We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / DPDP Act
MeitY, Government of India · India

DPDP Act, 2023 (India)

India’s data-protection law governing the personal data of data principals.

Introduction: The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (the 'DPDP Act' or 'the Act') is India's first comprehensive, horizontal data protection legislation. Enacted by Parliament and notified in the Gazette of India on 11 August 2023, it establishes a rights-based framework governing the processing of digital personal data within India, and — in defined circumstances — the processing of Indian residents' personal data outside India. The Act repeals Section 43A of the Information Technology Act, 2000 and its subordinate SPDI Rules (2011), replacing a narrow reasonable-security-practices regime with a principles-driven consent and accountability model broadly comparable to the EU General Data Protection Regulation (GDPR), though materially lighter in obligations and simpler in structure.

This Knowledge Center guide is written for boards, Data Protection Officers, privacy programme leads, legal counsel and security auditors who must operationalise DPDP compliance. It provides an auditor-grade decomposition of every obligation in the Act, a master assessment checklist mapping each duty to verifiable evidence, a phased implementation roadmap, a maturity model, and cross-mappings to GDPR, ISO/IEC 27701, ISO/IEC 27001 and the SPDI Rules. Because the Act is intentionally concise (44 sections across nine chapters) and delegates operational detail to the Digital Personal Data Protection Rules, this guide reflects both the primary legislation and the substance of the Draft DPDP Rules published for consultation by MeitY on 3 January 2025. Where an obligation depends on subordinate rule-making not yet finally notified, this is flagged explicitly.

Source and copyright note
The DPDP Act, 2023 is a statute of the Government of India (Ministry of Electronics and Information Technology, MeitY) and is Crown/Government material published in the Gazette of India; the bare Act text is in the public domain. However, this guide contains original analysis, checklists and interpretation authored by CyberSigma and must not be treated as legal advice. Section numbers, definitions and terminology herein are paraphrased for guidance; always cite the official Gazette text and the finally notified DPDP Rules for legal certainty. This document does not reproduce any proprietary or licensed third-party standard text.

What is the DPDP Act?

The DPDP Act, 2023 regulates the processing of 'digital personal data' — personal data in digital form, or personal data that is digitised after collection in non-digital form. 'Personal data' means any data about an individual who is identifiable by or in relation to such data. The Act adopts an omnibus, technology-neutral approach: unlike the SPDI Rules, it does not create a special category of 'sensitive personal data', treating all personal data under a single regime (with heightened obligations for children's and persons-with-disability data).

The Act's architecture rests on a small number of defined actors and a core set of principles:

  • Data Principal — the individual to whom the personal data relates (includes, for a child, the parent/lawful guardian, and for a person with disability, the lawful guardian).
  • Data Fiduciary — any person who, alone or with others, determines the purpose and means of processing personal data (analogous to a GDPR 'controller').
  • Significant Data Fiduciary (SDF) — a Data Fiduciary or class notified by the Central Government based on volume/sensitivity of data, risk to rights, sovereignty, electoral democracy, security of the State and public order; subject to enhanced obligations.
  • Data Processor — any person who processes personal data on behalf of a Data Fiduciary (analogous to a GDPR 'processor').
  • Consent Manager — a registered, accountable entity through which a Data Principal can give, manage, review and withdraw consent via an accessible, interoperable platform.
  • Data Protection Board of India (the 'Board') — the adjudicatory body that determines non-compliance and imposes monetary penalties.

Processing must rest on a lawful basis: either the free, specific, informed, unconditional and unambiguous consent of the Data Principal (signalled by a clear affirmative action), or one of the enumerated 'legitimate uses' (formerly styled 'deemed consent'). Every consent-based collection must be preceded or accompanied by a clear notice. The Act confers rights on Data Principals (access, correction, erasure, grievance redressal, nomination) and imposes duties on them (not to file false or frivolous complaints, not to impersonate, not to suppress material information). Penalties are significant — up to INR 250 crore per instance for failure to implement reasonable security safeguards resulting in a personal data breach.

Extra-territorial and cross-border scope
The Act applies to processing of digital personal data within India, and to processing outside India where it is in connection with offering goods or services to Data Principals within India. Cross-border transfer follows a 'blacklist' (negative-list) model: transfer is permitted to all countries except those specifically restricted by the Central Government — a notable divergence from GDPR's 'whitelist' adequacy model.

Who must comply with the DPDP Act?

The Act's material and territorial scope is broad. Any organisation that determines the purpose and means of processing digital personal data of individuals in India is a Data Fiduciary and is in scope, regardless of sector, size or whether it charges a fee. The following table summarises applicability by actor and scenario.

