DPDP Act Compliance Checklist for Indian Companies (2026)
Most boards I sit in front of think DPDP is a policy problem. Draft a privacy notice, publish it, tick a box. Then I ask one question that ends the meeting: show me, right now, every system that holds a customer's phone number and who inside your company can read it. Silence. Nobody knows. That single unanswered question is the whole compliance gap in one sentence.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is not the GDPR with an Indian accent. It is shorter, sharper and in some ways less forgiving. The Data Protection Board can impose penalties up to 250 crore rupees per instance for failing to prevent a breach, and the draft DPDP Rules, 2025 put hard clocks on things Indian companies have never had to time before. If you are treating this as a documentation exercise, you have already lost. This is an engineering and operations problem wearing a legal costume.
Why this one actually bites, when others did not
India has had privacy language before. The IT Act Section 43A and the SPDI Rules of 2011 asked for reasonable security practices and consent for sensitive data. Almost nobody enforced them. The result was a compliance culture that learned it could write a policy, never operationalise it, and never get caught. DPDP breaks that habit for three reasons.
- It creates a dedicated regulator, the Data Protection Board of India, whose only job is to adjudicate breaches and levy penalties. There is no shared mandate to hide behind.
- It makes penalties financial and per-instance, not nominal. 250 crore rupees for a security failure is a number that reaches the audit committee.
- It gives individuals, called Data Principals under the Act, real rights they can exercise: access, correction, erasure and grievance redressal, with your own timelines to answer them.
You, as the Data Fiduciary, are the entity that decides why and how personal data is processed. Your cloud vendor, your payment gateway, your call-centre BPO, your email tool: those are Data Processors acting on your instructions. The Act holds you accountable for what they do. You cannot outsource the liability. That single clause redraws every vendor contract you have signed.
The seven-layer readiness map, in priority order
After running DPDP gap assessments across banks, health-tech firms and D2C brands, I have stopped presenting findings as a flat list. Nobody fixes a flat list. I present it as seven layers, deliberately ordered so that each layer depends on the one above it. You cannot build consent without a data map. You cannot honour erasure without retention rules. Work top to bottom.
| Priority | Layer | What it answers | Typical time to close |
|---|---|---|---|
| 1 | Data mapping and inventory | What personal data do we hold, where, and why? | 4 to 8 weeks |
| 2 | Lawful basis and consent | On what legal ground do we process each item? | 3 to 6 weeks |
| 3 | Retention and deletion | When must this data be destroyed? | 4 to 6 weeks |
| 4 | Data Principal rights | How do we answer an access or erasure request in time? | 3 to 5 weeks |
| 5 | Processor and vendor obligations | Are our contracts and sub-processors compliant? | 6 to 10 weeks |
| 6 | Breach detection and reporting | Can we detect and report a breach on the clock? | 6 to 12 weeks |
| 7 | Governance and DPO | Who is accountable, and can they prove it? | 2 to 4 weeks |
Layer 1: The data map you have never actually built
Everything starts here, and this is where 90 percent of programmes stall. You cannot protect, delete or account for data you have not located. A DPDP data map is not a diagram drawn by a consultant in a workshop. It is a living record of every data element, its source, its purpose, its storage location, its lawful basis, its retention period and its downstream recipients.
Here is what actually happens. A mid-size lending firm told me they had two systems holding customer PII. We ran a discovery scan. We found forty-one. The marketing team had exported the full customer base to a spreadsheet on a shared drive in 2022 for a campaign, and it was still there, unencrypted, readable by nineteen people. There was a WhatsApp Business export sitting in an S3 bucket with no lifecycle policy. Their support team was pasting Aadhaar numbers into a helpdesk ticketing tool that stored them in plain text forever. None of this was in their policy. All of it was in their environment.
Your data map must capture, per data element:
- The category: identifier, contact, financial, health, biometric, location, behavioural.
- Whether it belongs to a child, since DPDP requires verifiable parental consent for anyone under 18 and bans behavioural tracking and targeted advertising directed at children.
- The source: collected directly, purchased, inferred, or received from a partner.
- The storage system, including shadow copies in spreadsheets, backups, logs and analytics tools.
- The lawful basis and the specific purpose.
- The retention clock and its trigger event.
- Every internal role and external processor that can access it.
Layer 2: Consent that would survive a Board inquiry
DPDP recognises two broad grounds for processing: consent, and certain legitimate uses defined in the Act, such as an individual voluntarily providing data for a stated purpose, employment, medical emergencies and legal obligations. For most commercial processing you will rely on consent, and the bar is specific. Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action.
Read that again. Unconditional means you cannot bundle consent to marketing with the delivery of the core service. Pre-ticked boxes are dead. A single blanket consent covering eleven unrelated purposes is dead. Every request must be accompanied by, or preceded by, a notice in plain language, and the draft Rules require you to offer that notice in English and the languages of the Eighth Schedule to the Constitution. The individual must be able to withdraw consent as easily as they gave it, and withdrawal must be as frictionless as the sign-up.
