AMLEGALS
DPDPA Compliance Checklist — Updated for DPDP Rules 2025

The Definitive DPDPA Compliance Checklist

Eight phases. Every statutory provision. Cross-referenced to DPDP Rules, 2025. Built by practitioners who have implemented DPDPA across industries — not adapted from a GDPR template.

8 Phases · 44 DPDPA Sections · DPDP Rules 2025 · 60+ Action Items

Does DPDPA Apply to You?

1. Do you collect names, emails, phone numbers, or any identifying information?

If yes — you process "personal data" under Section 2(t)

2. Are any of your users, customers, or employees located in India?

If yes — DPDPA applies regardless of where you are incorporated (Section 3)

3. Do you share data with vendors, cloud providers, or partner organisations?

If yes — Section 8(2) processor obligations apply to every transfer

If you answered yes to any of the above, DPDPA compliance is not optional — it is a statutory obligation.

Implementation Framework

8-Phase DPDPA Compliance Checklist

Each phase maps directly to DPDPA sections and DPDP Rules, 2025 provisions. Sequenced for operational efficiency — complete phases in order for maximum compliance velocity.

Phase 1: Data Discovery & Mapping

Foundation — Section 3, Section 4

Before anything else, know where personal data lives across your organisation. This is the foundation every subsequent compliance action builds upon.

  • Inventory all systems, databases, and applications processing personal data
  • Map data flows — collection points, internal transfers, external sharing, storage locations
  • Identify all categories of Data Principals whose data you process
  • Document processing purposes for each data category
  • Classify data by sensitivity level and processing volume
  • Map third-party and cross-border data transfers
  • Identify legacy datasets that may lack proper consent records

Phase 2: Legal Basis Assessment

Section 4, Section 6, Section 7

Every piece of personal data you process must have a lawful basis. No exceptions. This phase determines which basis applies to each processing activity.

  • Classify each processing activity under consent (Section 6) or deemed consent/legitimate use (Section 7)
  • Assess whether "certain legitimate uses" under Section 7(4)-(9) apply to any existing processing
  • Review employment-related processing against Section 7(8) provisions
  • Evaluate State-related processing under Section 7(1)-(3)
  • Document the legal basis determination for each processing activity in a Processing Register
  • Flag activities where current legal basis is unclear or indefensible

Phase 3: Consent Architecture & Privacy Notices

Section 5, Section 6, Rule 3, Rule 4

Most existing consent mechanisms fail DPDPA standards. This phase rebuilds consent from the ground up — purpose-specific, informed, freely-given, and easily withdrawn.

  • Design Section 5 compliant notice templates — itemised purposes, plain language, multilingual capability
  • Build purpose-specific consent collection mechanisms across all touchpoints (web, mobile, in-person)
  • Implement granular consent — one purpose per consent item, no bundled permissions
  • Create withdrawal mechanisms that are as easy as giving consent (Section 6(4))
  • Establish Consent Manager integration requirements per Rule 3 and Rule 4
  • Design consent record-keeping system with timestamps, versions, and purpose linkages
  • Rewrite all existing privacy policies and privacy notices to DPDPA standards

Phase 4: Data Principal Rights Infrastructure

Sections 11-14, Rule 8

Data Principals have enforceable rights under DPDPA. Your organisation needs operational infrastructure to receive, verify, process, and respond to rights requests.

  • Build grievance redressal mechanism under Section 13 and Rule 8
  • Implement right to correction and erasure workflows (Section 12)
  • Create nomination mechanism for Data Principals (Section 14)
  • Establish identity verification procedures for rights requests
  • Define response timelines and escalation procedures
  • Create templates for acknowledging, processing, and responding to requests
  • Design audit trail for every rights request received and actioned

Phase 5: Breach Response Protocol

Section 8(6), Rule 7

A data breach without a pre-tested response protocol is a compliance catastrophe. This phase builds the muscle memory your organisation needs.