Who / scenarioIn scope?Key obligations triggered
Data Fiduciary processing personal data of individuals in IndiaYesFull Chapter II duties: notice, consent/legitimate use, security safeguards, breach notification, retention limits, grievance redressal, accuracy.
Foreign entity offering goods/services to individuals in IndiaYes (extra-territorial)All Data Fiduciary duties; likely to require Indian grievance contact and cross-border compliance.
Significant Data Fiduciary (notified by Government)Yes, enhancedAppoint India-based DPO, independent data auditor, periodic DPIA and audit, algorithmic-risk assessment, and any additional measures notified.
Data Processor acting for a FiduciaryYes, contractuallyMust process only under a valid contract; implement security safeguards; assist Fiduciary; no independent lawful basis needed but liable for breaches.
Consent ManagerYesRegister with the Board; meet net-worth, technical, transparency and fiduciary-duty conditions to Data Principals.
Startup / small Data FiduciaryYes, but relaxations possibleGovernment may notify certain provisions as inapplicable to notified classes (e.g., some notice/retention/DPO duties).
State and its instrumentalitiesYes, with exemptionsBroad exemptions available for sovereignty, security, public order and specified state functions.
Processing of purely personal/domestic personal data by an individualNoExempt — personal or domestic purpose.
Personal data made publicly available by the Data Principal or under a legal dutyNoExempt from the Act's obligations.

Note that the Act does not distinguish sensitive from ordinary personal data for scoping purposes; the single trigger is whether digital personal data of an individual is being processed. Children's data (individuals under 18) carries additional obligations: verifiable parental/guardian consent, and a prohibition on tracking, behavioural monitoring and targeted advertising directed at children (subject to notified exemptions).

Structure of the DPDP Act (chapters, duties and controls)

The Act comprises nine chapters and 44 sections. For assessment purposes it is more useful to organise obligations into control domains that map to how a privacy programme is actually built and audited. The following table maps the statutory chapters to auditable control domains and representative section references.

Control domainStatutory basis (chapter / section)Core requirement summary
D1 Lawful basis and consentCh. I s.2-4; Ch. II s.6, s.7Establish consent (free, specific, informed, unconditional, unambiguous, affirmative) or a legitimate use for every processing purpose.
D2 Notice and transparencyCh. II s.5Provide clear notice of data collected, purpose, rights exercise, complaint mechanism and Board access; make available in English and 22 Eighth-Schedule languages.
D3 Data Principal rightsCh. III s.11-14Enable access, correction, completion, updating, erasure, grievance redressal and nomination.
D4 Data Principal dutiesCh. III s.15Prohibit false/frivolous complaints, impersonation and suppression of material information.
D5 General obligations of Data FiduciaryCh. II s.8Accuracy, completeness, security safeguards, breach handling, retention limits, published grievance contact, accountability.
D6 Security safeguardsCh. II s.8(5)Implement reasonable technical and organisational measures to prevent personal data breach.
D7 Personal data breach managementCh. II s.8(6)Detect, contain and notify the Board and each affected Data Principal of a personal data breach.
D8 Data retention and erasureCh. II s.8(7)-(8)Erase personal data on consent withdrawal or purpose fulfilment, unless retention is legally required.
D9 Processor governanceCh. II s.8(2)Engage processors only under a valid contract; ensure downstream compliance.
D10 Children and persons with disabilityCh. II s.9Obtain verifiable parental/guardian consent; no harmful processing, tracking or targeted advertising to children.
D11 Significant Data Fiduciary obligationsCh. II s.10DPO, independent data auditor, DPIA, periodic audit, algorithmic and other notified measures.
D12 Cross-border data transferCh. II s.16Transfer permitted except to countries restricted by the Central Government (negative list).
D13 ExemptionsCh. IV s.17Apply statutory exemptions (state functions, legal claims, research/archiving, startups, etc.) where valid.
D14 Consent ManagerCh. II s.6(7)-(9); RulesWhere used, ensure registration, interoperability and fiduciary duty to the Data Principal.
D15 Grievance and Board interfaceCh. V-VI s.18-28Operate grievance redressal; cooperate with the Data Protection Board's inquiries and directions.
D16 Penalties and accountabilityCh. VIII ScheduleMaintain evidence of compliance to mitigate penalties up to INR 250 crore per breach.

Master assessment checklist — every domain, control and requirement

This is the core of the guide. Each control domain (D1-D16) is decomposed into specific, testable requirements. For every domain there is a table of 'What to verify' against 'Typical evidence'. An assessor should be able to score each line as Compliant, Partially Compliant, Non-Compliant or Not Applicable, and attach the evidence artefact referenced. Do not skip domains marked as conditional (e.g., SDF, Consent Manager) — record them as Not Applicable with justification if they do not apply.