The artefact that fails audits here is the consent record itself. When the Board asks you to prove that a specific person consented to a specific purpose on a specific date under a specific notice version, can you produce it? Most consent management is a checkbox that writes true to a database column with no timestamp, no notice version and no audit trail. That is not a consent record. That is a rumour.
| Consent failure | What auditors find | The fix |
|---|---|---|
| Bundled consent | One tick covers service plus marketing plus analytics | Granular, purpose-by-purpose toggles |
| No versioning | Notice was reworded but old consents not re-collected | Version every notice; link each consent to a version |
| Withdrawal friction | Sign-up is one click, opt-out is an email to support | Self-service withdrawal in the same interface |
| No provenance | Cannot show when or under what notice consent was given | Immutable consent log with timestamp and notice ID |
Layer 3: Retention, the silent liability
Every record you keep past its purpose is a liability with no upside. DPDP requires you to erase personal data once the purpose is served and retention is no longer necessary for a legal obligation, unless another law compels you to keep it. The draft Rules go further for large platforms, proposing a default erasure of certain data after the Data Principal has been inactive for a defined period, with prior notice before deletion.
This collides head-on with sector rules you already follow. The RBI KYC Master Direction requires you to retain KYC records for five years after the business relationship ends. The Prevention of Money Laundering Act mandates similar retention. SEBI, IRDAI and tax law each impose their own clocks. DPDP does not override these; it sits alongside them. So your retention schedule must map, per data category, the maximum permitted retention under DPDP against the minimum required retention under sector law, and resolve the conflict explicitly.
- Build a retention matrix: data category, DPDP position, sector-law requirement, final retention decision, deletion trigger.
- Implement automated deletion or anonymisation jobs. Manual quarterly purges do not survive scrutiny.
- Extend retention rules to backups and logs, not just the primary database. A record you deleted from production but kept in a two-year backup is still retained.
- Anonymise where you can. Truly anonymised data falls outside the Act, but pseudonymised data that can be re-linked does not.
Layer 4: Answering a Data Principal on the clock
Individuals can ask you what data you hold about them, request correction and completion, request erasure, and raise grievances. They can also nominate someone to exercise these rights on their behalf in the event of death or incapacity. The draft Rules attach timelines, and grievance redressal in particular has a defined response window that you must publish and meet.
The operational trap is that a rights request is not a legal task, it is a data task. To answer an access request honestly, you must pull every fragment of that person's data from all forty-one systems your map revealed. If you have not built the map, you cannot answer the request, and a missed request is itself a compliance event. Build a rights-fulfilment runbook now, with named owners, a ticketing workflow, an identity-verification step, and a hard SLA measured in days.
Layer 5: The processor obligations hiding in your contracts
This is the layer companies discover last and regret most. You remain the Data Fiduciary even when a vendor does the processing. That means every processor must be bound by a valid contract that restricts them to your documented instructions, and you are responsible for their security failures. When was the last time you read the data-processing terms of your CRM, your analytics platform, your SMS gateway or your offshore support desk?
A retail client of mine had a clean internal environment and still failed the assessment, because their loyalty programme was run by a third party that was quietly reselling aggregated purchase data to advertisers. Under the old regime, arguable. Under DPDP, that is the client's liability, because the client is the Fiduciary and never authorised or even knew about the onward sharing. Sub-processors are the blind spot. Your vendor's vendor is still your problem.
- Inventory every processor and, critically, every sub-processor they engage.
- Insert DPDP-compliant clauses: processing limited to instructions, security obligations, breach notification to you within a fixed window, deletion on termination, and audit rights.
- Require processors to notify you of any personal data breach immediately, because your reporting clock starts the moment you become aware.
- Assess cross-border flows. DPDP permits transfers except to countries the Central Government specifically restricts, but sector regulators such as RBI still mandate that payment data be stored in India.
Layer 6: Breach reporting, the unforgiving clock
This is where DPDP is stricter than most people realise, and where it stacks on top of an obligation you may already have missed. Under the draft DPDP Rules, on becoming aware of a personal data breach you must notify affected Data Principals without delay, and notify the Data Protection Board within seventy-two hours, with an initial description followed by fuller details. Separately, the CERT-In Directions of April 2022 already require reporting of cyber incidents to CERT-In within six hours. These are two different regulators, two different clocks, one incident.
Six hours is brutal if you are not ready. What actually sinks companies is not the reporting itself; it is detection. You cannot report a breach you have not noticed. I have investigated incidents where attackers exfiltrated data for weeks and the first the company heard of it was a customer complaint or a dark-web listing. If your logging, alerting and monitoring cannot tell you a breach is happening in near real time, your seventy-two-hour and six-hour clocks are meaningless because they never start on time.
| Obligation | Regulator | Deadline | Trigger |
|---|---|---|---|
| Cyber incident report | CERT-In | 6 hours | Awareness of the incident |
| Board notification | Data Protection Board | 72 hours (draft Rules) | Awareness of the personal data breach |
| Data Principal notification | Directly to individuals | Without delay | Awareness of the breach affecting them |
| Sector breach report (banks) | RBI | 2 to 6 hours per RBI norms | Detection of the incident |
Layer 7: Governance, and the Significant Data Fiduciary question
The Central Government can classify certain organisations as Significant Data Fiduciaries based on volume and sensitivity of data, risk to Data Principals and other factors. If you are notified as one, additional duties apply: you must appoint a Data Protection Officer based in India who reports to the board, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments. Even if you are not an SDF, appointing a clear owner and running impact assessments on high-risk processing is the difference between a programme and a paper.
