consent ManagerRegistered platform managing consentGiving Principals a single point to grant/withdraw consent

Step 1: You cannot protect what you have not mapped

Every real DPDP programme begins with a data inventory, and almost every failed one skipped it. Before you touch a consent form, you need a Record of Processing Activities (RoPA): for each category of personal data, what you collect, why, the lawful basis, where it is stored, who it is shared with, and how long you keep it. This is the artefact I ask for first, because it exposes the shadow systems — the marketing spreadsheet, the WhatsApp Business exports, the old CRM nobody decommissioned.

Do this properly and the rest of the checklist gets easier, because every downstream control — consent, rights, retention, breach scope — depends on knowing exactly what you hold and where. Do it badly and you will be guessing during a breach, which is the worst possible time to guess.

  • Categories of personal data: identity, contact, financial, biometric, children's data, health, location
  • Purpose and lawful basis for each category, stated in plain language
  • Storage location and system, including cloud region and third-party SaaS
  • Data flows: who inside and outside the organisation receives it, and why
  • Retention period and the trigger for deletion or archival
  • Whether any processing involves children (under 18) or is done at scale

Step 2: Consent and notice — the paperwork auditors read line by line

Here is where most Indian businesses have quietly been non-compliant for years and never noticed. Under the DPDP Act, consent must be tied to a specific purpose, and the notice you show at the point of collection must be itemised. A single sentence saying we may use your data to improve our services does not survive scrutiny. You must tell the Data Principal what personal data you are collecting, the purpose for each, how they can exercise their rights, and how they can complain to the Board.

Consent notices must also be available in English and the languages listed in the Eighth Schedule to the Constitution — a point many organisations miss until an auditor asks for the Hindi or Tamil version and there isn't one. And withdrawal must be as easy as giving consent. If a customer needed one click to opt in, do not make them call a helpline to opt out.

Consent elementWhat good looks likeCommon failure I see
GranularitySeparate consent per purposeOne checkbox for marketing, analytics and sharing bundled together
Affirmative actionUser actively ticks an unticked boxPre-ticked box or consent buried in T&Cs
Notice clarityItemised list of data and purposesVague we may use your data language
LanguageEnglish plus Eighth Schedule languages on requestEnglish-only notice
WithdrawalOne-step withdrawal, effect equal to consentWithdrawal requires emailing support and waiting days
RecordsTimestamped, versioned consent logsNo proof of what the user actually agreed to, or when

The record-keeping point is the one that catches people. When the Board or a Data Principal challenges you, you must produce the exact consent that was captured, against the exact notice version shown at that time. If your website has been redesigned three times and you cannot reconstruct which notice a 2024 customer saw, you have a problem. Version your notices. Log consent with a timestamp and a reference to the notice version. Keep it immutable.

Step 3: Data Principal rights — the operational test you will actually be graded on

Consent forms are theory. Rights fulfilment is practice, and it is where an auditor learns whether your programme is real. The Act gives Data Principals the right to access a summary of their data and processing, the right to correction and erasure, the right to grievance redressal, and the right to nominate someone to act on their behalf if they die or become incapacitated.

Picture the scene that actually plays out. A customer emails: delete all my data. Your support agent forwards it to IT. IT deletes the CRM record. Six months later a marketing email lands in that customer's inbox because their address still sat in the email platform and the analytics warehouse and a backup. Now you have not just failed the erasure request — you have created evidence of it. The fix is not willpower; it is a defined workflow with a system-of-record mapping and an SLA.

RightWhat you must doTarget timeline
AccessProvide a summary of personal data and processing activitiesWithin a reasonable period defined in your policy, typically 30 days
Correction and completionCorrect, complete or update inaccurate dataPromptly on verified request
ErasureDelete data unless retention is legally requiredPromptly, across all systems including backups on their cycle
Grievance redressalRespond via a published grievance officerWithin the period stated in your notice
NominationAllow a Principal to nominate another individualCapture and honour on request

Publish a named Grievance Officer with real contact details, not a generic inbox nobody reads. Log every request, its resolution, and the time taken. When I audit rights fulfilment, I pick three closed requests at random and trace them end to end. If the data survived in a system your workflow forgot about, the whole control fails — however good the paperwork looked.