D1 — Lawful basis and consent (s.6, s.7)

What to verifyTypical evidence
Every processing activity has a documented lawful basis (consent or a specific legitimate use).Record of Processing Activities (RoPA); data-mapping register listing basis per purpose.
Consent is free, specific, informed, unconditional, unambiguous and signalled by clear affirmative action.Consent-capture UI screenshots; opt-in logs; consent copy review; no pre-ticked boxes.
Consent is limited to data necessary for the specified purpose (data minimisation at consent).Purpose-to-field mapping; DPIA notes; UX walkthrough.
Consent requests are decoupled from acceptance of unrelated terms.Terms of service; consent flow separation review.
Withdrawal of consent is as easy as giving it, with defined downstream consequences.Consent-withdrawal mechanism demo; withdrawal logs; cessation-of-processing workflow.
Legitimate uses relied upon are within the s.7 enumerated list (e.g., voluntary provision, State benefits, medical emergency, employment, specified public interest).Legitimate-use justification memo per purpose; legal sign-off.
Where consent predates the Act, a compliant fresh notice was issued as soon as reasonably practicable.Re-consent notice records; dispatch logs; timestamps.

D2 — Notice and transparency (s.5)

What to verifyTypical evidence
Notice itemises the personal data to be collected and the purpose of processing.Published privacy notice; layered notice; version history.
Notice explains how to exercise rights and lodge a complaint with the Data Fiduciary.Rights-exercise section of notice; grievance contact details.
Notice explains how to make a complaint to the Data Protection Board.Board escalation clause in notice.
Notice is available in English and each language listed in the Eighth Schedule to the Constitution.Language versions; translation records; language selector.
For consent obtained before the Act, retrospective notice was provided.Retrospective notice log.
Notice is provided at or before the point of collection.Collection-point UX capture; timestamps.

D3 — Data Principal rights (s.11-14)

What to verifyTypical evidence
Right to access: Data Principal can obtain a summary of personal data processed and processing activities, plus identities of Fiduciaries/Processors with whom shared.Access-request procedure; sample fulfilled request; response templates.
Right to correction, completion and updating of personal data.Correction workflow; audit trail of changes.
Right to erasure on withdrawal or where no longer necessary.Erasure workflow; deletion certificates; retention exceptions log.
Readily available grievance redressal mechanism with defined response period.Grievance policy; SLA definition; ticketing metrics.
Right to nominate an individual to exercise rights in event of death or incapacity.Nomination facility; nomination records.
Identity verification for rights requests without excessive friction.Verification procedure; DPIA of verification method.
Requests fulfilled within the timeline prescribed by the Rules.Response-time metrics; escalation records.

D4 — Data Principal duties (s.15)

What to verifyTypical evidence
Terms communicate Data Principal duties (no false complaints, no impersonation, no suppression of material information).Terms of service; consent notice clause.
Mechanism to flag and handle potentially false or frivolous complaints without deterring genuine ones.Complaint triage procedure; audit log.

D5 — General obligations of the Data Fiduciary (s.8)

What to verifyTypical evidence
Reasonable efforts ensure personal data is accurate and complete, especially where used for decisions or disclosed.Data-quality controls; validation rules; correction rates.
A published business contact / grievance officer is identified for Data Principal communications.Website contact page; DPO/officer designation.
The Fiduciary remains accountable for processing by its Processors.Processor oversight records; audit reports.
Compliance is demonstrable through documentation and governance.Privacy governance charter; RoPA; policy set; board minutes.
Personal data is processed only for the purpose for which consent/legitimate use was established (purpose limitation).Purpose-mapping register; access controls; DLP monitoring.

D6 — Security safeguards (s.8(5))

What to verifyTypical evidence
Reasonable technical and organisational security measures are implemented to prevent a personal data breach.Information security policy; ISO 27001 SoA; control catalogue.
Encryption, tokenisation or masking applied to personal data at rest and in transit as appropriate.Encryption standards; TLS configuration; key-management records.
Access control on a least-privilege / need-to-know basis with periodic review.IAM policy; access-review logs; RBAC matrix.
Logging and monitoring to detect unauthorised access or processing.SIEM configuration; log-retention policy; alerting evidence.
Backups and disaster-recovery to preserve availability and enable restoration.Backup schedule; DR test reports.
Contractual imposition of equivalent safeguards on Processors.Data-processing agreements; security schedules.
Reasonable measures continue after a breach to prevent recurrence.Post-incident remediation records.

