
DPDPA Compliance Checklist

Eight control areas. Built directly on the DPDPA Act 2023 and Rules 2025 — not adapted from a generic privacy framework.

Privara  ·  DPDPA Compliance Advisory  ·  DPDPA Act 2023 & Rules 2025  ·  8 control areas · 40 checklist items
How to use this checklist: Each item represents an operational requirement under the DPDPA Act 2023 or Rules 2025. A self-assessment against this checklist tells you what your team believes is in place. An independent operational review tells you what is actually in place. Use this checklist as an orientation — not as a compliance certificate. Items are severity-rated: Critical, High, Medium.
1. Consent Architecture (Section 6)

[Critical] Consent is obtained through an affirmative action by the data principal
No pre-ticked boxes, no implied consent, no consent via inaction. The data principal must actively indicate agreement.

[Critical] Consent is obtained via a notice separate from terms of service
Consent bundled into terms acceptance does not constitute valid consent under Section 6.

[Critical] Each processing purpose has a separate, specific consent mechanism
One checkbox covering multiple purposes — marketing, analytics, product improvement — is not compliant.

[Critical] A mechanism exists for data principals to withdraw consent
Withdrawal must be as easy to exercise as giving consent. A buried settings page or email-only process does not meet this standard.

[High] Consent records are maintained and can be demonstrated
You must be able to show that consent was obtained, for what purpose, and when — for each data principal.

Most common gap: Consent collected via pre-ticked checkbox or bundled with terms acceptance — invalidating all processing based on that consent.
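
Added example (not Privara's code or tooling): a minimal purpose-scoped consent ledger in Python showing how the items above become an enforceable gate in a system. Consent is recorded only from an affirmative action, separately per purpose, can be withdrawn, and every grant and withdrawal is kept as evidence per data principal. Class, field and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                 # one record per purpose, never a bundle
    granted_at: datetime
    notice_version: str          # which notice text the principal actually saw
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only consent store (constructed example, not a real library)."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              affirmative: bool, at: Optional[datetime] = None) -> ConsentRecord:
        # Section 6: consent must come from an affirmative action; a default or
        # pre-ticked state is rejected rather than silently recorded as consent.
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the data principal")
        rec = ConsentRecord(principal_id, purpose, at or datetime.now(timezone.utc), notice_version)
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: Optional[datetime] = None) -> int:
        """Close every active consent for this purpose; returns how many were closed."""
        ts = at or datetime.now(timezone.utc)
        closed = 0
        for r in self._records:
            if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = ts      # history is retained, not deleted, so it stays demonstrable
                closed += 1
        return closed

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Processing gate: only an active consent for this exact purpose permits processing."""
        return any(r.principal_id == principal_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def evidence(self, principal_id: str) -> list:
        """Demonstrable record: what was consented to, when, under which notice, and whether withdrawn."""
        return [(r.purpose, r.granted_at.isoformat(), r.notice_version,
                 r.withdrawn_at.isoformat() if r.withdrawn_at else None)
                for r in self._records if r.principal_id == principal_id]
```

The gate also gives you purpose limitation for free: a purpose that was never consented to is denied without any special casing.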
2. Privacy Notice (Section 5)

[Critical] Notice specifies the personal data being collected
Broad categories like "your information" are not sufficient. The notice must identify what data is specifically collected.

[Critical] Notice specifies the purpose of processing for each type of data
Each category of data must be linked to a specific, named purpose — not a general statement.

[High] Notice explains how data principal rights can be exercised
The mechanism for accessing, correcting, and erasing data must be described and accessible.

[High] Notice identifies the grievance officer and contact details
A named grievance officer with a reachable contact mechanism is required — not a generic support email.

[High] Notice reflects actual system behaviour — not intended practices
GDPR-adapted notices frequently describe what the organisation intends, not what the systems do. The notice must reflect operational reality.

Most common gap: Privacy notice adapted from a GDPR template that does not meet the Act's specific disclosure requirements for Indian data principals.
3. Vendor & Processor Agreements (Section 8(3))

[Critical] All third-party tools processing personal data have been identified
Analytics, CRM, email, payments, cloud storage, customer support, and any other tool touching user data must be inventoried.

[Critical] A Data Processing Agreement exists with each processor
Standard commercial SaaS terms do not satisfy this requirement. A written contract governing data handling must exist for each processor.

[Critical] Processor agreements prohibit secondary use of submitted data
Many SaaS tools' default terms permit use of submitted data for their own product improvement. This is a violation if not contractually restricted.

[High] Processor agreements include breach notification obligations
Processors must be contractually required to notify you of any breach involving your users' data within a defined timeframe.

[High] Processor agreements require data deletion on contract termination
When you stop using a processor, your users' data must be deleted from their systems — not retained under their default terms.

Most common gap: Analytics and CRM tools processing user data under standard commercial agreements — no Data Processing Agreement in place.
4. Data Flows & Purpose Limitation (Section 6(1))

[Critical] Personal data is only processed for purposes disclosed at collection
Using data for analytics, marketing, or product improvement that was not disclosed and consented to at the point of collection is a violation.

[High] Data flows to third parties are disclosed in the privacy notice
Every third-party service that receives personal data must be identified in the notice — by name or category at minimum.

[Medium] Only the minimum data necessary for each purpose is collected
Data minimisation is an implicit requirement under the Act. Collecting more data than the stated purpose requires creates additional compliance exposure.

[Medium] A data flow map exists covering all personal data in the organisation
You cannot manage what you cannot see. A documented data flow map is the foundation of operational compliance.

Most common gap: Personal data passed to analytics and marketing tools for purposes not disclosed in the privacy notice.
5. Data Principal Rights (Sections 11–13)

[High] A mechanism exists for data principals to request access to their data
The mechanism must be accessible within the product or service — not buried in documentation or requiring a legal request.

[High] A mechanism exists for data principals to correct inaccurate data
Users must be able to update or correct their personal data. Read-only profile pages do not satisfy this requirement.

[Critical] Data erasure propagates across all systems and processors
Account deactivation is not erasure. When a user requests deletion, data must be erased from all databases, analytics tools, email systems, and processors.

[High] Rights requests are fulfilled within prescribed timelines
The Rules prescribe response timelines for each type of rights request. You must have an operational process to meet these timelines consistently.

[High] A grievance officer is appointed and reachable
A named individual must be designated as grievance officer — with contact details published in the privacy notice and accessible in the product.

Most common gap: Account deletion triggering deactivation — not actual data erasure across all systems and processors.
6. Data Retention & Erasure (Section 8(7))

[High] A documented retention schedule exists for each data category
Each type of personal data must have a defined retention period tied to its processing purpose — not "we keep it indefinitely."

[High] Personal data is erased when the processing purpose is fulfilled
Once the purpose for which data was collected no longer exists, the data must be erased — automatically or through a documented process.

[Critical] Consent withdrawal triggers a defined erasure process
When a data principal withdraws consent, there must be a documented process for erasing their data across all systems within a defined timeframe.

[Medium] Retention periods are disclosed in the privacy notice
Users must be informed how long their data will be retained and on what basis.

Most common gap: No documented retention schedule — data retained indefinitely with no defined deletion process.
7. Security Safeguards (Section 8(5))

[Critical] Reasonable technical safeguards are implemented for personal data
Encryption at rest and in transit, access controls, and authentication measures appropriate to the sensitivity and volume of data processed.

[High] Access to personal data is restricted on a need-to-know basis
Not all team members should have access to all personal data. Role-based access controls must be implemented and documented.

[Medium] Security measures are reviewed periodically
Static security configurations that are never reviewed do not constitute "reasonable safeguards" as the threat environment evolves.

[High] Processors are required to maintain equivalent security standards
Your security obligations extend to your processors. Contracts must require processors to maintain security standards consistent with the Act.

Most common gap: Security implemented for the product but not governed by documented standards — making "reasonable safeguards" difficult to demonstrate to the Board.
8. Breach Preparedness & Notification (Section 8(6))

[Critical] A documented breach response process exists
A policy statement is not a process. You must have a documented, step-by-step response plan that your team can execute in the event of a breach.

[Critical] Breach notification to the Data Protection Board is understood and planned
You must notify the Board of any personal data breach. The notification must be made — it cannot be conditional on internal investigation completing first.

[Critical] Notification to affected data principals is planned and templated
Affected individuals must be notified of a breach. The notification process and content should be prepared in advance — not designed during the incident.

[High] Processors are required to report breaches to you promptly
Your breach notification obligations include breaches at your processors. Contracts must require processors to notify you of any breach immediately.

Most common gap: No documented breach response process — organisations that discover a breach are designing their response under pressure, often too slowly.

What to do with your results

If you have identified gaps across multiple control areas, the next step is understanding which gaps carry the highest compliance risk — and in what order they should be addressed.

A self-assessment tells you what your team believes is true. An independent operational review — like Privara's DPDPA Readiness Review — tells you what is actually in place, with findings backed by evidence from your live systems and documentation.


A checklist tells you what you think. An audit tells you what is.

Privara's operational assessments review your live systems, vendor contracts, and processes — and document exactly where your organisation stands against the Act's requirements.


No commitment required. Scope and pricing confirmed before work begins.