☑ DPDP Act Compliance Checklist
Use this checklist to track your client's compliance progress. Each check maps to a specific section of the DPDP Act. Work through these systematically — start with Critical items, then High, then Medium. This checklist should be reviewed quarterly.
Consent & Notice
All consent collection mechanisms use clear, affirmative opt-in (no pre-ticked boxes)
💡 Go through every form, sign-up page, and checkout flow. If any checkbox is pre-ticked for data sharing, fix it immediately.
Privacy notice is provided before or at the time of collecting consent
💡 The notice must appear BEFORE the consent checkbox, not hidden in a footer link. Users must see it before they agree.
Privacy notice is available in English and all 22 scheduled languages
💡 This is a massive undertaking. Start with English plus Hindi and the languages most relevant to your client's user base, then expand.
Each consent is specific to a single purpose (no bundled consents)
💡 If one checkbox covers both 'order processing' and 'marketing emails,' split it into two separate consents.
Consent withdrawal is as easy as giving consent
💡 If consent was given with one click, withdrawal must also be one click. Do not require phone calls or email chains to withdraw.
Consent records are maintained with timestamps, purpose, and notice version shown
💡 Keep a log of every consent transaction. If the regulator asks 'Show me proof of consent,' you must produce it.
Re-consent has been obtained for data collected before the DPDP Act came into force
💡 For existing data, you must send a notice and give Data Principals an opportunity to withdraw consent as soon as reasonably practicable.
No dark patterns are used in consent interfaces
💡 Dark patterns include: making the 'Accept' button big and green while 'Decline' is small and grey, or using confusing double negatives.
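The consent items above (one purpose per consent, withdrawal as easy as granting, and a record of timestamp, purpose and notice version) can be enforced by an append-only consent ledger. The following is an added illustration, not code from this playbook; the purpose registry, notice version strings and in-memory storage are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed purpose registry: each entry is one specific purpose, so a single
# record can never cover "order processing and marketing" together.
PURPOSES = {"order_processing", "marketing_emails", "analytics"}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # exactly one purpose from PURPOSES
    action: str           # "grant" or "withdraw"
    notice_version: str   # version of the privacy notice shown at that moment
    recorded_at: str      # UTC timestamp, ISO 8601

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)   # append-only; never edited in place

    def _record(self, principal_id, purpose, action, notice_version):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        ev = ConsentEvent(principal_id, purpose, action, notice_version,
                          datetime.now(timezone.utc).isoformat())
        self.events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_version):
        # Called only after an explicit affirmative action; a pre-ticked box never reaches here.
        return self._record(principal_id, purpose, "grant", notice_version)

    def withdraw(self, principal_id, purpose, notice_version):
        # Same one-call shape as grant: withdrawal is as easy as giving consent.
        return self._record(principal_id, purpose, "withdraw", notice_version)

    def latest(self, principal_id, purpose):
        # The most recent event for this principal and purpose is the current state.
        for ev in reversed(self.events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, principal_id, purpose) -> bool:
        ev = self.latest(principal_id, purpose)
        return ev is not None and ev.action == "grant"

    def proof(self, principal_id, purpose) -> dict:
        # What to hand over when asked "show me proof of consent".
        ev = self.latest(principal_id, purpose)
        if ev is None or ev.action != "grant":
            raise LookupError("no active consent on record")
        return {"principal": ev.principal_id, "purpose": ev.purpose,
                "notice_version": ev.notice_version, "granted_at": ev.recorded_at}
```

Because the ledger is append-only, a withdrawal never erases the earlier grant, so the full history stays available for an audit.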
Data Principal Rights
Mechanism exists for Data Principals to submit access requests
💡 At minimum, provide an email address and web form. Ideally, build a self-service portal in the user's account settings.
Access requests can be fulfilled within the prescribed timeframe
💡 Test this: submit a mock access request and see how long it takes to gather all data across systems. If it takes weeks, you need automation.
Correction and update mechanisms are operational
💡 Ideally, let users correct their own data through their account profile. For corrections that need verification, define a clear process.
Erasure processes can delete data across all systems including backups
💡 Deletion is harder than it sounds. Data lives in production databases, analytics warehouses, backups, and third-party systems. Map every location.
Grievance Officer is appointed and contact details are published
💡 This must be a named person (not just a generic email). Publish their name, designation, email, and postal address on your privacy page.
Grievance redressal process has defined SLAs and escalation paths
💡 Define: acknowledge within 48 hours, investigate within 7 days, resolve within 30 days. Escalate to DPO if unresolved.
Nomination mechanism is available for Data Principals
💡 Add a 'Nominate a representative' option in user settings. This is unique to DPDP — no equivalent in GDPR.
Security Safeguards
Personal data is encrypted at rest using industry-standard encryption (AES-256)
💡 Check every database and file store containing personal data. If data is stored in plaintext, encrypt it. This is the highest-penalty area (Rs 250 Crore).
Personal data is encrypted in transit (TLS 1.2 or higher)
💡 All APIs and web pages that transmit personal data must use HTTPS with TLS 1.2+. Check internal communications too, not just external.
Role-based access control (RBAC) is implemented for all personal data stores
💡 Not everyone needs access to personal data. Grant access based on role: customer support sees customer data, HR sees employee data, etc.
Audit logging is enabled for all access to and modification of personal data
💡 Log who accessed what data, when, and why. These logs are essential for breach investigations and regulatory audits.
Vulnerability assessments are conducted at least quarterly
💡 Scan all systems containing personal data for known vulnerabilities. Fix critical and high vulnerabilities within 30 days.
Penetration testing is conducted at least annually
💡 Hire an external security firm to try to break into your systems. This finds vulnerabilities that automated scans miss.
Breach Management
Breach detection capabilities are in place (SIEM, IDS, DLP)
💡 You cannot report a breach you do not detect. Invest in monitoring tools that can flag unauthorized data access.
Breach notification process is documented with templates and timelines
💡 Have pre-written notification templates for the DPBI and for affected individuals. During a breach, you will not have time to draft from scratch.
Breach response team is identified with clear roles and contact information
💡 Define who does what: IT contains the breach, Legal assesses notification requirements, Communications drafts public messaging, DPO notifies the Board.
Tabletop breach simulation exercises are conducted at least annually
💡 Simulate a breach scenario: '10,000 customer records have been exfiltrated. What do we do?' Walk through every step. Fix gaps you find.
Breach register is maintained with details of all incidents
💡 Keep a log of every data incident, even minor ones. The regulator may ask for your breach history during an investigation.
Children's Data
Age verification mechanism is implemented for user-facing services
💡 You must be able to determine if a user is under 18. At minimum, ask for date of birth. For higher-risk services, use more robust verification.
Verifiable parental consent process is operational for children under 18
💡 When a child is identified, you need their parent's verified consent before processing any data. A child clicking 'I agree' is NOT valid consent.
No tracking, behavioural monitoring, or targeted advertising directed at children
💡 If a user is under 18, disable all tracking pixels, behavioural analytics, and targeted ad serving for that user. This is a strict prohibition.
Processing likely to cause a detrimental effect on a child's well-being is prohibited
💡 Review all processing involving children's data and assess whether any could harm a child's physical or mental well-being. If in doubt, stop the processing.
Children's data processing activities are separately documented in ROPA
💡 Flag every ROPA entry that involves children's data. These entries trigger additional compliance requirements and higher penalty exposure (Rs 200 Crore).
Cross-Border Transfers & Retention
All cross-border data transfers are mapped and documented
💡 List every country where personal data is sent or stored. Cloud providers count — if data is on AWS US-East, that is a cross-border transfer.
No transfers to countries restricted by the Central Government
💡 Monitor government notifications for the restricted countries list. Currently no countries are restricted, but this can change.
Data retention periods are defined for all categories of personal data
💡 Every type of personal data needs a retention period. 'We keep everything forever' is not compliant — you must delete when the purpose is fulfilled.
Automated retention enforcement (deletion/anonymisation) is operational
💡 Manual deletion does not scale. Set up automated jobs that identify and purge data past its retention date.
Legal hold processes can override automated deletion when needed
💡 Sometimes you must keep data longer (litigation, regulatory investigation). Build a 'legal hold' feature that pauses deletion for specific records.
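An automated retention sweep that honours legal holds, as described in the retention and legal-hold items above. This is an added example, not the playbook's own tooling; the data categories, retention periods, record layout and in-memory store are all assumptions. A record whose category has no policy is reported rather than purged or silently kept, since every category must have a defined retention period.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Policy:
    retention_days: int
    action: str            # "delete" or "anonymise"

# Assumed policy table: every category of personal data must appear here.
POLICIES = {
    "order_history": Policy(365 * 7, "anonymise"),
    "support_tickets": Policy(365 * 2, "delete"),
    "marketing_profile": Policy(180, "delete"),
}

@dataclass
class Record:
    record_id: str
    category: str
    principal_id: str
    purpose_fulfilled_on: str   # ISO date; the retention clock starts here

def plan_sweep(records, legal_holds, today):
    """Classify records for a run on `today` (ISO date). 'held' = past retention
    but on legal hold; 'unclassified' = no policy, so the job must not guess."""
    today_d = date.fromisoformat(today)
    plan = {"delete": [], "anonymise": [], "held": [], "unclassified": []}
    for r in records:
        policy = POLICIES.get(r.category)
        if policy is None:
            plan["unclassified"].append(r.record_id)
            continue
        due = date.fromisoformat(r.purpose_fulfilled_on) + timedelta(days=policy.retention_days)
        if today_d < due:
            continue                           # still within its retention period
        if r.record_id in legal_holds:
            plan["held"].append(r.record_id)   # a hold pauses deletion for this record
            continue
        plan[policy.action].append(r.record_id)
    return plan

def apply_sweep(store, legal_holds, today):
    """Execute the plan against a dict store {record_id: Record}; returns the plan."""
    plan = plan_sweep(list(store.values()), legal_holds, today)
    for rid in plan["delete"]:
        del store[rid]
    for rid in plan["anonymise"]:
        store[rid].principal_id = "ANONYMISED"   # unlink from the Data Principal, keep the row
    return plan
```

Run the same plan against every store that holds the category (warehouse, backups, third-party exports), not only the production database.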
Significant Data Fiduciary (if applicable)
DPO is appointed, based in India, and registered with the DPBI
💡 The DPO must be a real person based in India with direct access to your Board of Directors. This is not a checkbox role — they need authority and resources.
Data Protection Impact Assessment has been conducted
💡 Start with the highest-risk processing activity. Use the DPIA template in this playbook. The DPIA must be repeated periodically as prescribed in the Rules.
Independent data auditor is engaged and first audit is scheduled
💡 Engage an independent auditor from the government-approved panel (once announced). Budget for annual audits as a recurring compliance cost.
Additional SDF measures (as prescribed in Rules) are implemented
💡 Monitor for additional requirements in the Rules. Build flexibility into your compliance programme to accommodate new obligations.