
DPDPA Compliance Checklist 2026: 8 Practical Steps for Indian Businesses

The full compliance deadline is May 2027 — but the work needs to start now. Here is a clear, step-by-step checklist every Indian business can follow to get DPDPA-ready without confusion.

DataDefend Editorial Team

Privacy & Compliance Experts

May 30, 2026 ◦ 9 min read


Why Your DPDPA Clock Is Already Ticking

The DPDP Rules 2025 were notified on November 13, 2025. The Data Protection Board of India is now operational. The Consent Manager framework goes live on November 13, 2026. And full compliance is mandatory by May 13, 2027.

That gives most businesses less than 12 months to complete a compliance programme that typically takes 6 to 18 months. Companies that wait until 2027 will either rush through it poorly or face penalties on day one of enforcement.

This checklist is designed for practical action — not legal theory. Work through these 8 steps and you will have a solid DPDPA compliance foundation.

Step 1: Conduct a Personal Data Audit

You cannot protect data you do not know you have. The first step is mapping every piece of personal data in your organisation.

  • What personal data do you collect? (names, emails, phone numbers, payment data, health data, location data)
  • Where is it stored? (databases, CRMs, spreadsheets, cloud storage, email servers)
  • Who has access to it internally?
  • Who do you share it with externally? (vendors, partners, payment gateways, analytics tools)
  • How long do you keep it?
  • Is there data you hold that you no longer need?

This data mapping exercise is the foundation of everything else. Without it, you cannot build a compliant consent system, respond to user requests, or demonstrate accountability to the Data Protection Board.

Step 2: Review and Fix Your Consent Mechanisms

Consent is the core of the DPDPA. Go through every touchpoint where you collect personal data — your website, mobile app, signup forms, checkout pages, and offline-to-digital processes — and assess whether your current consent is legally valid.

  • Remove all pre-ticked checkboxes — they are explicitly not valid under DPDPA
  • Break bundled consent into separate, purpose-specific consent requests
  • Update privacy notices to be clear, simple, and in the language the user understands
  • Add an easy, one-click way for users to withdraw consent at any time
  • Store a timestamped record of every consent given — this is your audit trail
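The consent audit trail that this step (and the consent-records item in Step 8) asks for, as an added example in Python rather than DataDefend's own code: an append-only ledger in which every record names exactly one purpose, carries a UTC timestamp, can only be created by an affirmative user action, and is withdrawn by a single call. The field names and the notice_version field are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str      # the Data Principal (user) the record belongs to
    purpose: str           # exactly one purpose per record, never a bundle
    action: str            # "given" or "withdrawn"
    notice_version: str    # which privacy notice text the user was shown
    recorded_at: datetime  # UTC timestamp: the audit-trail evidence

class ConsentLedger:
    """Append-only register: a withdrawal is a new event, never an edit."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id, purpose, action, notice_version):
        event = ConsentEvent(principal_id, purpose, action, notice_version,
                             datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _latest(self, principal_id, purpose):
        matches = [e for e in self._events
                   if e.principal_id == principal_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def record_consent(self, principal_id, purpose, notice_version, affirmed=False):
        # A pre-ticked box or a default never yields a valid record: the
        # caller must assert that the user actually performed the action.
        if affirmed is not True:
            raise ValueError("consent requires an affirmative act by the user")
        if not isinstance(purpose, str) or not purpose.strip():
            raise ValueError("each record covers exactly one named purpose")
        return self._append(principal_id, purpose, "given", notice_version)

    def withdraw(self, principal_id, purpose):
        # One unconditional call, as easy as giving consent was.
        current = self._latest(principal_id, purpose)
        version = current.notice_version if current else "n/a"
        return self._append(principal_id, purpose, "withdrawn", version)

    def is_active(self, principal_id, purpose) -> bool:
        # Newest event for this (user, purpose) pair decides; purposes are independent.
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.action == "given"

    def audit_trail(self, principal_id) -> list[ConsentEvent]:
        return [e for e in self._events if e.principal_id == principal_id]
```

Because withdrawals are appended rather than overwriting the original record, the ledger can show both that consent was given and when it ended, which is the evidence the Data Protection Board would ask for.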

Step 3: Update Your Privacy Notice

Under the DPDPA, your privacy notice must include specific information that most current privacy policies do not contain. Update it to include:

  • The specific purposes for which each type of personal data is being processed
  • The names of all Data Processors and third parties you share data with (not just categories — actual names)
  • A description of the personal data shared with each third party
  • Clear information on how users can exercise their rights
  • Contact details for your Grievance Officer or Data Protection Officer
  • How users can withdraw consent and what happens when they do

Write your privacy notice in plain language. The DPDPA requires it to be available in all 22 scheduled languages of India if you have users who prefer those languages.

Step 4: Appoint a Grievance Officer

Every Data Fiduciary must appoint a Grievance Officer who handles complaints and requests from Data Principals. This is not optional — it is a mandatory requirement under the Act.

The Grievance Officer's contact details must be published prominently in your privacy notice and on your website. They are responsible for responding to all data rights requests within the timeframes set by the Act.

If your organisation is designated a Significant Data Fiduciary, you must additionally appoint a Data Protection Officer who must be based in India and report directly to your Board of Directors.

Step 5: Build a Data Subject Rights (DSAR) System

Your users now have legal rights — and you need a process to honour them. A Data Subject Access Request (DSAR) system lets users submit requests and ensures your team responds correctly and on time.

  • Right to Access: Build a way for users to request a summary of all data you hold on them
  • Right to Correction: Allow users to update or correct their personal data
  • Right to Erasure: Create a process to delete a user's data when they request it and when the legal retention period has passed
  • Right to Withdraw Consent: Make it as easy to withdraw as it was to give — one click should suffice
  • Response tracking: Log every request, the date received, actions taken, and date resolved

Step 6: Audit and Manage Your Vendors

Every vendor, partner, or service provider that handles your users' personal data is a Data Processor under the DPDPA. You — as the Data Fiduciary — remain legally responsible for how they handle that data.

  • List every third party that receives or processes personal data on your behalf
  • Sign a Data Processing Agreement (DPA) with each one before sharing any data
  • Ensure the DPA includes DPDPA-compliant clauses on security, breach notification, and data deletion
  • Periodically assess each vendor's security posture and compliance status
  • Remove or replace vendors that cannot demonstrate adequate data protection practices

Step 7: Implement Security Measures

The DPDPA requires all Data Fiduciaries to implement reasonable security safeguards to protect personal data. Failing to do so is the violation that carries the highest penalty — up to ₹250 crore.

  • Encrypt personal data both in transit (TLS) and at rest (AES-256)
  • Implement role-based access controls — not everyone needs access to all data
  • Enable multi-factor authentication for systems that store personal data
  • Conduct regular security vulnerability assessments
  • Build a data breach response plan before a breach happens
  • Log and monitor access to personal data

Step 8: Document Everything and Train Your Team

The Data Protection Board can ask for evidence of compliance at any time. Documentation is your proof that you took the Act seriously.

  • Maintain records of all consent collected (timestamped, purpose-specific)
  • Keep copies of all Data Processing Agreements with vendors
  • Document your data audit and any updates to your data map
  • Record all DSAR requests received and how they were resolved
  • Train every employee who handles personal data on the basics of the DPDPA

"Compliance is not a one-time project. It is an ongoing discipline. The organisations that build it into their operations now will have a significant competitive advantage when enforcement begins."

DataDefend makes this entire checklist manageable — from automated consent collection and DSAR workflows to vendor risk scoring and audit-ready reporting. Start with a free account and see how much you can automate from day one.