D7 — Personal data breach management (s.8(6))

What to verifyTypical evidence
A documented breach-detection and response process exists.Incident-response plan; runbooks.
Ability to notify the Data Protection Board of a personal data breach in the prescribed form and time.Board-notification template; notification log; timelines.
Ability to notify each affected Data Principal with prescribed particulars (nature, likely consequences, mitigation, contact).Data Principal notification template; dispatch records.
Breach register maintained with root-cause and remediation.Breach register; RCA reports.
Processor obligation to report breaches to the Fiduciary without delay.DPA breach-reporting clause; processor incident logs.
Tabletop exercises and breach drills conducted periodically.Exercise reports; lessons-learned.

D8 — Data retention and erasure (s.8(7)-(8))

What to verifyTypical evidence
A retention schedule defines retention periods per data category and purpose.Retention schedule; data-classification register.
Personal data is erased once the purpose is served or consent is withdrawn, unless legally required.Automated deletion jobs; erasure logs; legal-hold register.
Special retention/erasure rules for e-commerce, online gaming and social-media intermediary classes (per Rules) are applied.Class-specific retention configuration; notice-before-erasure records.
Data Principals are notified before erasure where required, giving opportunity to re-engage.Pre-erasure notification records.
Retention exceptions are documented and time-bound.Legal-hold justifications; review dates.

D9 — Processor governance (s.8(2))

What to verifyTypical evidence
Every Processor is engaged under a valid, written contract.Executed data-processing agreements.
Contracts flow down purpose limitation, security, breach reporting, sub-processing controls and assistance duties.DPA clauses; sub-processor approval records.
Sub-processors are authorised and equivalently bound.Sub-processor list; back-to-back agreements.
Processor due diligence and periodic assurance is performed.Vendor risk assessments; audit reports; certifications.
On termination, Processors return or delete personal data.Deletion/return certificates.

D10 — Children and persons with disability (s.9)

What to verifyTypical evidence
Verifiable parental consent obtained before processing a child's personal data (under 18).Age-verification and parental-consent flow; verification logs.
No processing likely to cause detrimental effect on the well-being of a child.Child-impact assessment; policy.
No tracking, behavioural monitoring or targeted advertising directed at children (subject to notified exemptions).Ad-targeting configuration; suppression rules; audit.
Verifiable guardian consent obtained for persons with disability where lawful guardianship applies.Guardian-verification records.
Where an exemption for a class of Fiduciary or purpose applies, it is validly documented.Exemption memo referencing notified rule.

D11 — Significant Data Fiduciary obligations (s.10)

What to verifyTypical evidence
A Data Protection Officer based in India is appointed and reports to the board/governing body.DPO appointment letter; reporting line; contact publication.
An independent data auditor is appointed to evaluate compliance.Auditor engagement; independence declaration.
Periodic Data Protection Impact Assessments are conducted.DPIA reports; risk registers.
Periodic compliance audits are conducted and reported.Audit reports; board review minutes.
Assessment of risks from algorithmic software and other measures notified by Government.Algorithmic-risk assessments; model documentation.
Additional measures notified for SDFs (e.g., localisation, verification) are implemented.Evidence per applicable notification.

D12 — Cross-border data transfer (s.16)

What to verifyTypical evidence
Transfers to countries restricted by the Central Government are prevented.Transfer register; geo-restriction controls; restricted-country list monitoring.
Any sector-specific localisation requirements (e.g., RBI, insurance) are honoured in addition to the Act.Sectoral-compliance mapping; localisation evidence.
Transfer mechanisms and safeguards for overseas Processors are contractually assured.Cross-border DPA clauses; hosting-location records.

D13 — Exemptions (s.17)

What to verifyTypical evidence
Any exemption relied upon (State function, legal claim enforcement, judicial function, research/archiving/statistics, startup relaxation) is specifically identified and justified.Exemption justification memo; legal opinion.
Exempt processing is confined to the scope of the exemption and not used as a blanket carve-out.Scoping analysis; access controls.
Research/archiving/statistical exemptions meet any conditions prescribed by the Rules.Standards compliance record.

D14 — Consent Manager (s.6(7)-(9))

What to verifyTypical evidence
Where a Consent Manager is used, it is registered with the Board and meets prescribed conditions.Registration certificate; net-worth and technical criteria evidence.
The Consent Manager operates an accessible, transparent, interoperable platform for giving, managing and withdrawing consent.Platform documentation; interoperability standard adherence.
The Consent Manager acts in a fiduciary capacity toward the Data Principal and avoids conflicts of interest.Fiduciary-duty policy; conflict-of-interest controls.
Consent records are auditable and available to the Data Principal.Consent-artefact logs; audit trail.

