DPDPA Compliance Checklist for Digital Businesses in India [2026]
A practical readiness guide covering governance, consent, data lifecycle, security controls, vendor risk, and continuous monitoring under India's DPDPA.
DPDPA Compliance Checklist for Digital Businesses in India [2026]
The Digital Personal Data Protection Act (DPDPA) is India's law governing how businesses handle personal data. It introduces strict rules for consent, data security, and user rights, with penalties reaching up to ₹250 crore for violations.
November 2025
DPBI operations began
The Data Protection Board of India commenced operations, establishing the regulatory foundation for enforcement.
November 2026
Consent Manager framework
The Consent Manager framework rolls out, enabling users to manage consent signals across platforms.
May 2027
Full enforcement begins
Full enforcement of DPDPA obligations takes effect — organisations must be operationally ready.
Penalty exposure
Up to ₹250 crore
Per contravention for serious violations under the Act
Core Requirements
Clear consent, plain-language privacy notices in 22 Indian languages, and correct classification as Data Fiduciary or Data Processor.
Key Challenges
Legacy system sprawl, tight deletion timelines, and updating vendor contracts to DPDPA standards.
Steps to Prepare
Build a data inventory, implement consent management, update retention and breach policies, and conduct mock audits and DPIAs.
With penalties for non-compliance being steep, businesses must act now to align with DPDPA standards. Automating processes and integrating AI-driven compliance tools like CISOGenie can simplify compliance efforts.
Governance and Accountability Readiness
Getting governance right is the bedrock of compliance. Before diving into policies or vendor contracts, your organisation must first define responsibilities, starting with identifying your role under the Act. A strong governance framework not only meets DPDPA requirements but also aligns with standards like ISO 27001 and SOC 2.
Defining Roles and Responsibilities
Clearly defining roles is critical for audit readiness under the DPDPA. The first step is identifying whether your organisation functions as a Data Fiduciary, a Data Processor, or both. A Data Fiduciary determines why and how personal data is processed, while a Data Processor works on the Fiduciary's instructions. Many digital organisations find themselves wearing both hats depending on the context.
Once roles are defined, accountability must be shared across the organisation rather than being siloed in Legal or IT. A structured governance model might look like this:
| Role | Key Responsibility | Mandatory For |
|---|---|---|
| Data Protection Officer (DPO) | DPIA oversight, DPB coordination, grievance handling | Significant Data Fiduciaries (SDFs) |
| Executive Sponsor | Risk appetite, funding, board-level reporting | All organisations |
| Privacy Lead / Manager | Day-to-day compliance, data mapping, vendor reviews | All organisations |
| Data Owner | Data quality, classification, access approvals per dataset | All organisations |
| Independent Auditor | Periodic external validation of controls | Significant Data Fiduciaries (SDFs) |
For SDFs, the DPO must be based in India and report directly to the Board of Directors, ensuring independence from roles like the CISO or CTO. For non-SDFs, an internal Privacy Lead or a virtual DPO (costing around ₹3–5 lakhs annually) can be a more affordable and practical solution.
Developing and Mapping Compliance Policies
Your existing policies must be supplemented with 12 DPDPA-specific documents. These include a Privacy Policy, Data Retention Policy, Data Breach Response Plan, Consent Management Framework, Vendor Management Policy, Cross-Border Transfer Assessment, Employee Data Handling Guidelines, Data Subject Rights Procedure, Security Incident Response Plan, Third-Party Audit Rights, Data Processing Agreements (DPAs), and Records of Processing Activities (RoPA).
A common error is copying GDPR policies and rebranding them. The DPDPA's stricter consent requirements demand tailored documents. For example, there's no "legitimate interest" clause for marketing, and privacy notices must be available in English and any of the 22 languages listed in the Eighth Schedule of the Constitution if requested.
DPDP is simpler than GDPR in some ways, stricter in others. The biggest difference: consent requirements are much stricter in DPDP. You can't rely on 'legitimate interest' for marketing.
If your organisation already follows frameworks like ISO 27001 or SOC 2, map your DPDPA requirements to these existing controls. This avoids redundant work and demonstrates to auditors that your current security measures address many DPDPA obligations. Tools like CISOGenie can streamline this process by mapping controls across over 35 standards, saving significant manual effort.
Risk Oversight and DPIA Readiness
Not all data processing activities carry the same level of risk. While DPIAs are mandatory for SDFs, organisations managing children's data, large-scale sensitive data, or data impacting national security should also adopt DPIAs as a best practice.
