
The DPDPA Compliance Audit Checklist: 47 Controls Every DPO Must Verify Before Enforcement Begins

Anandaday Misshra, April 2026

Compliance audits under the DPDPA are not like financial audits. Financial audits verify transactions. DPDPA audits verify architecture — the systems, processes, documentation, and governance that prove every statutory obligation is operationalised, monitored, and demonstrable on demand.

The 47 controls in this checklist are organised by the DPDPA sections and DPDP Rules they address. Each control is designed to answer one question: if the Data Protection Board examined this obligation tomorrow, could the organisation demonstrate compliance with documentary evidence?

A policy without evidence is an intention. Evidence without a policy is an accident. The Board examines both.

Category 1: Consent and Notice (Sections 5-6, Rules 3-4) — 10 Controls

  • C-01: Is a consent notice served to every Data Principal before or at the time of collection, specifying each processing purpose separately in clear and plain language as required by Rule 3?
  • C-02: Does each consent record include a timestamp, the specific purpose consented to, the mechanism used, and the language presented — creating an audit trail that satisfies "demonstrable consent" under Section 6?
  • C-03: Is the consent withdrawal mechanism as accessible as the consent collection mechanism? Can a Data Principal withdraw with the same number of steps as consent was given?
  • C-04: Are consent records maintained in a centralised register that can be produced to the Board within 48 hours of a request?
  • C-05: Has every pre-existing personal data record (data collected before DPDPA) been assessed under Section 5(2)? Has a fresh notice been served for all legacy data still being processed?
  • C-06: Are consent notices available in English and every Scheduled Language specified by Rule 3?
  • C-07: Is consent granular — one purpose per consent — or bundled? Bundled consent is invalid under the specificity requirement of Section 6.
  • C-08: Is there a mechanism to refresh consent when processing purposes change? Stale consent for obsolete purposes is not valid consent.
  • C-09: Are Consent Managers (Section 23) registered and integrated for organisations that use them? Is the Consent Manager compliant with Rule 4?
  • C-10: Is there documentary evidence that no personal data is processed without valid consent or a documented Section 7 legitimate use basis?

Category 2: Data Fiduciary Obligations (Section 8, Rules 5-8) — 12 Controls

  • C-11: Is there a documented purpose limitation framework? Does every processing activity have a documented purpose that matches the consent notice?
  • C-12: Is personal data erased once the purpose is fulfilled, as required by Section 8(7)? Is the 48-hour pre-erasure notice under Rule 5 operationalised?
  • C-13: Are reasonable security safeguards implemented under Section 8(5)? Can the organisation document what "reasonable" means in its context — encryption standards, access controls, monitoring, and incident response?
  • C-14: Is there a Data Processing Agreement with every processor under Section 8(2)? Does it specify processing purposes, security obligations, sub-processing restrictions, breach notification requirements, and audit rights?
  • C-15: Is the accuracy obligation under Section 8(3) operationalised? Is there a process for Data Principals to correct inaccurate data under Section 12?
  • C-16: Is there a retention policy that specifies maximum retention periods for each data category and processing purpose? Is it enforced through automated deletion?
  • C-17: Is the breach notification protocol under Section 8(6) documented, tested, and capable of dual notification (Board and Data Principal) without delay?
  • C-18: Can the organisation produce a complete Record of Processing Activities on demand?
  • C-19: Is there a Data Protection Impact Assessment process under Rule 8 for high-risk processing activities?
  • C-20: Is personal data of children (under 18) processed with verifiable parental consent under Section 9 and Rule 10?
  • C-21: Is there a mechanism to identify and block processing of children's data that could cause detrimental effects, as prohibited by Section 9?
  • C-22: Is the prohibition on behavioural monitoring and targeted advertising directed at children operationalised?

Category 3: Data Principal Rights (Sections 11-14) — 8 Controls

  • C-23: Can the organisation respond to an access request under Section 11 within statutory timelines? Is there a system to extract and deliver a summary of all personal data processed?
  • C-24: Can the organisation process a correction request under Section 12 and update records across all systems where the data resides?
  • C-25: Can the organisation process an erasure request under Section 13 and demonstrate complete deletion across primary systems, backups, and vendor systems?
  • C-26: Is the grievance redressal mechanism under Section 13 documented, accessible, and staffed? Does it meet statutory response timelines?
  • C-27: Is the nomination mechanism under Section 14 implemented? Can a Data Principal nominate a representative to exercise rights on their behalf in case of death or incapacity?
  • C-28: Are Data Principal requests logged with timestamps, actions taken, and response times for audit trail purposes?
  • C-29: Is the identity verification process for Data Principal requests documented and proportionate — not so onerous that it effectively prevents rights exercise?
  • C-30: Are all rights-related communications to Data Principals in clear, plain language as required by the Act?

Category 4: Significant Data Fiduciary Obligations (Section 10, Rules 11-15) — 8 Controls

  • C-31: Has the organisation assessed whether it meets the criteria for Significant Data Fiduciary notification under Section 10(1)?
  • C-32: Is a DPO appointed who is based in India, has direct Board reporting access, and has documented authority to direct compliance activities as required by Rule 11?
  • C-33: Is a DPIA conducted for every processing activity that involves significant risk to Data Principal rights? Is the methodology documented and defensible?
  • C-34: Has an independent data audit been conducted by a registered auditor within the prescribed period under Rule 10?
  • C-35: Is there quarterly Board-level reporting on DPDPA compliance status by the DPO?
  • C-36: Is algorithmic transparency maintained for automated decision-making systems that significantly affect Data Principals?
  • C-37: Are periodic compliance reports filed with the Data Protection Board as required?
  • C-38: Is there a documented process for responding to Board inquiries under Section 12 within the prescribed timelines?

Category 5: Cross-Border Transfers and Governance (Sections 16-17, Rules 16-22) — 9 Controls

  • C-39: Is there a data transfer map identifying every cross-border transfer of Indian personal data — including cloud routing, disaster recovery, CDN, and vendor sub-processing?
  • C-40: Has every transfer destination been verified against the Central Government's restricted jurisdiction notifications under Section 16?
  • C-41: Do cloud service agreements specify actual routing regions (not just contractual primary regions)?
  • C-42: Are vendor sub-processors mapped and verified for cross-border compliance?
  • C-43: Is there an employee training programme with documented completion records and periodic refresher assessments?
  • C-44: Is there a privacy-by-design framework integrated into product development and system procurement?
  • C-45: Is there a documented data classification framework that categorises personal data by sensitivity and processing requirements?
  • C-46: Is the organisation's DPDPA compliance programme periodically reviewed and updated to reflect regulatory developments, Board orders, and enforcement precedent?
  • C-47: Is there a documented escalation matrix for DPDPA compliance issues — from operational teams through to Board-level governance?

"47 controls. Not 47 documents. 47 demonstrable capabilities. The difference is the distance between a filing cabinet and a functioning compliance architecture."
— Anandaday Misshra

Do this now

Score your organisation against each control: 0 (not implemented), 1 (partially implemented), 2 (fully implemented with evidence). Maximum score: 94. Any score below 70 indicates material compliance gaps that require immediate remediation. Any control scored 0 is a point of exposure the Board will identify. Start with the zeros. They are where the penalties live.
