India's DPDP Act: A Practical Compliance Checklist

The Digital Personal Data Protection Act (DPDP) is one of the most significant pieces of privacy legislation in India's history. It applies to any organisation that processes the personal data of individuals in India, whether based in the country or abroad. Penalties for non-compliance can run into hundreds of crores, so readiness is not optional.

Compliance is less about a single sweeping change and more about a series of disciplined habits. The checklist below turns the law's requirements into concrete actions.

Know Your Data

You cannot protect what you cannot see. The foundation of DPDP compliance is a clear understanding of the personal data you hold.

• Map every system, vendor and process that touches personal data.
• Document why you collect each data element and how long you keep it.
• Identify cross-border transfers and confirm they are permitted.

Get Consent Right

DPDP places consent at the centre of lawful processing. Consent must be free, specific, informed and unambiguous.

• Provide clear notices in plain language at the point of collection.
• Make withdrawing consent as easy as giving it.
• Keep auditable records of when and how consent was obtained.

Honour Data Principal Rights

Individuals — "data principals" — have rights you must be able to fulfil quickly and reliably.

• Build a process to handle access, correction and erasure requests.
• Offer a grievance redressal mechanism with a named contact.
• Track and respond to requests within defined timelines.

Prepare for Breaches

The Act requires timely notification of personal data breaches to both the Data Protection Board and affected individuals.

• Maintain an incident response plan that includes notification steps.
• Run tabletop exercises so the plan works under pressure.
• Log security events so you can reconstruct what happened.

Appoint the Right People

Significant Data Fiduciaries face additional obligations, including appointing a Data Protection Officer and conducting periodic audits.

• Determine whether your organisation qualifies as a Significant Data Fiduciary.
• Assign clear ownership for privacy across legal, security and engineering.

From Checklist to Culture

Treating DPDP as a one-time project guarantees you will fall out of compliance the moment your systems change. The organisations that thrive treat privacy as an ongoing discipline — baked into product design, vendor selection and everyday operations. Start with the checklist, but aim for the culture.