A DPIA is only as effective as the data map supporting it. Without a thorough understanding of where personal data resides, how it flows, and which third parties access it, risk assessments will inevitably miss critical areas.
Once completed, DPIA findings must be documented with clear ownership and remediation plans. Filing them away without follow-up leaves your organisation vulnerable.
The law starts to hurt when a grievance, breach, or audit lands on your table and you cannot produce evidence of reasonable measures.
To stay on track, focus on these key milestones:
- Late 2025: Complete governance structure and data mapping.
- Mid-2026: Implement controls, update contracts, deploy consent mechanisms, and train staff.
- Late 2026: Conduct mock audits, test breach notifications, and maintain live DPIAs.
With governance firmly in place, the next step is to map and manage the entire data lifecycle effectively.
Data Lifecycle Management and Data Principal Rights
Managing personal data effectively is not just a best practice; it's essential for meeting compliance standards under the DPDPA. With data often scattered across multiple systems, ensuring proper oversight can be tricky. Below, we'll explore how to map data, manage consent, implement retention policies, and handle rights requests with precision.
Building a Data Inventory and Flow Map
You can't protect what you don't know exists. Start by identifying every point where personal data enters your systems — whether through web forms, mobile apps, APIs, CRM tools, or HR files.
Once you've gathered this information, classify it into three categories: general personal data (like names or email addresses), sensitive personal data (such as financial or health information), and children's data (pertaining to users under 18). For each dataset, document key details like its purpose, legal basis, recipients, and retention period.
Data outsourcing is not accountability, and a privacy policy without a data map is just branding.
Don't overlook legacy data — like old leads, rejected job applications, or inactive user accounts. If there's no valid reason to keep this data, delete it. Holding unnecessary data could lead to penalties of up to ₹250 crore per incident. For engineering teams, auditing repositories (e.g., checking configuration files for undocumented third-party API calls) can help uncover any "shadow" tools processing personal data. Ensure every access or change is logged, creating a tamper-proof audit trail for accountability.
Setting Up a Consent Management System
The DPDPA enforces stringent consent rules, leaving little room for ambiguity. Unlike many other regulations, it doesn't allow a "legitimate interest" basis for most commercial data uses — consent must be the default for activities like marketing and analytics.
Consent mechanisms must be clear, specific, and freely given. Pre-checked boxes or consent bundled into Terms of Service won't cut it. Privacy notices should be presented separately, in plain language, and translated into any of India's 22 scheduled languages upon request.
A Data Fiduciary that allows consent to be given with a single tap but requires a multi-step email-and-callback process to withdraw it would violate both the Act and these Rules.
Technically, organisations need a consent registry that logs every detail — purpose code, consent text, timestamps, user IPs, and even a hash of the UI state at the moment of consent. By November 2026, systems must also integrate with registered Consent Managers, which allow users to manage consents across multiple platforms. For users under 18, parental consent is mandatory, and targeted advertising to minors is strictly off-limits.
DPDPA Consent ManagementData Retention, Deletion, and Archiving
Retention policies aren't optional — they're a legal requirement. Define clear retention periods for each dataset and use event-driven deletion systems to ensure data is removed within the required 7-day window. When full deletion isn't feasible due to other legal obligations, use methods like soft-delete or pseudonymisation. Platforms with over 2 crore users, such as large e-commerce sites, must delete data after 3 years of account inactivity. Automated triggers are far more reliable than manual reviews for meeting these deadlines.
The 7-day erasure timeline is tight. Most enterprise software systems have data scattered across production databases, backups, analytics systems, data warehouses, and third-party integrations.
With retention policies in place, organisations must also prepare to address individual rights.
Handling Data Principal Rights Requests
The DPDPA grants individuals the right to access, correct, erase, and raise grievances regarding their data. Organisations must acknowledge requests within 72 hours and respond within 30 days.
| Right | What It Requires | Technical Approach |
|---|---|---|
| Access | Provide a copy of all personal data held | Aggregate data into a machine-readable format like JSON or CSV |
| Correction | Update inaccurate or outdated data | Enable field-level updates with detailed change logging |
| Erasure | Delete data once its purpose is fulfilled or consent withdrawn | Use soft-delete, pseudonymisation, and automate hard-deletion after retention periods |
| Grievance | Address complaints about data processing | Implement a ticketing system with a 30-day resolution SLA |
Identity verification is crucial before processing any request. Use methods like OTPs, Aadhaar-based checks, or verified account logins to prevent unauthorised access. Log every request with a unique ID, timestamp, and details of the action taken to maintain a clear audit trail. Implementing a self-service portal can make this process more scalable than relying on email-based workflows. Tools like CISOGenie can automate evidence collection and create audit trails, reducing manual effort and ensuring compliance. Remember, failing to meet the statutory response window could result in fines as high as ₹50 crore.