D15 — Grievance and Data Protection Board interface (s.13, s.18-28)

What to verifyTypical evidence
Grievance redressal is operational, published and meets the response timeline in the Rules.Grievance policy; SLA metrics; ticket exports.
Data Principals must first approach the Fiduciary/Consent Manager before the Board (exhaustion of remedy).Grievance escalation path documentation.
Cooperation with Board inquiries, directions and information requests is planned for.Regulatory-response playbook; single point of contact.
Voluntary undertakings and remediation directions can be tracked to closure.Undertaking register; remediation tracker.

D16 — Penalties and accountability (Schedule)

What to verifyTypical evidence
Compliance is continuously evidenced to demonstrate reasonable measures and mitigate penalties.Accountability framework; evidence repository; management reviews.
The organisation understands penalty exposure per obligation (see penalty table).Penalty risk register; board briefing.
Financial safeguards, if any (e.g., cyber-insurance), account for DPDP penalty exposure.Insurance schedule; risk-transfer analysis.

The Act's Schedule prescribes maximum monetary penalties. Assessors should quantify exposure per obligation:

Breach of obligationIndicative maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breachUp to INR 250 crore
Failure to notify the Board and affected Data Principals of a personal data breachUp to INR 200 crore
Breach of additional obligations relating to childrenUp to INR 200 crore
Breach of additional obligations of a Significant Data FiduciaryUp to INR 150 crore
Breach of a Data Principal's dutiesUp to INR 10,000
Breach of terms of a voluntary undertakingUp to the amount otherwise applicable
Any other breach of the Act or RulesUp to INR 50 crore

Scoping the assessment

Accurate scoping determines audit effort and defensibility. Because the Act applies to all digital personal data (not a sensitive subset), scoping is driven by data flows, systems and legal entities rather than by data category alone.

  1. Enumerate legal entities and territories: identify every entity processing personal data of individuals in India, including foreign entities offering goods/services into India.
  2. Build the data inventory: catalogue personal data elements, systems, applications and repositories (structured and unstructured).
  3. Map data flows: document collection points, internal processing, third-party sharing, Processors, sub-processors and cross-border transfers.
  4. Identify the role for each flow: Data Fiduciary, joint Fiduciary, or Processor — and record the lawful basis.
  5. Determine SDF likelihood: assess volume, sensitivity, and risk factors that could trigger Significant Data Fiduciary notification, and pre-emptively adopt SDF-grade controls if borderline.
  6. Assess children's/guardian data exposure: flag any service reasonably accessed by under-18s.
  7. Identify exemptions: record any s.17 exemptions and their precise scope.
  8. Define the assessment boundary: in-scope systems, entities, processors and geographies, with documented exclusions and rationale.
Scoping tip
Treat the absence of a 'sensitive data' category as widening, not narrowing, scope. Fields you may have historically excluded from SPDI-based programmes (e.g., names, contact details, identifiers) are all in scope under DPDP. Conversely, the domestic-purpose and publicly-available-data exemptions can meaningfully reduce scope where properly evidenced.

Implementation approach (phased)

A defensible DPDP programme is best delivered in five phases. Each phase lists key activities and deliverables. Timelines assume a mid-sized enterprise and should be compressed for SDFs given the enforcement runway following final Rule notification.

Phase 1 — Mobilise and discover (Weeks 1-4)

  • Activities: appoint programme sponsor and (for likely SDFs) DPO; establish governance and RACI; conduct DPDP awareness for leadership; launch data-discovery across systems.
  • Deliverables: programme charter; RACI matrix; preliminary data inventory; entity/role register; gap-assessment plan.

Phase 2 — Assess and design (Weeks 4-10)

  • Activities: complete the master assessment checklist (D1-D16); build RoPA and data-flow maps; perform DPIAs on high-risk processing; design consent, notice and rights-handling architecture.
  • Deliverables: gap-assessment report with risk-rated findings; RoPA; DPIA reports; target operating model; remediation roadmap.

Phase 3 — Remediate and build (Weeks 10-20)

  • Activities: deploy consent-capture and consent-management (or integrate a registered Consent Manager); publish multilingual notices; implement rights-fulfilment workflows; harden security safeguards; execute retention and erasure automation; renegotiate Processor contracts.
  • Deliverables: consent platform; published notices in required languages; DSAR/rights tooling; updated DPAs; retention automation; security control uplift evidence.

