DPDPA Compliance Checklist for Indian Businesses
This checklist covers statutory obligations under the Digital Personal Data Protection Act, 2023 and operational evidence controls required to demonstrate DPDPA compliance. It is organised in two sections: Section 1 covers 15 areas of statutory and rule-based requirements including applicability, consent, notice, rights, breach notification, children's data, penalties, and cross-border transfers. Section 2 covers 12 operational governance areas including data inventory, rights management, security controls, vendor governance, and management reporting.
DPDPA Compliance Checklist
Based on the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025
Designed for organisations that collect, store, process, share, or handle digital personal data in India — or process such data outside India in connection with offering goods or services to Data Principals in India. The checklist separates legal obligations from operational evidence controls. The Act tells you what must be true; the Rules explain how; the evidence controls prove the wiring is connected.
⚠ Compliance-readiness guide only — not legal advice. Organisations in regulated sectors (banking, telecom, insurance, health, payments, employment) should validate sector-specific obligations separately.
Section 1 — Statutory and Rule-Based DPDPA Compliance
15 sections · 49 controls · DPDP Rules 2025 + DPDPA Act 2023
Confirm whether the organisation processes digital personal data within India or processes digital personal data outside India in connection with offering goods or services to Data Principals in India.
DPDPA applies to digital personal data, not every form of business data. Anonymised or non-personal business data should be assessed separately.
Identify whether the organisation acts as a Data Fiduciary, Data Processor, Consent Manager, or another relevant participant.
The primary accountability sits with the Data Fiduciary. Processors act on behalf of the Data Fiduciary.
Check whether the organisation or class of organisations has been notified as a Significant Data Fiduciary by the Central Government.
Do not assume SDF status. Additional SDF obligations apply only where notified.
Section 2 — Operational Evidence and Governance Checklist
12 sections · 41 controls · These are the evidence controls that prove statutory compliance is operational, not just documented.
Maintain a system-wise register of personal data collected, stored, processed, shared, archived, and deleted.
Do not call this a GDPR RoPA (Record of Processing Activities) unless your policy defines it that way. Use "DPDPA Processing Register."
Map each activity to purpose, data category, Data Principal category, lawful basis, owner, processor, retention, and transfer location.
This prevents "mystery processing." Mystery is fun in novels, not audits.
Document flow from collection to storage, use, sharing, archival, deletion, and processor handoff.
Include SaaS tools, APIs, data lake, BI reports, logs, backups, and exports.
Key Guardrails for This Checklist
1. DPDPA is not a blanket data localisation law
DPDPA permits transfer of personal data outside India except to countries or territories restricted by the Central Government. Localisation may still arise under sectoral laws, contractual obligations, or specific government notifications, but it should not be described as a general DPDPA mandate.
2. Consent must be provable
If consent is the basis of processing, the organisation should be able to prove notice, consent, purpose, timestamp, and withdrawal status. Consent without evidence is not a control; it is a hope with a checkbox.
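One way to make consent provable is an append-only, hash-chained consent log from which the notice version, purpose, timestamp and withdrawal status can be reproduced on demand. The block below is an added illustration written for this checklist, not code from the page or from any DPDPA tooling; the field names, the pseudonymous `principal_id`, the `notice_version` labels and the timestamps are constructed sample values, and the chain is a simple SHA-256 link over each event's canonical JSON.

```python
"""Consent evidence ledger (added example; field layout and sample data are assumptions).

Each consent event is chained to its predecessor by hash, so a later edit to any
stored record is detectable, and the evidence bundle for a principal/purpose pair
can be rebuilt from the log alone.
"""
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS_HASH = "0" * 64
_PAYLOAD_FIELDS = ("principal_id", "purpose", "notice_version", "action", "at")


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str    # pseudonymous identifier of the Data Principal
    purpose: str         # the specified purpose the consent relates to
    notice_version: str  # version of the notice shown before consent was taken
    action: str          # "grant" or "withdraw"
    at: str              # ISO-8601 UTC timestamp supplied by the caller
    prev_hash: str       # hash of the preceding event (chain link)
    hash: str            # SHA-256 over prev_hash + canonical JSON payload


def _digest(prev_hash: str, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only consent log; events are never edited or deleted in place."""

    def __init__(self):
        self.events = []

    def _append(self, **payload):
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        event = ConsentEvent(**payload, prev_hash=prev, hash=_digest(prev, payload))
        self.events.append(event)
        return event

    def grant(self, principal_id, purpose, notice_version, at):
        return self._append(principal_id=principal_id, purpose=purpose,
                            notice_version=notice_version, action="grant", at=at)

    def withdraw(self, principal_id, purpose, at):
        current = self.evidence(principal_id, purpose)
        if current is None or not current["active"]:
            raise ValueError("no active consent to withdraw")
        return self._append(principal_id=principal_id, purpose=purpose,
                            notice_version=current["notice_version"],
                            action="withdraw", at=at)

    def evidence(self, principal_id, purpose):
        """Rebuild notice, purpose, timestamp and withdrawal status from the log."""
        grant = withdrawal = None
        for event in self.events:
            if (event.principal_id, event.purpose) != (principal_id, purpose):
                continue
            if event.action == "grant":
                grant, withdrawal = event, None  # a fresh grant supersedes a withdrawal
            else:
                withdrawal = event
        if grant is None:
            return None
        return {
            "purpose": purpose,
            "notice_version": grant.notice_version,
            "consented_at": grant.at,
            "withdrawn_at": withdrawal.at if withdrawal else None,
            "active": withdrawal is None,
            "record_hash": grant.hash,
        }

    def verify_chain(self) -> bool:
        """Recompute every link; any altered record breaks the chain."""
        prev = GENESIS_HASH
        for event in self.events:
            payload = {k: getattr(event, k) for k in _PAYLOAD_FIELDS}
            if event.prev_hash != prev or event.hash != _digest(prev, payload):
                return False
            prev = event.hash
        return True


def _tamper_is_detected(ledger):
    """Rewrite one stored purpose behind the ledger's back; verification must fail."""
    original = ledger.events[1]
    ledger.events[1] = replace(original, purpose="profiling")  # keeps the stale hash
    detected = not ledger.verify_chain()
    ledger.events[1] = original
    return detected


def demo():
    """Constructed walk-through: two grants, one withdrawal, then a tamper check."""
    ledger = ConsentLedger()
    ledger.grant("dp-1042", "order-fulfilment", "notice-v3", "2025-11-20T09:14:00Z")
    ledger.grant("dp-1042", "marketing", "notice-v3", "2025-11-20T09:14:05Z")
    ledger.withdraw("dp-1042", "marketing", "2026-01-08T17:30:00Z")
    return {
        "fulfilment": ledger.evidence("dp-1042", "order-fulfilment"),
        "marketing": ledger.evidence("dp-1042", "marketing"),
        "chain_ok": ledger.verify_chain(),
        "tamper_detected": _tamper_is_detected(ledger),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `evidence()` bundle is what an auditor would ask for: which notice was shown, for which purpose, when consent was given, and whether it has since been withdrawn. `verify_chain()` is the control that turns the log from a claim into evidence, because a record that was quietly edited after the fact no longer hashes to the value its successor recorded.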
3. Rights workflows need SLA discipline
Data Principal rights and grievance workflows should be tracked against the Rule 13 maximum response period of 90 days, including access, correction, completion, updating, erasure, grievance redressal, and nomination handling.
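A rights-request tracker that measures every open request against the 90-day maximum the checklist cites is a small piece of code, but it is the piece that makes the SLA auditable. The block below is an added example written for this checklist, not code from the page; the 14-day internal escalation window, the request reference format and the sample requests are constructed assumptions, and only the 90-day figure comes from the text above.

```python
"""Data Principal rights SLA tracker (added example; sample requests are constructed).

Every request type named in the checklist is tracked against the same
90-day maximum response period; WARN_DAYS is an assumed internal
escalation threshold, not a statutory figure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_RESPONSE_DAYS = 90   # Rule 13 maximum response period as cited in the checklist
WARN_DAYS = 14           # assumed internal escalation window before the deadline

REQUEST_TYPES = {
    "access", "correction", "completion", "updating",
    "erasure", "grievance", "nomination",
}


@dataclass
class RightsRequest:
    ref: str
    kind: str
    received: date
    closed: Optional[date] = None

    def __post_init__(self):
        if self.kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.kind}")


def due_date(received: date) -> date:
    return received + timedelta(days=MAX_RESPONSE_DAYS)


def sla_status(req: RightsRequest, today: date) -> str:
    """Classify one request: closed (on time or late) or open (on track, due soon, overdue)."""
    due = due_date(req.received)
    if req.closed is not None:
        return "closed_on_time" if req.closed <= due else "closed_late"
    if today > due:
        return "overdue"
    if (due - today).days <= WARN_DAYS:
        return "due_soon"
    return "on_track"


def sla_report(requests, today: date):
    """One row per request, suitable for a management report or dashboard feed."""
    rows = []
    for req in requests:
        due = due_date(req.received)
        rows.append({
            "ref": req.ref,
            "kind": req.kind,
            "received": req.received.isoformat(),
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "status": sla_status(req, today),
        })
    return rows


def breaches(requests, today: date):
    """References that have already missed the maximum response period."""
    return [r.ref for r in requests
            if sla_status(r, today) in ("overdue", "closed_late")]


# Constructed sample data: a fixed "today" so the classification is reproducible.
TODAY = date(2026, 1, 15)
SAMPLE_REQUESTS = [
    RightsRequest("REQ-001", "access", date(2025, 10, 1)),                        # overdue
    RightsRequest("REQ-002", "erasure", date(2025, 10, 20)),                      # due soon
    RightsRequest("REQ-003", "correction", date(2026, 1, 5)),                     # on track
    RightsRequest("REQ-004", "grievance", date(2025, 9, 1), closed=date(2025, 11, 20)),  # closed on time
]


if __name__ == "__main__":
    for row in sla_report(SAMPLE_REQUESTS, TODAY):
        print(row)
    print("breaches:", breaches(SAMPLE_REQUESTS, TODAY))
```

Run daily against the live request queue, `breaches()` is the list that should be empty in the monthly management report, and `due_soon` is the queue an owner should be working this week rather than discovering at day 91.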
4. SDF obligations are conditional
DPO appointment, independent data audit, DPIA, periodic audit, and additional prescribed measures apply as statutory obligations where the organisation is notified as a Significant Data Fiduciary. Other organisations may adopt these as best practice, but should not mislabel them as universal statutory duties.
5. Penalty tracking must use the correct statutory basis
Penalty exposure should be mapped to Section 33, Section 33(2), and the Schedule. The "twice the original amount" concept relates to the Central Government's power to amend the Schedule under Section 42, not Section 33(3). This is a small citation correction but a big credibility point.