Security Controls, Vendor Risk, and Cross-Border Data Transfers
Putting Data Security Controls in Place
Rule 6 outlines "reasonable security safeguards" across seven critical areas: encryption and obfuscation, access control, logging and monitoring, continuity measures like backups, a minimum one-year log retention period, contractual safeguards with data processors, and technical plus organisational measures. These aren't just recommendations — failing to follow them can lead to fines of up to ₹250 crore per incident, making it the costliest violation under the Act.
Failure to implement reasonable security safeguards is the single highest-penalty contravention in the DPDP Schedule - up to Rs 250 crore per contravention.
To meet these requirements, implement AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit. Use strict Role-Based Access Control (RBAC) policies with no shared admin accounts. Maintain tamper-evident logs for incident investigations and enable automated tools like SIEM for breach detection and forensics. Also, prepare pre-drafted breach notification templates to comply with the 72-hour reporting requirement. Align these measures with existing ISO 27001 or SOC 2 frameworks to ensure consistent governance.
Managing Vendor and Third-Party Risk
As a Data Fiduciary, you're responsible for ensuring compliance even when working with third-party Data Processors.
Start by creating a detailed inventory of all vendors — this includes SaaS tools, cloud providers, payment gateways, and APIs that interact with personal data. Use tools or scripts to uncover any undocumented third-party integrations, often referred to as "shadow" processors. Once identified, ensure every vendor signs a Data Processing Agreement (DPA). These agreements should include breach notification timelines, audit rights, and restrictions on unauthorised sub-processing. Avoid reusing GDPR-specific DPAs, as Indian regulations, particularly around children's data, have unique requirements. Platforms like CISOGenie can automate vendor risk profiling and identify gaps in DPA coverage before they escalate into compliance issues.
| Step | Action Required |
|---|---|
| Inventory | Maintain a list of all processors and sub-processors |
| Classification | Categorise vendors based on the sensitivity of the data they handle |
| Contracting | Ensure DPAs include breach notification and audit clauses |
| Assessment | Conduct regular security evaluations |
| Monitoring | Track compliance with data retention and deletion policies |
Cross-Border Data Transfers and Localisation Requirements
India's rules for cross-border data transfers take a different path compared to GDPR. Under the DPDPA, personal data can be transferred abroad unless the Central Government explicitly places a country on a restricted "negative list". This mechanism is expected to go live on 1st August 2026, meaning businesses should start preparing now by setting up monitoring systems.
A practical approach is to host primary production data within Indian cloud regions — such as AWS Mumbai (ap-south-1), Azure Central India (Pune), or GCP Mumbai (asia-south1) — with disaster recovery in other Indian regions. This strategy avoids most cross-border complications. For scenarios requiring international vendors, consider pseudonymising or redacting personally identifiable information (PII) before making API calls to reduce exposure. Additionally, ensure that non-Indian processors sign DPAs aligning with DPDPA requirements, and clearly inform users if their data will be stored outside India.
Keep in mind that the DPDPA's 72-hour breach notification rule works alongside CERT-In's stricter 6-hour reporting mandate for financial institutions and critical infrastructure.
These strategies lay the groundwork for strong compliance practices, ensuring readiness for the next phase of operational obligations.
Continuous Compliance Monitoring and Automation
Bridging the gap between compliance planning and execution under the DPDPA requires a seamless approach, where continuous monitoring and automation play a central role.
Automating Evidence Collection and Control Monitoring
Relying on manual evidence collection can lead to outdated records, increasing the risk of non-compliance. Tools like CISOGenie leverage AI to actively scan databases, APIs, and cloud environments, ensuring your data inventory and flow maps stay current. Automated Vulnerability Assessment and Penetration Testing (VAPT) tools can perform up to 441 security tests in under two hours, delivering reports aligned with CERT-In requirements to demonstrate "reasonable security safeguards" under the DPDPA. For managing consent, backend systems should capture critical details like consent_text_id and proof_blob_sha256. Automated platforms streamline this process, ensuring that consent records are securely stored and easily accessible for auditor reviews.