Phase 4 — Operationalise and assure (Weeks 20-28)

  • Activities: stand up breach-response and Board-notification runbooks; run breach tabletop; establish grievance SLA operations; (for SDFs) appoint independent data auditor and schedule periodic audit and algorithmic-risk assessments; train staff.
  • Deliverables: incident-response and breach-notification playbooks; grievance operating procedure; audit schedule; training completion records; KPI dashboard.

Phase 5 — Monitor and improve (Continuous)

  • Activities: monitor KPIs; track Rule notifications and Board directions; conduct periodic re-assessment; manage change (new products, vendors, transfers); maintain evidence repository.
  • Deliverables: quarterly compliance report to board; updated RoPA and DPIAs; continuous-improvement register; regulatory-change log.

Maturity and capability model

To measure programme maturity, CyberSigma applies a five-level capability model across each control domain. Scoring each domain on this scale produces a heat-map that prioritises remediation and evidences trajectory to the board and (for SDFs) the independent auditor.

LevelNameCharacteristicsIllustrative DPDP indicator
0AbsentNo awareness or controls; DPDP not on the agenda.No data inventory; consent not captured; no notice.
1Initial / Ad hocReactive, undocumented, person-dependent efforts.Some privacy notices exist but are inconsistent; rights handled case-by-case.
2DevelopingDocumented policies for key domains; partial implementation.RoPA started; consent UI in flagship product; retention schedule drafted.
3DefinedStandardised, organisation-wide processes with ownership.Consent, notice, rights, breach and retention operating across systems; DPAs in place.
4ManagedMetrics-driven; monitored SLAs; periodic audit and DPIA.KPI dashboard; tabletop drills; SDF-grade DPO and audit; measured DSAR SLAs.
5OptimisingContinuous improvement; automation; privacy-by-design embedded.Automated erasure; privacy-by-design gate in SDLC; predictive breach analytics; interoperable consent.

Assessment and audit approach

CyberSigma conducts DPDP assessments using a structured, evidence-based methodology aligned to the master checklist. For Significant Data Fiduciaries, the same methodology underpins the statutory independent audit under s.10.

  1. Initiation and scoping: confirm entities, systems, geographies and roles; agree assessment boundary and success criteria.
  2. Documentation review: examine policies, RoPA, notices, consent records, DPAs, DPIAs, retention schedules and incident logs.
  3. Data-flow validation: trace representative personal-data journeys end-to-end, including cross-border and processor legs.
  4. Control testing: test each D1-D16 requirement against 'What to verify', sampling live records (consent artefacts, DSAR fulfilment, deletion logs).
  5. Technical assessment: review security safeguards — encryption, access control, logging, backups — and, for SDFs, algorithmic-risk exposure.
  6. Interviews and walkthroughs: corroborate operating effectiveness with process owners across privacy, security, legal and product.
  7. Gap analysis and risk rating: rate each finding by likelihood and impact, mapped to penalty exposure.
  8. Reporting: deliver a findings report with a prioritised, costed remediation roadmap and maturity heat-map.
  9. Remediation validation: re-test remediated controls and confirm closure.
  10. Ongoing assurance: agree the periodic re-assessment / audit cadence and regulatory-change monitoring.

Evidence request list

The following categorised list is the standard evidence pack an assessor will request. Assemble it before the assessment to compress timelines.

  • Governance: privacy governance charter; RACI; board/committee minutes; DPO appointment (if applicable); privacy policy suite.
  • Inventory and mapping: Record of Processing Activities (RoPA); data inventory; data-flow diagrams; systems catalogue; cross-border transfer register.
  • Lawful basis and consent: consent-capture screenshots and copy; consent logs; withdrawal logs; legitimate-use justification memos.
  • Notice: published privacy notices; layered/just-in-time notices; language versions (Eighth Schedule); version history.
  • Data Principal rights: DSAR/rights procedures; sample fulfilled requests (access, correction, erasure); nomination facility; grievance SLA metrics.
  • Security: information security policy; ISO 27001 SoA (if held); encryption and key-management standards; IAM and access-review logs; SIEM/logging configuration; backup and DR test reports.
  • Breach management: incident-response plan; breach register; RCA reports; Board and Data Principal notification templates; tabletop reports.
  • Retention and erasure: retention schedule; deletion job logs; legal-hold register; pre-erasure notification records.
  • Processors and third parties: executed DPAs; sub-processor list; vendor risk assessments; deletion/return certificates.
  • Children and disability: age-verification and parental-consent design; ad-targeting suppression evidence; guardian-verification records.
  • SDF-specific: DPIA reports; independent auditor engagement and reports; algorithmic-risk assessments; periodic audit reports.
  • Training and awareness: training materials; completion records; phishing/breach-drill results.