Governance is what makes the other six layers defensible. When the Board comes calling, they will not just ask whether you had controls. They will ask who owned them, how you tested them, and how you proved they worked. Accountability under DPDP is demonstrable accountability, not asserted accountability.
The 90-day fix-it checklist
If you do nothing else this quarter, do this, in this order. Each item unblocks the next.
- Run an automated data-discovery scan across production, cloud storage, endpoints and shared drives. Trust the tool, not the org chart.
- Build the data map: category, purpose, lawful basis, location, retention, recipients, per element.
- Flag every child and sensitive-data flow separately; these carry the highest exposure.
- Rebuild consent as granular, versioned and withdrawable, with an immutable consent log.
- Draft the retention matrix reconciling DPDP against RBI, PMLA, SEBI, IRDAI and tax retention.
- Automate deletion and anonymisation jobs across production, backups and logs.
- Stand up a rights-fulfilment runbook with named owners and a hard SLA.
- Re-paper every processor contract with DPDP clauses and map all sub-processors.
- Wire breach detection to alerting, and pre-write the 6-hour CERT-In and 72-hour Board notification templates.
- Appoint an accountable owner, and if you are likely an SDF, a board-reporting DPO and an independent auditor.
- Run a DPIA on your two highest-risk processing activities and keep the evidence.
Back to that unanswered question
The board that could not tell me who could read a customer's phone number was not negligent. They were normal. Almost every Indian company is in exactly that position, because for fifteen years the rules rewarded policy over practice. DPDP inverts that. It rewards companies that know their data cold and punishes those who only know their policy. Start with the map, and the rest of the Act stops being abstract.
At CyberSigma, we run DPDP gap assessments and readiness programmes hands-on as senior CERT-In empanelled auditors and PCI QSAs, sitting in your environment and building the artefacts with your team rather than handing you a template. If you want a second set of eyes on where your seven layers actually stand, that is the work we do.
FAQs
When does the DPDP Act come into force and what should we do now?
The Act was passed in 2023, and the operative obligations take effect as the Government notifies provisions and finalises the DPDP Rules, which were published in draft in 2025 with phased timelines. The sensible position is to treat enforcement as imminent. Building the data map and consent infrastructure takes months, so the readiness work should already be underway regardless of the exact commencement date.
What is the difference between a Data Fiduciary and a Data Processor?
A Data Fiduciary decides why and how personal data is processed and carries the primary legal accountability. A Data Processor processes data only on the Fiduciary's documented instructions, such as a cloud host or a BPO. If you decide the purpose, you are the Fiduciary, and you remain liable even for a processor's failures, which is why processor contracts and sub-processor oversight are non-negotiable.
How large are the penalties under the DPDP Act?
Penalties are set out in the Schedule to the Act and are levied per instance by the Data Protection Board. The headline figure is up to 250 crore rupees for failing to take reasonable security safeguards to prevent a breach. Other failures, such as breach-notification lapses or children's-data violations, carry their own penalty ceilings. Because penalties are per-instance and reach the audit committee, they are a board-level financial risk, not a compliance footnote.
Does DPDP replace the RBI, SEBI and IRDAI data rules we already follow?
No. DPDP sits alongside sector regulation rather than overriding it. Where a sector law compels retention, such as the RBI KYC five-year rule or PMLA record-keeping, that obligation continues and can override DPDP's erasure expectation for those specific records. Your retention matrix must reconcile both, and your breach reporting must satisfy both the Data Protection Board and your sector regulator on their separate clocks.
How do the DPDP and CERT-In breach timelines work together?
They are two separate obligations triggered by one incident. The CERT-In Directions of 2022 require reporting of cyber incidents within six hours of becoming aware. The draft DPDP Rules require notifying the Data Protection Board within seventy-two hours and affected individuals without delay. You should pre-build templates and an escalation runbook for both, because the practical bottleneck is detection: you cannot start either clock until your monitoring tells you a breach has occurred.
What consent do we need for processing children's data?
The Act treats anyone under 18 as a child and requires verifiable parental or guardian consent before processing their personal data. It also prohibits processing that is likely to cause harm to a child, and prohibits behavioural tracking and targeted advertising directed at children. This means you need reliable age assurance and a distinct consent flow, and any product with under-18 users should flag that data category as high-risk in the data map from day one.
Liked the post? Share on:





Leave A Comment