Automation impact: Cutting ongoing monitoring workloads by approximately 70% compared to manual evidence collection.
The manual approach works... The trade-off is time and internal bandwidth, both of which are scarce at a growing SMB.
This shift towards automation lays the groundwork for a robust audit framework, which is explored in the next section.
Preparing for Internal and External Audits
Maintaining consistent controls and a centralised evidence repository is essential for audit readiness. This repository should include key compliance documents such as Records of Processing Activities (RoPA), timestamped consent logs, DPIA reports, vendor DPA statuses, and training records — all accessible from a single location.
| Review Frequency | Key Tasks |
|---|---|
| Monthly | Address pending DSR requests, track consent withdrawal trends, monitor security logs |
| Quarterly | Update data flow maps, assess vendor DPA compliance, conduct breach simulation exercises |
| Annually | Perform a full compliance audit, refresh DPIAs, review privacy notices, validate retention schedules |
To evaluate your current posture, you can use a compliance readiness toolkit to identify gaps before an official audit.
Incident response plans must clearly address two distinct timelines: the CERT-In 6-hour reporting requirement and the DPBI 72-hour notification window. These obligations have separate deadlines and must be managed accordingly.
The first time you walk it [the breach-notification timeline] on a real incident is not when you want to discover the CERT-In 6-hour clock.
While technology and processes are critical, fostering a privacy-aware culture across the organisation is equally important for long-term compliance.
Building a Privacy-Aware Culture Across the Organisation
Even with automation in place, human errors — like misconfigured forms or unapproved data sharing — can still pose risks. A three-tier training model can help mitigate these issues:
- Foundational awareness for all employees
- Specialised training for customer-facing roles
- Advanced protocols for IT and security teams
Embedding privacy-by-design into the product development lifecycle is another key practice. Every new data processing purpose should trigger a DPIA before launch, not after.
Compliance is not a one-time project. It is an operating discipline with a setup phase and an ongoing phase.
For organisations classified as Significant Data Fiduciaries (SDFs), this discipline is more than a best practice — it's a legal requirement. SDFs must conduct regular independent audits, perform DPIAs for every new processing purpose, and appoint an India-based Data Protection Officer. Even if your organisation doesn't currently fall under this category, adopting these practices now can ease the transition if your status changes. Platforms like CISOGenie simplify DPDPA compliance by integrating evidence collection, control monitoring, vendor risk management, and audit preparation into one continuously updated system.
Conclusion: Steps to Achieve DPDPA Compliance
Achieving compliance with the DPDPA is not a one-time task — it's an ongoing commitment. With Phase 2 set to implement the Consent Manager framework on 13th November 2026 and full enforcement beginning on 13th May 2027, businesses have limited time to prepare.
A 50-person startup that fails to report a breach faces the same legal framework as TCS or Infosys.
This highlights that no organisation, regardless of size, is exempt from the law, including IT companies with engineering teams in India. Non-compliance could lead to fines running into crores.
The compliance framework rests on five key pillars: governance and accountability, data lifecycle management, security controls and vendor risk, cross-border transfers, and continuous monitoring. Together, these elements create a robust, interconnected system that simplifies audits and ensures long-term compliance. For example, even the most advanced consent management system is ineffective without a current, accurate data inventory. Similarly, vendor agreements (DPAs) are only useful if they're reinforced by regular, automated assessments.
One of the most critical actions organisations can take now is to move away from manual, spreadsheet-based processes and adopt automated data discovery tools. Automated systems can uncover 40–60% more personal data processes than manual methods, which means your organisation's risk exposure might be greater than you think. Tools like CISOGenie leverage autonomous AI agents to handle tasks like evidence collection, control monitoring, vendor risk management, and generating audit trails, significantly reducing the effort required for ongoing compliance.
The DPDP Act is not merely a law about paperwork. It is a law about how businesses work.
Start by creating a detailed data map, establish your consent framework before November 2026, and automate processes wherever possible. Treat every new data processing activity as an opportunity to reassess compliance. Platforms like CISOGenie can play a crucial role in maintaining a strong and sustainable compliance programme throughout this journey.
Frequently Asked Questions
Ready to operationalise DPDPA compliance?
See how CISOGenie helps Indian digital businesses map data flows, manage consent, automate evidence collection, and stay audit-ready under the DPDPA.