Roles and responsibilities

Clear accountability is a statutory and practical necessity. The following RACI-style table sets out typical roles in a DPDP programme.

RolePrimary responsibilitiesDPDP relevance
Board / Governing bodyApprove privacy strategy, risk appetite and budget; oversee accountability.Ultimate accountability; DPO reports to board in SDFs.
Data Protection Officer (DPO)Own privacy programme; act as contact point; oversee compliance and grievance escalation.Mandatory for SDFs (India-based); recommended otherwise.
Chief Information Security Officer (CISO)Implement and maintain reasonable security safeguards; lead breach response.Owns s.8(5) safeguards and s.8(6) breach handling.
Legal / ComplianceInterpret the Act and Rules; manage exemptions, contracts and Board interface.Owns lawful basis, exemptions, DPAs, regulatory response.
Product / EngineeringEmbed privacy-by-design; build consent, notice, rights and erasure functionality.Delivers D1-D3, D8 in-product controls.
Data Owners / Business unitsMaintain data accuracy; apply purpose limitation and retention in their domains.Owns D5 accuracy and D8 retention operationally.
Grievance OfficerOperate the grievance redressal mechanism within SLA.Owns D3/D15 grievance handling.
Independent Data AuditorEvaluate SDF compliance objectively and report.Statutory role for SDFs under s.10.
Vendor / Processor managersEnsure processors are contractually bound and assured.Owns D9 processor governance.
All employeesHandle personal data per policy; report incidents.First line of defence; training-dependent.

KPIs to track

Measuring the programme demonstrates operating effectiveness and supports the accountability principle. Track at minimum:

  • Percentage of processing activities with a documented lawful basis in the RoPA.
  • Consent capture rate and consent-withdrawal fulfilment time.
  • Data Subject / Principal rights requests: volume, and percentage fulfilled within the prescribed timeline.
  • Grievance resolution rate and mean time to resolution against SLA.
  • Percentage of Processors under a compliant DPA; sub-processor approval coverage.
  • Number of personal data breaches; mean time to detect, contain and notify (Board and Data Principals).
  • Percentage of data assets covered by the retention schedule and automated erasure.
  • Percentage of records erased on schedule / on consent withdrawal.
  • Multilingual notice coverage (Eighth Schedule languages) across customer-facing surfaces.
  • DPIA coverage of high-risk processing; number of open high-risk DPIA findings.
  • Security-control coverage (encryption, access review completion, log coverage).
  • Training completion rate and time-to-completion for new joiners.
  • Maturity score per control domain (D1-D16) trend over time.

Readiness checklist

Use this checklist as a go/no-go gate before asserting DPDP readiness.

  • Entity and role register complete; every processing flow classified as Fiduciary or Processor.
  • RoPA and data-flow maps complete and current.
  • Lawful basis documented for every processing purpose; no reliance on pre-ticked or bundled consent.
  • Privacy notices published, layered and available in English and required Eighth Schedule languages.
  • Consent capture, management and withdrawal mechanisms operational (in-house or via registered Consent Manager).
  • Data Principal rights (access, correction, erasure, nomination) fulfilled through documented workflows within SLA.
  • Grievance redressal mechanism live, published and meeting the prescribed timeline.
  • Reasonable security safeguards implemented and evidenced (encryption, access control, logging, backups).
  • Breach-response and Board/Data Principal notification runbooks tested via tabletop.
  • Retention schedule enforced with automated erasure and legal-hold controls.
  • All Processors under compliant DPAs; sub-processors authorised and bound.
  • Children's and guardian consent controls in place where services reach under-18s; harmful/targeted processing suppressed.
  • SDF obligations addressed (DPO, independent auditor, DPIA, audit, algorithmic-risk) where applicable, else Not Applicable justified.
  • Cross-border transfers screened against the restricted-country list and sectoral localisation rules.
  • Accountability evidence repository maintained; board briefed on penalty exposure.

Common gaps observed

  • Carrying over SPDI-era thinking and treating only 'sensitive' data as in scope, leaving ordinary personal data ungoverned.
  • Consent that is bundled with terms of service, pre-ticked, or lacking a clear affirmative action — invalid under s.6.
  • No easy withdrawal mechanism, and no downstream cessation of processing when consent is withdrawn.
  • Privacy notices available only in English, missing the Eighth Schedule multilingual requirement.
  • No Record of Processing Activities, making lawful-basis mapping and accountability impossible to evidence.
  • Absent or untested breach-notification capability to the Board and to affected Data Principals within prescribed timelines.
  • Retention 'forever by default' — no schedule, no erasure automation, no pre-erasure notification.
  • Processor contracts lacking DPDP flow-down clauses (purpose limitation, security, breach reporting, sub-processing, deletion).
  • No age-assurance or parental-consent design in services reachably used by children; continued behavioural ad-targeting.
  • Under-preparation for Significant Data Fiduciary status — no India-based DPO, no independent auditor, no DPIA cadence.
  • Cross-border transfers assumed compliant without monitoring the restricted-country list or sectoral localisation rules.
  • Treating exemptions as blanket carve-outs rather than narrow, documented and scope-limited.
  • No demonstrable accountability evidence, weakening the ability to mitigate penalties before the Board.

