DPDPsecured
DPDP in Practice · 5 min read

The DPDP Act Compliance Checklist: 10 Things Your Business Needs to Have in Place

How to Use This

Go through each item honestly. A "no" or "not sure" is not a failing grade — it is a priority item. This list covers the core obligations under the DPDP Act, 2023 and Rules 2025 that every business must address.

1. You know exactly what personal data your business collects.

Not roughly. Precisely. Every form, every system, every vendor feed, every spreadsheet. The Act's obligations flow from what you collect — and you cannot manage what you have not mapped.

Not sure? A data mapping exercise is where every compliance programme starts. Without it, everything else is guesswork.

2. You have a lawful basis for every data collection point.

For most businesses, that basis is consent. For some processing — legal obligations, employment-related uses, medical emergencies — the Act recognises legitimate uses that do not require explicit consent. Know which applies where.

Not sure? Audit each collection point and document the basis in writing.

3. Your consent notices are clear, specific, and easy to find.

Not embedded in your terms and conditions. Not a pre-ticked checkbox. A plain-language notice that tells the individual exactly what data is being collected and for what specific purpose — itemised, as required by the Rules.

Not sure? Open your website right now as if you were a first-time visitor. Can you find the consent notice within thirty seconds? Is it itemised? Is it in plain language?

4. Withdrawing consent is as easy as giving it.

One click to opt in must mean one click to opt out. If unsubscribing from your marketing list involves emailing a human, navigating multiple menus, or waiting for a response, you are non-compliant.

Not sure? Run the test yourself before someone from the Board does.

5. You have a data retention policy — and you follow it.

How long does your business keep customer data? Employee records? Applicant CVs? Inactive accounts? The Act requires you to erase personal data once the purpose it was collected for is served, unless another law obliges you to keep it. The Rules require you to notify individuals at least 48 hours before deletion, so a deletion job needs a notice step built in, not bolted on.

Not sure? Draft a retention schedule by data category. Then build a deletion process around it and assign someone to run it.

6. Your vendor contracts include data protection obligations.

Every third party receiving personal data from your business — payroll processors, cloud providers, marketing platforms, background verification agencies — must be bound by a data processing agreement that meets DPDP standards. Their breach is your liability.

Not sure? Pull your ten most important vendor contracts and check for data processing clauses.

7. You have reasonable security measures protecting personal data.

The Act requires reasonable technical and organisational safeguards; the Rules spell out the kind of measures expected: encryption, masking or tokenisation of stored data, access controls, monitoring of logs to detect unauthorised access, and backups so processing can continue after an incident. Two-factor authentication and regular security reviews are the obvious practical additions. The Rules also require that system and processing logs be retained for a minimum of one year, so that unauthorised access can be detected and investigated after the fact.

Not sure? Ask your IT team what access controls exist on systems holding customer and employee data.
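Items 5 and 7 pull in opposite directions: one says delete once the purpose is served (with 48 hours' notice first), the other says do not delete processing logs for at least a year. The script below is an added example written for this article, not DPDPsecured tooling or anything the Act prescribes. It encodes the retention schedule as data and lets a deletion job decide, per record, whether to keep, notify, wait, delete or hold. Every category name, retention period and sample record is a constructed assumption; only the 48-hour notice and the one-year log floor come from the text above.

```python
"""Retention schedule enforcement (hypothetical example, not DPDPsecured code).

Two obligations from the checklist are modelled:
  * a ceiling - delete once the purpose is served, preceded by the 48-hour
    notice to the individual (item 5);
  * a floor - processing logs are retained for at least one year, so a
    deletion job must never purge them early (item 7).
All category names, periods and sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

NOTICE_PERIOD = timedelta(hours=48)   # pre-deletion notice window from the text


class Action(Enum):
    KEEP = "keep"                  # inside its retention period
    SEND_NOTICE = "send_notice"    # ceiling reached or near; notice not yet sent
    AWAIT_NOTICE = "await_notice"  # notice sent, 48 hours not yet elapsed
    DELETE = "delete"              # safe to erase
    HOLD = "hold"                  # below a minimum-retention floor; never erase


@dataclass(frozen=True)
class Policy:
    retain_for: timedelta                          # ceiling, counted from last activity
    notify_before_delete: bool                     # does the 48-hour notice apply?
    minimum_retention: Optional[timedelta] = None  # floor, e.g. one year for logs


# Constructed schedule. Real periods come from the purpose you documented under item 2.
SCHEDULE: Dict[str, Policy] = {
    "inactive_customer_account": Policy(timedelta(days=3 * 365), notify_before_delete=True),
    "applicant_cv": Policy(timedelta(days=180), notify_before_delete=True),
    "processing_log": Policy(timedelta(days=365), notify_before_delete=False,
                             minimum_retention=timedelta(days=365)),
}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: datetime
    notice_sent_at: Optional[datetime] = None


def decide(record: Record, now: datetime) -> Action:
    """Decide what the deletion job may do with one record at time `now`."""
    policy = SCHEDULE[record.category]
    # Floor first: erasing before the minimum period breaches the log-retention
    # duty even when the ceiling alone would say "delete".
    if policy.minimum_retention is not None:
        if now < record.last_activity + policy.minimum_retention:
            return Action.HOLD
    expires_at = record.last_activity + policy.retain_for
    if not policy.notify_before_delete:
        return Action.DELETE if now >= expires_at else Action.KEEP
    # Notice must go out at least 48 hours before erasure. A late notice does
    # not shorten the wait: deletion is 48 hours after the notice, never before.
    if record.notice_sent_at is None:
        return Action.SEND_NOTICE if now >= expires_at - NOTICE_PERIOD else Action.KEEP
    if now >= expires_at and now >= record.notice_sent_at + NOTICE_PERIOD:
        return Action.DELETE
    return Action.AWAIT_NOTICE


def plan(records: List[Record], now: datetime) -> Dict[str, Action]:
    """Run `decide` over a batch; the returned map is what the job acts on."""
    return {r.record_id: decide(r, now) for r in records}


# Constructed sample data, relative to a fixed "now" so results are reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("cust-1", "inactive_customer_account", NOW - timedelta(days=3 * 365 - 30)),
    Record("cust-2", "inactive_customer_account", NOW - timedelta(days=3 * 365 - 1)),
    Record("cust-3", "inactive_customer_account", NOW - timedelta(days=3 * 365),
           notice_sent_at=NOW - timedelta(hours=48)),
    Record("cust-4", "inactive_customer_account", NOW - timedelta(days=3 * 365),
           notice_sent_at=NOW - timedelta(hours=10)),
    Record("cv-1", "applicant_cv", NOW - timedelta(days=400)),   # overdue, notice never sent
    Record("log-1", "processing_log", NOW - timedelta(days=200)),
    Record("log-2", "processing_log", NOW - timedelta(days=366)),
]

if __name__ == "__main__":
    for record_id, action in plan(SAMPLE_RECORDS, NOW).items():
        print(f"{record_id:8} {action.value}")
```

The point of the `HOLD` state is that the floor is checked before the ceiling: a job that only knows "delete after N days" will happily purge logs you are obliged to keep. The `AWAIT_NOTICE` state is the other trap: an overdue record whose notice was never sent cannot be deleted on the spot; it gets its notice now and is erased 48 hours later.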

8. You have a data breach response plan.

If personal data under your control is compromised tomorrow, what happens first? Who is notified internally? Who notifies the Board, and who tells the affected individuals, which the Rules require you to do without delay? The 72-hour clock for the detailed report to the Board starts from the moment you become aware of a breach. You need a documented plan before that clock starts.

Not sure? Write a one-page breach response procedure. Name the people responsible at each step. Even a basic plan is infinitely better than none.

9. You have a process for responding to rights requests.

An individual can request access to their data, ask for corrections, or ask for erasure. When that request arrives — and eventually, it will — you need a documented process with a named owner and a clear response timeframe.

Not sure? Assign clear ownership and set an internal response timeframe. Document both.

10. Someone in your organisation owns DPDP compliance.

A compliance programme without a named owner is a list of good intentions. One person — not a department, a person — needs to be accountable for each of the nine items above, and for keeping pace with the Rules as they are finalised and enforced.

Not sure? Appoint someone this week. It does not require a legal background. It requires accountability.

Where You Stand

8–10 ticked: Strong foundations. Focus on documentation depth and keeping pace with the Rules as they are finalised.

5–7 ticked: Real gaps alongside genuine progress. Prioritise by penalty exposure — security safeguards and breach notification carry the highest penalties.

Below 5: Meaningful exposure across multiple areas. Start with items 1 and 2. The data map and the lawful basis audit underpin everything else.

The Bottom Line

None of the ten items above requires a large budget or a legal team. They require someone to take ownership, spend focused time, and build the habits that compliance depends on.

The businesses that will struggle under this Act are not the ones without resources. They are the ones that kept finding reasons to start next month.

Published by DPDPsecured — compliance intelligence for Indian businesses.