Step 4: Reasonable security safeguards — where the 250 crore penalty lives

The Act does not hand you a control catalogue. It says you must protect personal data with reasonable security safeguards to prevent a breach — and then attaches the largest penalty in the statute to that single obligation. So the practical question becomes: what will an auditor and the Board treat as reasonable? The honest answer is that they will benchmark you against established frameworks — ISO/IEC 27001, the CERT-In directions, and sector rules from the RBI, SEBI or IRDAI if they apply to you.

Reasonable is not a fixed line; it scales with the sensitivity and volume of what you hold. A fintech processing millions of financial records is held to a far higher bar than a five-person consultancy. But there is a floor everyone must clear, and it maps cleanly onto controls a CERT-In empanelled auditor already tests.

  • Encryption of personal data at rest and in transit, with managed keys
  • Role-based access control and least privilege, reviewed quarterly
  • Multi-factor authentication on all admin and remote access
  • Audit logging retained for at least 180 days, in line with CERT-In directions
  • Network segmentation isolating databases holding personal data
  • Vulnerability assessment and penetration testing on internet-facing systems, at least annually
  • Data backup and tested restoration, with encryption on the backups
  • Vendor security due diligence and Data Processing Agreements with every Processor

The CERT-In directions of 2022 matter here even though they predate the DPDP Act. They mandate synchronising system clocks to NIC or NPL time, retaining logs for 180 days within India, and reporting specified cyber incidents to CERT-In within six hours of noticing them. That six-hour clock is separate from your DPDP breach obligation, and both can apply to the same incident. Miss either and you have two regulators to answer to.

Step 5: Breach notification — the clock starts before you are ready

No breach programme survives first contact with an actual breach unless it was rehearsed. The DPDP Rules require you to notify both the Data Protection Board and every affected Data Principal when a personal data breach occurs — and the draft framing points to prompt, essentially without-delay notification, with a fuller report to follow. This is intentionally aggressive. It means the decision to notify has to be made while you are still firefighting, not after the forensics are complete.

The failure mode is always the same: the incident is spotted by an engineer at 11pm, escalated the next morning, debated by legal for two days, and reported late. By then you have blown the timeline and the notification itself reads like a cover-up. The fix is a pre-approved decision tree and pre-drafted templates so that the on-call responder knows exactly who to wake and what threshold triggers a report.

ObligationTriggerTimeline
CERT-In incident reportNoticing a listed cyber incidentWithin 6 hours
DPDP Board notificationAny personal data breachWithout delay, per the DPDP Rules framework
Data Principal notificationBreach affecting their dataWithout delay, describing the breach and mitigation
Sectoral report (RBI/SEBI/IRDAI)If a regulated entityPer the relevant sector circular, often 2 to 6 hours

Your breach notice to affected individuals must describe the nature of the breach, its likely consequences, the measures you have taken, and what the individual can do to protect themselves. Write those templates now. During an incident, nobody has the calm to draft clear language from a blank page.

Step 6: Extra duties if you are a Significant Data Fiduciary

The government can notify certain organisations as Significant Data Fiduciaries based on the volume and sensitivity of data they process, the risk to Data Principals, and impact on public order or India's sovereignty. If you are named one — and large platforms, big fintechs and health players should assume they will be — additional obligations kick in. You must appoint a Data Protection Officer based in India who reports to the board, appoint an independent data auditor, and conduct a periodic Data Protection Impact Assessment (DPIA).

  • Appoint an India-based Data Protection Officer accountable to the board
  • Engage an independent data auditor to evaluate DPDP compliance
  • Run a Data Protection Impact Assessment for high-risk processing
  • Conduct periodic compliance audits and retain the reports
  • Apply heightened scrutiny to any algorithmic processing that could harm Principals

Even if you are not formally designated, adopting the DPIA discipline is smart. A DPIA forces you to document risk before you launch a new product feature that scoops up personal data — which is exactly the moment most privacy failures are born.

