DPDP Act Compliance Checklist: 30 Items You Need to Cover
A 30-item DPDP Act compliance checklist covering data mapping, consent, security, rights, breach response, vendor contracts, and audit readiness for Indian companies.
- A comprehensive DPDP compliance checklist covers 7 domains: data mapping, lawful basis, privacy notices and consent, security safeguards, Data Principal rights, vendor management, and governance and audit readiness.
- Data mapping and gap assessment must come first — you cannot comply with obligations you have not identified.
- Security safeguards and breach notification carry the highest penalty ceilings in the Act's Schedule and deserve the most immediate attention.
- Every checklist item requires documented evidence — completion is not enough without proof.
- Use AuditPath to track each checklist item as a control with evidence attachments and owner assignments.
In this guide
- Domain 1: Data Mapping (Items 1-5)
- Domain 2: Lawful Basis (Items 6-9)
- Domain 3: Privacy Notices and Consent (Items 10-14)
- Domain 4: Security Safeguards (Items 15-19)
- Domain 5: Data Principal Rights (Items 20-23)
- Domain 6: Vendor Management (Items 24-27)
- Domain 7: Governance and Audit Readiness (Items 28-30)
Domain 1: Data Mapping (Items 1-5)
Item 1: Personal data inventory complete. Have you catalogued all personal data your company holds, including: data categories, data subjects, sources, storage locations, and retention periods? This is the foundation of every other compliance obligation.
Item 2: Data flow map complete. Have you mapped how personal data moves through your organisation, from collection point through processing systems to downstream processors and any cross-border transfers? Your data flow map should include all API integrations, database replication, backups, log and analytics pipelines, and vendor data sharing; these are the places personal data most often sits unrecorded.
Item 3: Processing activities register (ROPA). Do you maintain a register of processing activities that documents, for each activity: the purpose, the lawful basis, the data categories, the retention period, the data subjects, and the processors involved?
Item 4: Retention schedule defined. For each data category, have you defined a retention period based on the processing purpose, and does your system automatically delete or archive data when the period expires? Deletion must also reach backups and any processors holding copies, or the record is not actually gone.
Item 5: Data minimisation review. Have you audited each data collection point to verify you collect only the minimum data necessary for the stated purpose?
Domain 2: Lawful Basis (Items 6-9)
Item 6: Lawful basis documented for every processing activity. For each entry in your ROPA, is a lawful basis (Section 6 consent or a specific Section 7 legitimate use) documented and justified?
Item 7: Legitimate use assessment. For processing activities where you rely on Section 7, have you verified that the specific sub-clause applies and documented your reasoning?
Item 8: No unlawful processing identified. After completing Items 6-7, is there any processing activity without a documented lawful basis? Any such activity must either be brought within a lawful basis or ceased.
Item 9: Children's data identified and protected. Have you identified all processing of under-18 users' data and implemented Section 9-compliant controls: age verification, verifiable parental consent, and disabling of tracking/profiling/behavioural advertising for those users?
Domain 3: Privacy Notices and Consent (Items 10-14)
Item 10: Privacy notice contains all Section 5 elements: data categories, processing purposes, how rights may be exercised, and the mechanism for complaining to the Board.
Item 11: Privacy notice in plain language, not legal boilerplate, comprehensible to your average user.
Item 12: Privacy notice available in relevant languages. Section 5 gives the Data Principal the option to read the notice in English or any language in the Eighth Schedule to the Constitution; as a practical minimum, offer English and Hindi for pan-India companies, plus every language your product supports.
Item 13: Consent mechanisms are specific and unbundled — separate consent for each distinct processing purpose, with an affirmative action required. No pre-ticked boxes, no consent bundled with T&Cs acceptance.
Item 14: Consent withdrawal mechanism implemented, as accessible as the consent request, with no fees charged, and withdrawal processed promptly across all downstream systems. Consent records maintained per purpose, with timestamp, purpose details, and the privacy notice version the Data Principal was shown.
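Items 13 and 14 describe a data structure and a procedure: per-purpose consent records that can only be created by an affirmative action, and a withdrawal that propagates to downstream systems. The following is an added example of how to implement that ledger in Python; it is not code from the original page or from AuditPath. The purpose names, the notice-version string, and the callback mechanism for downstream propagation are assumptions chosen for illustration.

```python
"""Per-purpose consent ledger (added example, not from the original page).

Assumptions for illustration: purposes are short strings, every consent
event is appended to an immutable event list (never overwritten, so the
history itself is the evidence record), and downstream systems register a
callback so that a withdrawal reaches them in the same operation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one purpose per event: consent is never bundled
    granted: bool         # True = grant, False = withdrawal
    at: datetime          # UTC timestamp, kept as evidence
    notice_version: str   # which privacy notice the principal actually saw


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        # Called as hook(principal_id, purpose) whenever consent is withdrawn
        self._withdraw_hooks: list[Callable[[str, str], None]] = []

    def on_withdrawal(self, hook: Callable[[str, str], None]) -> None:
        """Register a downstream system (CRM, mailer, analytics) for withdrawals."""
        self._withdraw_hooks.append(hook)

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              affirmative: bool, at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or a default value arrives here as affirmative=False
        # and is refused: consent must be a positive act by the principal.
        if not affirmative:
            raise ValueError("consent must be an affirmative action, not a default")
        event = ConsentEvent(principal_id, purpose, True,
                             at or datetime.now(timezone.utc), notice_version)
        self._events.append(event)
        return event

    def withdraw(self, principal_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal takes no arguments beyond identity and purpose, so it is
        # never harder than granting; downstream hooks run before we return.
        event = ConsentEvent(principal_id, purpose, False,
                             at or datetime.now(timezone.utc), "")
        self._events.append(event)
        for hook in self._withdraw_hooks:
            hook(principal_id, purpose)
        return event

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """True only if the most recent event for this (principal, purpose) is a grant."""
        latest = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

    def history(self, principal_id: str) -> list[ConsentEvent]:
        """Full consent trail for one principal, for access requests and audits."""
        return [e for e in self._events if e.principal_id == principal_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    suppression_list = []  # stands in for a downstream mailer's do-not-send list
    ledger.on_withdrawal(lambda p, u: suppression_list.append((p, u)))
    ledger.grant("dp-001", "marketing_email", "notice-v3", affirmative=True)
    ledger.grant("dp-001", "service_delivery", "notice-v3", affirmative=True)
    ledger.withdraw("dp-001", "marketing_email")
    print(ledger.is_permitted("dp-001", "marketing_email"))   # False
    print(ledger.is_permitted("dp-001", "service_delivery"))  # True
    print(suppression_list)
```

Because each purpose is a separate event, withdrawing marketing consent leaves service-delivery consent untouched, which is the unbundling Item 13 asks for; the append-only list is the consent record Item 14 asks you to keep.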
Domain 4: Security Safeguards (Items 15-19)
Item 15: Encryption implemented. Personal data encrypted at rest and in transit. Document the encryption standards used (AES-256 at rest, TLS 1.2/1.3 in transit) and where the keys live: encryption at rest is only a safeguard if keys are held in a KMS or HSM with access separate from the data store and rotated on a defined schedule.
Item 16: Access controls implemented. Role-based access to personal data, principle of least privilege, access review process (quarterly minimum), administrative access with MFA.
Item 17: Vulnerability management programme. Regular vulnerability scanning, penetration testing at least annually, security patching SLA defined and adhered to.
Item 18: Security monitoring and alerting. SIEM or equivalent tool monitoring for suspicious activity involving personal data, with alerts configured for unauthorised access attempts and data exfiltration patterns.
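Items 16 and 18 together describe a detection rule: compare each access to personal data against the role's least-privilege policy, flag administrative access without MFA, and flag bulk reads that look like exfiltration. The following is an added example of that logic run over constructed audit-log lines; it is not code from the original page or from AuditPath or any particular SIEM. The JSON log format, the role-to-dataset policy, the 500-record threshold and the 10-minute window are assumptions chosen for illustration.

```python
"""Least-privilege check and exfiltration detection over audit-log lines.

Added example, not from the original page. The log format, roles, datasets,
user names and thresholds below are constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Role -> datasets that role may touch (illustrative least-privilege policy)
POLICY = {
    "support": {"customer_profile"},
    "analyst": {"orders_anonymised"},
    "admin": {"customer_profile", "orders", "kyc_documents"},
}
BULK_THRESHOLD = 500            # records per user within WINDOW before alerting
WINDOW = timedelta(minutes=10)  # sliding window for the bulk-access rule

# Constructed audit-log lines (one JSON object per line); not real data
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:00Z","user":"asha","role":"support","mfa":true,"action":"read","dataset":"customer_profile","records":3}
{"ts":"2025-01-10T09:01:00Z","user":"asha","role":"support","mfa":true,"action":"read","dataset":"kyc_documents","records":1}
{"ts":"2025-01-10T09:02:00Z","user":"ravi","role":"analyst","mfa":false,"action":"export","dataset":"orders_anonymised","records":300}
{"ts":"2025-01-10T09:05:00Z","user":"ravi","role":"analyst","mfa":false,"action":"export","dataset":"orders_anonymised","records":300}
{"ts":"2025-01-10T09:06:00Z","user":"root1","role":"admin","mfa":false,"action":"read","dataset":"kyc_documents","records":2}
"""


def parse(log_text):
    """Yield one dict per non-empty line, with ts converted to an aware datetime."""
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
            yield event


def detect(log_text):
    """Return (rule, user, detail) alerts for the three rules in Items 16 and 18."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, record_count)] inside WINDOW
    for e in parse(log_text):
        # Rule 1: access outside the role's least-privilege policy
        if e["dataset"] not in POLICY.get(e["role"], set()):
            alerts.append(("unauthorised_access", e["user"], e["dataset"]))
        # Rule 2: administrative access to personal data without MFA
        if e["role"] == "admin" and not e["mfa"]:
            alerts.append(("admin_without_mfa", e["user"], e["dataset"]))
        # Rule 3: bulk access within a sliding window (exfiltration pattern).
        # Fires on every event while the windowed total stays above threshold.
        recent[e["user"]] = [(t, n) for t, n in recent[e["user"]] if e["ts"] - t <= WINDOW]
        recent[e["user"]].append((e["ts"], e["records"]))
        total = sum(n for _, n in recent[e["user"]])
        if total > BULK_THRESHOLD:
            alerts.append(("bulk_access", e["user"], total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rules produce one alert each: support user asha reading KYC documents her role does not cover, analyst ravi exporting 600 records inside ten minutes, and an admin reading KYC documents without MFA. The same three rules are what you would configure in a SIEM; the evidence for Item 18 is the rule definitions plus a record of the alerts they raised.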
Item 19: Incident response plan documented and tested — 72-hour notification chain defined, Board notification template prepared, Data Principal notification template prepared, tabletop exercise conducted within the past 12 months. Breach log maintained.
Domain 5: Data Principal Rights (Items 20-23)
Item 20: Rights request intake mechanism in place. Dedicated email/form for access, correction, erasure, and grievance requests, published in the privacy notice, routed to a trained handler.
Item 21: Rights fulfilment process documented. For each right type, internal SLA defined, technical steps documented, response template drafted.
Item 22: Grievance redressal mechanism functional — dedicated contact channel, acknowledgement within 24-48 hours, resolution within 30 days target, grievance log maintained with outcomes.
Item 23: Nominee rights accommodation planned — process for handling requests from individuals claiming to be nominees of deceased Data Principals, verification procedure defined, documentation requirements specified.
Domain 6: Vendor Management (Items 24-27)
Item 24: Vendor inventory complete — all vendors that process personal data on your behalf identified, categorised by data category and processing activity, country of data storage documented.
Item 25: DPAs in place with all Data Processors. Every vendor in Item 24 has a signed DPA covering purpose, security, breach notification, and data return/deletion. DPA review date documented.
Item 26: Processor security assessed. For material processors, evidence of security certification (SOC 2 Type II, ISO 27001) requested and reviewed annually.
Item 27: Cross-border transfer register. All transfers outside India documented, destination countries noted, business justification documented. Section 16 works by restriction rather than approval: transfers are permitted unless the Central Government notifies a country or territory as restricted, so check each destination against any such notification and monitor for new ones.
Domain 7: Governance and Audit Readiness (Items 28-30)
Item 28: Privacy Lead or DPO appointed — a named individual responsible for DPDP compliance, with defined role, authority, reporting lines, and contact details published in the privacy notice. If classified as an SDF, DPO is India-based and formally appointed.
Item 29: Privacy training completed. All staff handling personal data have received privacy awareness training in the past 12 months. Training completion recorded as evidence.
Item 30: Compliance evidence file maintained. All compliance documentation (ROPA, privacy notice versions, consent records procedure, security policy, IRP, DPAs, training records) compiled in a retrievable evidence file. AuditPath or an equivalent compliance platform used to track control status and manage evidence.
Review this checklist quarterly. Update it when new processing activities are introduced, new vendors are engaged, or regulatory developments occur. Treat it as a living document, not a one-time project deliverable.
Frequently Asked Questions
Which of these 30 items should we prioritise if we have limited resources?
How long does it typically take to complete all 30 items?
Do we need external legal advice to complete this checklist?
What evidence should we maintain for each checklist item?
Should we share our compliance checklist status with customers?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.