Free Tool · 5-Minute Self-Assessment

DPDP Act Readiness Checklist
for Indian Organisations

Twenty practitioner-grade questions to test whether your organisation is genuinely DPDP-ready — or whether you are one DSR away from a regulator enquiry. No email gate.

Questions: 20 · Time: 5 min · Output: score band · Email gate: none
The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the document or run the workflow today, not if it is planned. Your score band appears at the bottom once all twenty are answered.

01

Discovery & Data Mapping

You cannot comply with what you have not catalogued. Every DPDP gap audit starts here.

1
We have a current Record of Processing Activities (RoPA) covering every system, vendor, and SaaS tool that touches personal data.
2
We have mapped every data flow from collection point through processing to storage, including third-party transfers and sub-processors.
3
We have classified personal data by sensitivity (financial, health, Aadhaar, biometric, children's) and applied differential controls per class. The Act itself has no separate "sensitive data" category, but sectoral rules and breach impact do, so the classification still drives the controls.
4
We have inventoried every cross-border transfer (destination country, recipient, purpose) so that each one can be checked against any country the Central Government restricts by notification under DPDP §16.
02

Lawful Basis & Consent

DPDP §6 sets a high bar for consent. Most existing consent flows fail it.

5
Every processing activity has a documented lawful ground under DPDP §4: either consent under §6 or one of the legitimate uses listed in §7.
6
Our consent requests meet the §6 wording (free, specific, informed, unconditional and unambiguous, given by clear affirmative action), are limited to the personal data necessary for the stated purpose, and are not bundled into Terms and Conditions.
7
Consent notices are available in English or any language in the Eighth Schedule, at the Data Principal's option as §5(3) and §6(3) require, with a withdrawal mechanism as easy to use as the consent itself.
</gra_replace>
<gr_replace lines="51-51" cat="clarify" orig="For data about">
For data about children (under 18), we have a verifiable parental or lawful-guardian consent workflow under §9, and we do not run targeted advertising, tracking or behavioural monitoring directed at children.
8
For data about minors, we have a verifiable parental-consent workflow and we do not run targeted advertising or behavioural tracking on children.
03

Data Principal Rights

The rights in Sections 11 to 14 (access, correction and erasure, grievance redressal, nomination) are enforceable. Build the workflows before the requests arrive.

9
We have a documented and tested Data Subject Request (DSR) workflow covering access (§11) and correction, completion, updating and erasure (§12), with a published response time that fits inside the 90-day outer limit proposed in the Draft Rules (the Act itself fixes no number).
10
We have a published grievance-redressal mechanism with a named contact person and stated response timelines.
11
We can fulfil nomination requests under §14: recording the individual a Data Principal nominates to exercise their rights in the event of death or incapacity, and honouring that nominee's requests when the time comes.
12
We have templated DSR responses (acknowledge, fulfil, partial-reject, reject) with clear legal grounds for any refusal.
04

Vendors, DPAs & Cross-Border

Your processors are your liability. Map them, paper them, monitor them.

13
We have signed DPAs (Data Processing Agreements) with every processor and sub-processor that handles personal data on our behalf.
14
Each DPA carries the clauses a fiduciary needs to discharge its §8 obligations through the processor: purpose limitation, security obligations, sub-processor approval, breach notification within a window that lets us meet our own deadline, audit rights, and return or deletion of data on termination. The Act requires a valid contract (§8(2)) but does not enumerate clauses, so this list is practice, not statute.
15
We have due-diligence records for each vendor (security questionnaire, certifications, breach history) refreshed at least annually.
16
For all cross-border transfers, we have verified the destination country is not one the Central Government has restricted under DPDP §16, documented the contractual and security safeguards in the receiving processor's DPA, and checked for any stricter sectoral localisation rule, which §16(2) expressly preserves.
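Sections 01 and 04 only become mechanical once the inventory is structured data rather than a spreadsheet of prose. The following is an added example, not a tool from this page: it models a minimal RoPA-style inventory and runs the checklist's lawful-basis, children's-data, DPA and §16 checks over it. The restricted-destination code "XX", the data classes and the three sample activities are all constructed for illustration; the real restricted list is whatever the Central Government notifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical placeholder. DPDP s16 lets the Central Government notify
# countries to which transfer is restricted; no real country is named here.
RESTRICTED_DESTINATIONS: Set[str] = {"XX"}

# s4 grounds: consent (s6) or one of the legitimate uses in s7.
LAWFUL_BASES = {"consent", "legitimate_use"}


@dataclass
class Transfer:
    destination: str  # ISO 3166 code of the country the data lands in
    processor: str    # which processor receives it


@dataclass
class Activity:
    name: str
    data_classes: Set[str]            # e.g. {"financial", "children"}
    lawful_basis: Optional[str]       # "consent", "legitimate_use" or None
    processors: List[str]             # every processor and sub-processor in the flow
    transfers: List[Transfer] = field(default_factory=list)
    parental_consent: bool = False    # verifiable parental-consent workflow exists (s9)


def gap_check(activities: List[Activity], dpas: Dict[str, bool]) -> List[str]:
    """Return one finding per gap against the checklist; empty list means no gaps found.

    `dpas` maps processor name -> True if a signed DPA is on file.
    """
    findings: List[str] = []
    for a in activities:
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append(f"{a.name}: no lawful basis recorded (s4/s7)")
        if "children" in a.data_classes and not a.parental_consent:
            findings.append(f"{a.name}: children's data without verifiable parental consent (s9)")
        for p in a.processors:
            if not dpas.get(p, False):
                findings.append(f"{a.name}: processor {p} has no signed DPA (s8(2))")
        for t in a.transfers:
            # A transfer to a party missing from the processor list is a mapping gap:
            # the flow was never catalogued, so it was never papered either.
            if t.processor not in a.processors:
                findings.append(f"{a.name}: transfer to {t.processor} not in processor list (mapping gap)")
            if t.destination in RESTRICTED_DESTINATIONS:
                findings.append(f"{a.name}: transfer to restricted destination {t.destination} (s16)")
    return findings


# Constructed sample inventory; illustrative names, not real vendors or data.
SAMPLE_ACTIVITIES = [
    Activity("customer_onboarding", {"financial"}, "consent",
             ["kyc-vendor"], [Transfer("SG", "kyc-vendor")]),
    Activity("kids_learning_app", {"children"}, "consent",
             ["analytics-co"], [Transfer("XX", "analytics-co")]),
    Activity("payroll", {"financial"}, None,
             ["payroll-saas"], [Transfer("US", "backup-co")]),
]
SAMPLE_DPAS = {"kyc-vendor": True, "analytics-co": False, "payroll-saas": True}

if __name__ == "__main__":
    for finding in gap_check(SAMPLE_ACTIVITIES, SAMPLE_DPAS):
        print(finding)
```

Run against the sample, the first activity is clean and the other two produce five findings between them: the children's app lacks parental consent, its analytics processor has no DPA and its transfer lands in the restricted placeholder country; payroll has no recorded basis and ships data to a backup provider that never made it onto the processor list. Feed the checker your real inventory and the findings become the remediation list for the "Critical exposure" and "At risk" bands.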
05

Governance, Security & Breach Response

The DPDP Board will ask for these documents first when an incident or complaint lands.

17
We have appointed a Data Protection Officer (mandatory under §10 if designated a Significant Data Fiduciary) who is based in India, reports to the board or equivalent governing body, and has a published contact channel; otherwise we have published the contact details of a person able to answer Data Principals' questions, as §8(9) requires.
18
We enforce reasonable security safeguards proportionate to risk, as §8(5) requires: MFA on all administrative access, encryption at rest and in transit, least-privilege access reviewed at least quarterly, and logging sufficient to reconstruct a breach.
19
We have a written breach-response runbook with named responders, evidence-capture procedures, and ready templates for both notifications §8(6) requires: to the Data Protection Board (the Draft Rules propose immediate intimation followed by a detailed report within 72 hours) and to each affected Data Principal.
20
We have run a tabletop exercise of the breach-response workflow within the last 12 months and timed ourselves against the notification window.
What "Ready" Looks Like

Three Bands. Three Plays.

0–7
Critical exposure

You are materially non-compliant. A Data Principal complaint or breach today will not survive Board scrutiny. Treat the next 90 days as remediation: data discovery, RoPA build-out, consent-flow rework, DPA papering with all vendors.

8–14
At risk

Foundations exist but operational evidence is thin. Close the DSR workflow, the breach runbook, and the highest-risk vendor DPA gaps in the next 60 days. Schedule a tabletop exercise to test breach response against the 72-hour clock.

15–20
Compliance-defensible

You can stand behind your posture in front of a Data Protection Board enquiry. Move to continuous monitoring: quarterly RoPA refresh, annual DPIA review, automated DSR routing, and board-level privacy MIS.

FAQ

Common Questions

Who is in scope of the DPDP Act?

Every organisation that processes digital personal data in India (collected digitally or digitised afterwards), plus foreign organisations processing personal data in connection with offering goods or services to people in India. There is no minimum-size threshold: a 5-person startup with a customer email list is in scope. Section 17(3) lets the Central Government notify classes of fiduciaries, including startups, as exempt from a subset of obligations, but until such a notification names you, assume full scope.

What is the difference between a Data Fiduciary and a Significant Data Fiduciary?

A Data Fiduciary is anyone who, alone or with others, determines the purpose and means of processing personal data. A Significant Data Fiduciary (SDF) is a Fiduciary or class of Fiduciaries the Central Government has notified under §10, based on factors such as volume and sensitivity of data, risk to Data Principals' rights, and potential impact on sovereignty, security of the State, public order or electoral democracy. SDFs face additional obligations: a DPO based in India, an independent data auditor, and periodic Data Protection Impact Assessments and audits.

When does enforcement actually begin?

The Act was notified in August 2023, but its operative sections come into force only on dates the Central Government notifies, and most operational obligations depend on the DPDP Rules, which have been circulated in draft. A staged rollout through 2026 is the regulator's signalled approach. Treat the Act as already binding: retrofitting consent flows and data mapping takes months, not weeks.

Do small businesses really need a DPO?

A DPO is mandatory only for entities notified as Significant Data Fiduciaries. Every other fiduciary must still publish the contact details of a person able to answer Data Principals' questions (§8(9)) and run a grievance-redressal mechanism (§8(10)). Practically, any business with meaningful personal-data volumes should name a DPO anyway: a named, accountable owner is the first thing a Board enquiry will ask for.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The 50-page buyer's guide explains the why behind every line, walks through gap-assessment methodology, RoPA construction, DSR runbook design, breach-notification mechanics, and vendor selection — with sample templates and Indian-context cost benchmarks.

Need an implementation roadmap?

Skip the Guesswork. Get a DPDP Roadmap.

A 30-minute consultation. Walk away with a prioritised remediation list, an effort estimate, and a sequenced 90-day plan that closes your highest-risk gaps first.

No sales pitch. Responds within 24 hours.