The fix-it checklist: what to do in the next 90 days

If you do nothing else, work this list in order. It is sequenced the way I would run a remediation programme — inventory first, because everything downstream depends on it, and vendors last only because they take longest to close.

  • Build a Record of Processing Activities covering every system that touches personal data, including shadow tools
  • Rewrite consent notices to be itemised, purpose-specific and available in required languages
  • Implement versioned, timestamped consent logging you can reproduce on demand
  • Stand up a Data Principal rights workflow with an SLA and a system-of-record deletion map
  • Publish a named Grievance Officer with working contact details
  • Close the reasonable-security floor: encryption, MFA, RBAC, 180-day logging, annual VAPT
  • Sign Data Processing Agreements with every vendor and run security due diligence on the high-risk ones
  • Write and pre-approve breach decision trees and notification templates for the Board, Principals and CERT-In
  • If you may be a Significant Data Fiduciary, appoint a DPO and independent auditor and run a DPIA
  • Rehearse a breach tabletop so the timelines are muscle memory, not theory

The gap between the policy and the practice

Come back to that boardroom and the eleven systems nobody could name. The privacy policy was fine. The consent form was fine. What was missing was the operational spine — the mapping, the workflows, the logs, the rehearsed response — that turns a legal document into something an auditor can actually verify. DPDP compliance is not a certificate you earn once. It is a set of habits you can prove on any given Tuesday, including the Tuesday you get breached.

If you want a second pair of eyes on where you actually stand, that is the work we do at CyberSigma — senior CERT-In empanelled auditors who sit in the room, trace your data end to end, and tell you plainly what will fail before a regulator does. No dashboards, just the honest findings and a remediation plan you can act on.

FAQs

Is the DPDP Act in force, and do I need to comply now?

The DPDP Act was passed in 2023 and the Draft DPDP Rules were released for consultation through 2025. While some provisions are being operationalised in phases, the direction is settled and enforcement is coming. Treat the Act and Rules as your operating standard now — building the inventory, consent and rights machinery takes months, so starting late is the real risk.

What is the difference between DPDP obligations and the CERT-In directions?

They are separate but overlapping. CERT-In directions (2022) mandate six-hour cyber-incident reporting, 180-day log retention in India, and clock synchronisation, and apply broadly to entities operating in India. DPDP governs how you handle personal data specifically — consent, rights, breach notice to the Board and affected individuals. A single incident can trigger both, so map your obligations to both regulators.

How large are the penalties under the DPDP Act?

The Data Protection Board can impose up to 250 crore rupees for failing to take reasonable security safeguards that would have prevented a breach, up to 200 crore for breach-notification failures, and up to 50 crore for other breaches of duty. Penalties scale with the nature, gravity and duration of the lapse, so a documented, good-faith programme materially reduces exposure.

Do I need consent for employee or existing customer data?

You need a lawful basis for all processing of personal data. The Act recognises certain legitimate uses that do not require fresh consent, such as processing for employment purposes or where a Principal has voluntarily provided data for a purpose. But you still owe notice, security, rights fulfilment and retention limits. Do not assume existing databases are exempt — map them and confirm the basis for each.

What counts as reasonable security safeguards?

The Act does not list them, but auditors and the Board benchmark against ISO/IEC 27001, CERT-In directions and any sector rules (RBI, SEBI, IRDAI). Practically, expect encryption at rest and in transit, MFA, role-based access, 180-day logging, network segmentation, annual VAPT, tested backups and vendor due diligence. The bar scales with the sensitivity and volume of data you hold.

Who is a Significant Data Fiduciary and what changes for them?

The government designates them based on data volume, sensitivity, and risk to Principals and to the country. If named, you must appoint an India-based Data Protection Officer reporting to the board, engage an independent data auditor, and conduct periodic Data Protection Impact Assessments. Large platforms, fintechs and health-data processors should plan as if designation is likely.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205