  • Establish incident detection mechanisms and classification criteria
  • Define breach assessment process — scope, severity, data principals affected
  • Create Data Protection Board notification procedure per Section 8(6) and Rule 7
  • Build Data Principal communication templates and trigger criteria
  • Design containment and remediation protocols
  • Conduct tabletop simulation exercises with cross-functional teams
  • Define roles and responsibilities in the breach response chain
  • Establish forensic evidence preservation procedures

Phase 6: Vendor & Processor Governance

Section 8(2)-(3), Rule 6

Under DPDPA, the Data Fiduciary bears effectively non-delegable responsibility for processors. Your vendor contracts and oversight must reflect this.

  • Audit all existing vendor/processor relationships
  • Update Data Processing Agreements to DPDPA standards (Section 8(2), Rule 6)
  • Establish sub-processor chain controls and approval mechanisms
  • Define processor audit rights and inspection procedures
  • Implement processor breach notification escalation requirements
  • Create processor onboarding checklist for new vendor engagements
  • Review international processor arrangements against Section 16 requirements

Phase 7: Special Categories & Cross-Border

Section 9, Section 16, Rules 10-12

Children's data and cross-border transfers require distinct compliance tracks. Significant Data Fiduciaries face additional obligations.

  • Audit whether you process children's data (under 18) and implement verifiable parental consent
  • Review advertising and tracking practices against Section 9(3) prohibitions
  • Map cross-border data transfers and assess against Section 16 negative-list framework
  • Implement contractual safeguards for international data transfers
  • Assess Significant Data Fiduciary (SDF) applicability under Section 10
  • If SDF: appoint independent Data Auditor, conduct DPIA, implement algorithmic transparency per Rules 10-15
  • Review processing of data related to the disabled and evaluate guardian consent requirements

Phase 8: Evidence Framework & Board Readiness

Rule 13, Schedule

Compliance without evidence is indistinguishable from non-compliance in Board proceedings. This phase builds the documentation that protects your organisation.

  • Build comprehensive compliance evidence archive — consents, assessments, training records
  • Establish periodic audit cadence aligned with Rule 13
  • Create Board-ready compliance reporting templates
  • Implement continuous monitoring for consent status, data retention, and processor compliance
  • Design internal training programme and maintain training completion records
  • Prepare for Data Protection Board inquiry scenarios
  • Create executive briefing materials for Board-level governance
  • Establish annual compliance review and gap reassessment cycle

What Non-Compliance Costs

₹250 Cr

Maximum penalty under the Schedule for specified contraventions

Board-Led

Data Protection Board of India adjudicates complaints with inquiry powers

Reputational

Published Board orders, client confidence erosion, and regulatory scrutiny compounding

Why a Counsel-Led Approach Matters

Attorney-Client Privilege

Compliance assessments conducted under legal privilege protect your organisation. Consulting firm reports enjoy no such protection and are fully discoverable in Board proceedings.

Board Representation

When the Data Protection Board issues a show-cause notice, a law firm can represent you. A consulting firm cannot appear on your behalf in quasi-judicial proceedings.

Statutory Interpretation

DPDPA is a new statute with untested provisions. Legal opinions carry weight in Board proceedings. Consultant recommendations do not have the same evidentiary value.

27 Years of Regulatory Practice

AMLEGALS brings 27 years of experience in Indian regulatory law — not a DPDPA practice built in 2023. We understand how Indian regulators think, investigate, and adjudicate.

Start Your DPDPA Compliance Journey

A checklist is the starting point. Execution requires experienced counsel who understand both the statute and your business. Speak with us.


Insights & Answers

What practitioners and boards are asking

What is a DPDPA compliance checklist?

A DPDPA compliance checklist is a structured 8-phase implementation framework mapping every requirement of the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 to actionable steps. It covers data discovery and mapping, legal basis assessment, consent architecture, Data Principal rights, breach response protocols, vendor governance, cross-border transfers, and Board-readiness evidence frameworks. AMLEGALS provides counsel-led DPDPA implementation from 10 offices across India with 27 years of regulatory experience.

How long does DPDPA compliance take?

DPDPA compliance timelines depend on organisation size, data processing complexity, and current maturity. A typical mid-sized organisation requires 6-12 months for full implementation across the 8 phases: data mapping, legal basis assessment, consent architecture, rights infrastructure, breach protocols, vendor governance, special categories, and evidence framework. Significant Data Fiduciaries face additional requirements under Rules 10-15.