Statutory Readiness Audit

DPDPA Compliance Checklist 2025

Q: What is a DPDPA compliance checklist?

A DPDPA compliance checklist is a structured framework that maps every obligation under the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 to actionable items an organisation must address — covering consent mechanisms, privacy notices, data principal rights, breach notification protocols, DPO appointment, grievance redressal, and cross-border data transfer safeguards.

Q: Who needs to comply with DPDPA 2023?

Every entity that processes digital personal data within India, or processes personal data of individuals in India while offering goods or services, is a Data Fiduciary under DPDPA 2023. This includes companies, startups, government bodies, and non-profits handling personal data in digital form.

Q: What are the penalties for non-compliance with DPDPA?

DPDPA 2023 prescribes penalties of up to ₹250 Crores for specific violations. Penalties vary by contravention — failure to implement reasonable security safeguards, breach notification delays, and non-compliance with children's data obligations each carry distinct penalty ranges. The Data Protection Board of India adjudicates these matters.

Q: How is DPDPA different from GDPR?

While both regulate personal data processing, DPDPA 2023 is principle-based and consent-centric with India-specific constructs: Data Fiduciary (not Controller), Data Principal (not Data Subject), Consent Manager as a registered intermediary, Significant Data Fiduciary classification, and a distinct penalty architecture. India did not copy GDPR — it built its own sovereign framework.

42 obligations. 7 domains. Zero assumptions.

Every Data Fiduciary operating in India must satisfy specific statutory obligations under the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. This checklist maps each obligation to its source section — so your compliance programme rests on the statute, not on assumptions.

Review the 7 Domains Request Gap Assessment

Up to ₹250 Cr

Maximum penalty per contravention under the Schedule to DPDPA 2023

Section 33

Sections in the principal Act that create obligations for Data Fiduciaries

DPDPA 2023

Rules prescribed under DPDP Rules 2025 operationalising the Act

Subordinate legislation

Why a Checklist Matters

The gap between “we have a privacy policy” and “we are compliant” is where liability lives.

Most organisations treat data protection as a documentation exercise. They produce policies that nobody reads, consent forms that nobody understands, and compliance reports that gather dust. This worked when there was no enforcement.

DPDPA 2023 changed this calculus. The Act prescribes penalties of up to ₹250 Crores per contravention, creates the Data Protection Board of India as a dedicated adjudicatory body, and empowers Data Principals with enforceable rights. The penalty is not theoretical.

A structured compliance programme — mapped to statutory provisions, operationalised through workflows, and validated by independent assessment — is what separates organisations that will survive enforcement from those that will not.

The 7 Compliance Domains

Every checkpoint, traced to its statutory source

These are the seven domains where DPDPA enforcement will concentrate. Each item below maps to a specific provision of the Act or the Rules. If your organisation cannot satisfy a checkpoint, you have identified a compliance gap — and the precise statutory authority that creates the obligation.

Consent Architecture

Sections 6 & 7

25% of statutory exposure

✓
Consent collected for each specified lawful purpose — not bundled
✓
Consent notice in plain language with itemised data use purposes
✓
Mechanism for consent withdrawal — as easy as giving consent
✓
Deemed consent scenarios identified and documented (Section 7)
✓
Records of consent maintained with timestamps and purpose mapping
✓
Consent refresh workflow for new processing purposes

Privacy Notice & Transparency

Section 5

15% of statutory exposure

✓
Privacy notice provided at or before data collection
✓
Notice contains identity of Data Fiduciary, purpose of processing, and rights of Data Principal
✓
Notice available in English and the 22 scheduled languages where applicable
✓
Existing data subjects — retrospective notice issued for pre-DPDPA data
✓
Notice format compliant with DPDP Rules 2025 prescriptions

Data Principal Rights

Sections 11–14

20% of statutory exposure

✓
Right to access — mechanism to provide summary of processing activities
✓
Right to correction and erasure — workflow to action requests within prescribed timelines
✓
Right to nominate — facility for Data Principals to nominate another person
✓
Right to grievance redressal — designated contact and escalation matrix
✓
Grievance Officer appointed with published contact details

Data Breach Notification

Section 8

20% of statutory exposure

✓
Breach detection and classification protocol established
✓
Notification to Data Protection Board within prescribed timeline
✓
Notification to affected Data Principals without unreasonable delay
✓
Breach register maintained with root cause analysis
✓
Incident response team designated with defined roles
✓
Post-breach remediation and prevention measures documented

Children's Data

Section 9

8% of statutory exposure

✓
Age verification mechanism — identify Data Principals below 18 years
✓
Verifiable parental or guardian consent obtained before processing
✓
No tracking, behavioural monitoring, or targeted advertising directed at children
✓
Exemptions assessed — whether the organisation qualifies for Central Government relaxations

Cross-Border Data Transfer

Section 16

5% of statutory exposure

✓
Data transfer destinations identified and mapped
✓
Transfers only to jurisdictions not restricted by Central Government notification
✓
Contractual safeguards with overseas data processors
✓
Data localisation requirements assessed for sector-specific regulations

Significant Data Fiduciary Obligations

Section 10

7% of statutory exposure

✓
SDF status assessed — volume, sensitivity, risk to sovereignty criteria
✓
Data Protection Officer appointed (resident in India)
✓
Independent data auditor engaged for periodic audits
✓
Data Protection Impact Assessment conducted
✓
Audit reports filed with Data Protection Board

Counsel's Perspective

Three questions that reveal compliance maturity

The depth of your answers to these questions tells our practitioners more about your exposure than any policy document.

Where do most organisations fail?

Consent architecture. Most have a single "I agree" checkbox covering 15 purposes. DPDPA requires purpose-specific, unbundled consent collected through clear, affirmative action.

What triggers the highest penalties?

Failure to implement reasonable security safeguards (up to ₹250 Crores) and failure to notify data breaches to the Data Protection Board and affected Data Principals (up to ₹200 Crores).

Is a privacy policy enough?

A privacy policy is one element. DPDPA requires operational mechanisms — consent management infrastructure, rights fulfilment workflows, breach response protocols, and grievance redressal systems.

Confidential Engagement

Request a Compliance Gap Assessment

Our data privacy counsel will walk you through this checklist in the context of your specific operations and identify the gaps that carry the highest regulatory exposure.

Schedule a Confidential Assessment

One of our data privacy practitioners will reach out within one working day.