DPDP Act 2023 Compliance Checklist
for Indian Businesses
A practical 20-point checklist to assess where your business stands against the Digital Personal Data Protection Act, 2023, and what to fix first. Written by a practising cybersecurity consultant.
Updated April 2026 · No jargon · No sales email spam
Why this checklist exists
The DPDP Act carries strict penalties: up to ₹250 crore for a single failure to take reasonable security safeguards against a personal data breach. Most Indian SMEs we speak to know the Act exists but have not mapped their own data flows or named a Data Protection Officer. This checklist is the fastest way to see where you are exposed before the Rules are fully enforced.
Work through each item and score yourself: Done, Partial, or Not started. If more than 8 items are "Not started", you are in the urgent-action zone.
20 Points to Test Your DPDP Readiness
Six sections, twenty practical questions. If you cannot confidently say "yes" to a line, treat it as an open action item.
1. Data Mapping & Inventory
You cannot protect what you do not know you have. Start here.
We have a documented inventory of all personal data we collect (customer, employee, vendor) with source, purpose, and retention period.
We have mapped where personal data flows: from collection point, through systems, to third parties, to storage.
We have classified personal data by sensitivity (e.g. financial, health, Aadhaar-linked, children's data) with appropriate controls for each class.
We have a list of every vendor, processor, or SaaS tool that receives personal data on our behalf, with their role (Data Processor vs. Sub-Processor) identified.
2. Consent Management
The Act requires consent that is free, specific, informed, unconditional and unambiguous, obtained separately from general terms and conditions.
We obtain explicit, purpose-specific consent before processing personal data, using plain-language notice in English plus regional languages where relevant.
We have a mechanism for users to withdraw consent as easily as they gave it, and systems that actually stop processing when they do.
We maintain an auditable log of when and how each consent was obtained (and later withdrawn).
For data about children (under 18), we have a verifiable parental-consent workflow, and we do not track, behaviourally monitor, or direct targeted advertising at children.
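The consent items above come down to one design question: can every processing path in your systems ask "is there a current, purpose-specific grant for this person?" and get an answer from an append-only record. The following Python sketch is an added example, not part of the original checklist and not RingSafe's tooling. It records each grant and withdrawal as a separate event (with when, how, and under which notice version it was captured), answers the processing question as of now or as of any past moment, and refuses to record a child's consent without a verified guardian. The field names, the set of purposes treated as never lawful for children, the age data, and the sample events are all assumptions made for illustration.

```python
"""Purpose-specific consent ledger with withdrawal and child-consent gates (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

CHILD_AGE_LIMIT = 18                                                   # assumption: under 18 is a child
CHILD_PROHIBITED = {"targeted_advertising", "behavioural_monitoring"}  # assumed never lawful for children


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str                       # exactly one purpose per event, never a bundle
    action: str                        # "granted" or "withdrawn"
    at: datetime                       # when it happened (UTC)
    channel: str                       # how it was captured, e.g. "web-form", "app"
    notice_version: str                # the notice text the principal actually saw
    guardian_id: Optional[str] = None  # verified parent/guardian; children only


@dataclass
class ConsentLedger:
    ages: dict                                   # principal_id -> age (assumed known to the business)
    events: list = field(default_factory=list)   # append-only; nothing is edited or deleted

    def is_child(self, principal_id: str) -> bool:
        return self.ages.get(principal_id, CHILD_AGE_LIMIT) < CHILD_AGE_LIMIT

    def record(self, ev: ConsentEvent) -> None:
        """Validate and append one event."""
        if ev.action not in ("granted", "withdrawn"):
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.action == "granted" and self.is_child(ev.principal_id) and not ev.guardian_id:
            raise ValueError("child consent needs a verified guardian_id")
        self.events.append(ev)

    def latest(self, principal_id: str, purpose: str,
               as_of: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Most recent event for (principal, purpose), optionally as it stood at a past time."""
        hits = [e for e in self.events
                if e.principal_id == principal_id and e.purpose == purpose
                and (as_of is None or e.at <= as_of)]
        return max(hits, key=lambda e: e.at) if hits else None

    def may_process(self, principal_id: str, purpose: str,
                    as_of: Optional[datetime] = None) -> bool:
        """The one gate every processing path calls; a withdrawal flips it to False."""
        if self.is_child(principal_id) and purpose in CHILD_PROHIBITED:
            return False
        last = self.latest(principal_id, purpose, as_of)
        return last is not None and last.action == "granted"

    def history(self, principal_id: str) -> list:
        """Audit trail for one principal, oldest first: when, how, and under which notice."""
        mine = sorted((e for e in self.events if e.principal_id == principal_id), key=lambda e: e.at)
        return [{"purpose": e.purpose, "action": e.action, "at": e.at.isoformat(),
                 "channel": e.channel, "notice": e.notice_version} for e in mine]


def sample_time(hour: int) -> datetime:
    """Constructed timestamp helper: 1 April 2026 at the given UTC hour."""
    return datetime(2026, 4, 1, hour, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: an adult who grants then withdraws marketing consent, and one child."""
    led = ConsentLedger(ages={"p-001": 34, "p-002": 15})
    led.record(ConsentEvent("p-001", "order_fulfilment", "granted", sample_time(9), "web-form", "notice-v3"))
    led.record(ConsentEvent("p-001", "marketing", "granted", sample_time(9), "web-form", "notice-v3"))
    led.record(ConsentEvent("p-001", "marketing", "withdrawn", sample_time(15), "account-settings", "notice-v3"))
    led.record(ConsentEvent("p-002", "order_fulfilment", "granted", sample_time(10), "app", "notice-v3",
                            guardian_id="g-77"))
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("marketing allowed now?", ledger.may_process("p-001", "marketing"))                  # False
    print("marketing allowed at 12:00?", ledger.may_process("p-001", "marketing", sample_time(12)))  # True
    for row in ledger.history("p-001"):
        print(row)
```

In production the event list would live in a write-once store (an append-only table or a signed event stream) rather than in memory, and the point of `as_of` is the audit question a regulator actually asks: not "is consent valid today?" but "was it valid on the day you sent that campaign?". The hard part is organisational, not the code: every job, export and integration that touches personal data has to call the gate, which is why the data-flow map in section 1 comes first.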
3. Data Principal Rights
Users now have enforceable rights. You must be ready to honour them on demand.
We have a documented, tested process for Data Principals to request access, correction, completion, updating, and erasure of their data, with a published contact point.
We have a formal grievance-redressal mechanism with named owners and stated response SLAs (recommend: 7 days).
We support a Data Principal's right to nominate another individual who can exercise their rights in the event of their death or incapacity.
4. Security Safeguards
Technical and organisational controls: the Act says "reasonable", regulators will say more.
We enforce Multi-Factor Authentication on every system that touches personal data, with no exceptions for admin accounts.
We encrypt personal data in transit (TLS 1.2+) and at rest (database-level or field-level for sensitive attributes).
We apply the principle of least privilege β access to personal data is reviewed at least quarterly and revoked on role change or exit.
We have logging and monitoring that would detect unauthorised access to personal data within hours, not weeks.
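The last three items in this section only count if something actually runs over your access logs. As an added example (not part of the original checklist and not RingSafe's tooling), the Python below applies three checks to a constructed personal-data access log: a read by a role that is not on the entitlement list for that dataset (least privilege), a bulk read above a threshold inside a sliding window (detection in hours, not weeks), and privileged access without MFA. The log format, the entitlement table, the thresholds and every sample line are assumptions made for illustration.

```python
"""Detection rules over a personal-data access log (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed entitlements, dataset -> roles allowed to read it. This is the table the
# quarterly access review produces; anything not in it is unentitled, admins included.
ENTITLEMENTS = {
    "customers_pii": {"support", "billing"},
    "employee_hr": {"hr"},
}
BULK_ROWS = 500                # rows per user per dataset inside WINDOW that count as a bulk read
WINDOW = timedelta(minutes=10)

# Constructed sample log (JSON lines, assumed format). It holds a normal support session,
# an HR account browsing customer PII it has no entitlement for, a billing service
# account pulling 700 rows in under a minute, and an admin reading HR data without MFA.
SAMPLE_LOG = """
{"ts": "2026-04-03T10:01:00Z", "user": "asha",    "role": "support", "dataset": "customers_pii", "rows": 12,  "mfa": true}
{"ts": "2026-04-03T10:02:30Z", "user": "ravi",    "role": "hr",      "dataset": "customers_pii", "rows": 3,   "mfa": true}
{"ts": "2026-04-03T10:03:00Z", "user": "asha",    "role": "support", "dataset": "customers_pii", "rows": 20,  "mfa": true}
{"ts": "2026-04-03T10:04:10Z", "user": "dev-bot", "role": "billing", "dataset": "customers_pii", "rows": 400, "mfa": true}
{"ts": "2026-04-03T10:05:00Z", "user": "dev-bot", "role": "billing", "dataset": "customers_pii", "rows": 300, "mfa": true}
{"ts": "2026-04-03T10:09:00Z", "user": "root",    "role": "admin",   "dataset": "employee_hr",   "rows": 1,   "mfa": false}
"""


def parse(log_text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events: list) -> list:
    """Run three rules over time-ordered events and return one alert dict per finding."""
    alerts = []
    recent = defaultdict(list)   # (user, dataset) -> [(ts, rows)] still inside the sliding window
    bulk_flagged = set()         # alert once per (user, dataset), not once per extra batch

    def alert(rule: str, e: dict) -> None:
        alerts.append({"rule": rule, "user": e["user"], "role": e["role"],
                       "dataset": e["dataset"], "at": e["ts"].isoformat()})

    for e in events:
        # Rule 1: least privilege. The role must be entitled to this dataset.
        if e["role"] not in ENTITLEMENTS.get(e["dataset"], set()):
            alert("unentitled_access", e)

        # Rule 2: privileged access without MFA, which the checklist says must not exist.
        if e["role"] == "admin" and not e["mfa"]:
            alert("admin_without_mfa", e)

        # Rule 3: bulk read. Sum rows per (user, dataset) over the sliding window.
        key = (e["user"], e["dataset"])
        cutoff = e["ts"] - WINDOW
        recent[key] = [(t, r) for t, r in recent[key] if t >= cutoff] + [(e["ts"], e["rows"])]
        if sum(r for _, r in recent[key]) >= BULK_ROWS and key not in bulk_flagged:
            bulk_flagged.add(key)
            alert("bulk_read", e)
    return alerts


def run_sample() -> list:
    """Convenience wrapper: alerts for the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The entitlement table is the bridge between the quarterly access review and the SOC: if the review is real, the table is current and rule 1 fires on exactly the accounts that should have been revoked on role change or exit. Thresholds like `BULK_ROWS` need tuning per dataset; the constructed values here are only there to make the sample log trip the rule.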
5. Governance & Accountability
The Act holds specific roles accountable. Name them and train them.
We have appointed a Data Protection Officer (mandatory for Significant Data Fiduciaries; strongly recommended for others), with a published contact channel.
Our Board or leadership team reviews data-protection posture at least twice a year β with minuted decisions.
Every employee who handles personal data has had documented DPDP-awareness training within the last 12 months.
6. Breach & Incident Response
Breaches must be notified to the Data Protection Board and affected users.
We have a written Incident Response plan that specifically covers personal-data breaches, with named responders, escalation paths, and communication templates.
We have tested the breach-notification workflow in a tabletop exercise in the last 12 months, and timed ourselves against the 72-hour notification window.
Get the DPDP Action Pack
Printable 20-point DPDP checklist PDF, plus monthly DPDP intelligence briefings: new enforcement actions, rule clarifications, breach patterns, and practical implementation templates. Delivered to your inbox. Unsubscribe any time.
Prefer to skip the email? Download the PDF directly.
Common Questions
Who does the DPDP Act apply to?
The DPDP Act 2023 applies to every business that processes digital personal data in India, and to foreign businesses that offer goods or services to people in India. There is no minimum-size threshold; a 5-person startup with a customer email list is in scope.
When does DPDP enforcement actually begin?
The Act was notified in August 2023 but most obligations activate when the Central Government notifies the DPDP Rules. The Rules have been circulated in draft form; Indian regulators have signalled a staged rollout through 2026. Treat the Act as already binding: retrofitting consent and data-mapping takes months.
What are the penalties?
The maximum penalty is ₹250 crore, for failing to take reasonable security safeguards to prevent a personal data breach. The other categories in the Schedule to the Act: up to ₹200 crore for failing to notify the Board and affected Data Principals of a breach, up to ₹200 crore for breaching the obligations relating to children, up to ₹150 crore for a Significant Data Fiduciary failing its additional obligations, up to ₹50 crore for any other breach of the Act, and up to ₹10,000 for a Data Principal who breaches their own duties (for example, filing a false or frivolous complaint). Penalties are imposed by the Data Protection Board after an inquiry.
Do we need a Data Protection Officer?
A DPO is mandatory only for entities designated as Significant Data Fiduciaries (SDFs). Non-SDFs still need a Contact Person who can address Data Principal grievances. In practice, every business processing meaningful volumes of personal data should name a DPO β regulators view it as evidence of accountability.
Can RingSafe help us implement this?
Yes. A typical SME engagement: 2 weeks for data mapping and gap assessment, 4 to 6 weeks for consent/rights/security remediation, 1 week for DPIA and final report. Fixed-scope, fixed-price. Email hello@ringsafe.in or book a free consultation to discuss your environment.
Skip the Guesswork. Get a DPDP Roadmap.
A 30-minute consultation with Manish Garg. Walk away with 3 to 5 specific DPDP actions, prioritised by risk and effort.
No sales pitch. Responds within 24 hours.
Understand the "why" behind each item
Our DPDP Practitioner track explains the Act, walks through data mapping, designs consent UX, and tabletops breach response.