DPDP Compliance Hub

DPDP Act Compliance Checklist

The DPDP Act, 2023 and the DPDP Rules, 2025 give organisations an 18-month phased runway to full compliance by 13 May 2027. This checklist breaks the obligations of a Data Fiduciary into concrete, sequenced steps — from knowing your data to standing up consent, rights and breach processes.

8 min read

1. Know your data (discovery & inventory)

You cannot protect or account for data you cannot see. Start by discovering where personal data lives across databases, cloud storage, SaaS apps and files.

  • Inventory every system that stores or processes personal data
  • Classify personal and sensitive data, including India-specific identifiers (PAN, Aadhaar, bank account, IFSC, UPI ID, GSTIN)
  • Map each data category to a processing purpose and a lawful basis

2. Establish lawful, purpose-bound consent

  • Capture granular, purpose-specific consent — not blanket acceptance
  • Present notice in clear language and in the applicable Indian language(s)
  • Make withdrawal as easy as giving consent, and ensure it propagates downstream
  • Generate a verifiable, tamper-evident consent artifact for every action

3. Enable Data Principal rights

  • Access to a summary of personal data and processing activities
  • Correction, completion, updating and erasure
  • Right to nominate another to exercise rights on death or incapacity
  • Grievance redressal with clear SLAs and escalation

4. Maintain records & governance

  • Keep Records of Processing Activities (RoPA) current
  • Run DPIAs for higher-risk processing
  • Define and enforce retention and deletion schedules
  • Appoint a DPO / grievance officer and publish contact details

5. Prepare breach response

  • Detect, classify and log personal data breaches end to end
  • Notify the Data Protection Board and affected Data Principals in the prescribed form and timelines
  • Keep an immutable breach register with root cause and remediation

6. Prove it (audit readiness)

  • Maintain a tamper-evident audit trail of access and processing
  • Produce compliance reports suitable for the Data Protection Board
  • Re-scan periodically to catch drift as systems change

This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.

See how dpflo implements this

Discovery, consent, rights, retention and breach — one sovereign platform, deployable where your data lives.