DPDP Act mapped to other frameworks

Organisations rarely implement DPDP in isolation. The following mapping helps leverage existing GDPR, ISO/IEC 27701, ISO/IEC 27001 and legacy SPDI programmes, and highlights where DPDP diverges.

DPDP concept / obligationGDPR (EU) 2016/679ISO/IEC 27701:2019ISO/IEC 27001 / SPDI Rules 2011
Data FiduciaryController (Art. 4(7))PII ControllerBody corporate (SPDI)
Data ProcessorProcessor (Art. 4(8))PII ProcessorThird party / agency
Data PrincipalData SubjectPII PrincipalProvider of information
Consent (s.6)Consent (Art. 6(1)(a), Art. 7)Clause 7.2.3 / 7.3.x consentSPDI Rule 5 consent
Notice (s.5)Transparency / info (Art. 12-14)Clause 7.3.2 noticeSPDI Rule 4 privacy policy
Rights: access/correction/erasure (s.11-13)Arts. 15-17 rightsClause 7.3.x data subject rightsSPDI Rule 5(6) review/correction
Security safeguards (s.8(5))Art. 32 security of processingAnnex A controlsISO 27001 Annex A / SPDI Rule 8
Breach notification (s.8(6))Arts. 33-34 breach notificationIncident management controlsCERT-In directions (6-hour)
Retention/erasure (s.8(7)-(8))Storage limitation (Art. 5(1)(e))Clause 7.4.x retentionNo explicit SPDI equivalent
DPIA (SDF, s.10)Art. 35 DPIAClause 7.2.5 privacy impactNo explicit SPDI equivalent
DPO (SDF, s.10)Arts. 37-39 DPOGovernance rolesNo explicit SPDI equivalent
Cross-border transfer (s.16)Chapter V (Arts. 44-49) adequacyClause 7.5 transfer controlsNo explicit SPDI equivalent
Consent Manager (s.6)No direct equivalentNo direct equivalentNo equivalent
Supervisory / adjudicatory bodySupervisory authorities / EDPBN/A (management system)Adjudicating Officer (IT Act)

Key divergences to note: DPDP uses a negative-list (blacklist) model for cross-border transfers rather than GDPR adequacy; it has no separate sensitive-data category; it introduces the unique Consent Manager construct; and its enforcement is via the Data Protection Board rather than a network of supervisory authorities. An ISO/IEC 27701 privacy information management system provides an excellent operational backbone for DPDP, but does not by itself satisfy statutory obligations such as multilingual notice, Board breach notification, or SDF-specific duties.

How CyberSigma helps
CyberSigma is a CERT-In empanelled cybersecurity and privacy consultancy that operationalises DPDP Act compliance end-to-end. We run the master D1-D16 gap assessment, build your RoPA and data-flow maps, design compliant consent and multilingual notice architectures, stand up Data Principal rights and grievance workflows, implement reasonable security safeguards and breach-notification runbooks, and — for Significant Data Fiduciaries — provide DPO advisory, independent data audit, DPIA and algorithmic-risk assessment. Our SigmaGRC platform tracks every control, evidence artefact and KPI on a live maturity dashboard, giving your board defensible, audit-ready assurance and demonstrable accountability before the Data Protection Board of India. Engage CyberSigma to move from ad hoc to optimising with a costed, phased roadmap tailored to your risk profile and SDF status.
Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Frequently asked questions

What are the penalties under the DPDP Act?
The Schedule sets penalties up to ₹250 crore for failure to take reasonable security safeguards, ₹200 crore for breach-notification failures, and others — set by the Data Protection Board based on nature and gravity. Our DPDP penalty calculator estimates exposure.
Who is a data fiduciary vs a data processor?
A data fiduciary determines the purpose and means of processing (like a GDPR controller); a data processor processes on the fiduciary’s behalf.
Is the DPDP Act in force?
The Act is enacted; its detailed Rules and enforcement commence in stages. Organisations should prepare now, as the grace period ends when the Rules commence.

Need help with DPDP Act?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.