
DPDPA Readiness Review

A structured operational assessment to establish your organisation's current compliance posture in 10 to 20 working days.

10–20 working days from evidence collection
4 areas reviewed operationally
Documented findings with Act references
Book a Scoping Conversation
About This Engagement

What this engagement is about — and what it is not

The DPDPA Readiness Review is designed for organisations that want an accurate, documented picture of their current operational readiness without committing to a full audit.

It is not a questionnaire. It is not a self-assessment scored against your own responses. It is a structured review of what your systems, notices, vendor relationships, and data handling practices actually look like — measured against the specific requirements of the DPDPA Act 2023 and Rules 2025.

The output is a documented assessment that tells you what is in place, what is missing, and what needs to be addressed first.

This engagement is appropriate for organisations that

Have not previously conducted a formal DPDPA compliance review
Are preparing for investor due diligence or enterprise procurement
Want to understand their operational standing before committing to a larger engagement
Have made changes to their data practices and want to verify whether those changes are sufficient
Scope

Four areas reviewed in every Readiness Assessment

Each area is assessed against the Act's specific operational requirements — not a generic privacy framework.

Area 01
Consent Architecture

How consent is collected, recorded, and withdrawn across every data collection point in your product or service. Section 6(1) of the Act requires consent to be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action and limited to the specified purpose, and Section 5 requires it to be preceded by a notice that is presented separately from your terms of service. We review whether your collection points meet this standard operationally, including whether withdrawal is as easy as giving consent.

Common findings in this area
Consent bundled with terms acceptance
Missing withdrawal mechanisms in the product interface
Notices that do not specify the purpose of processing with sufficient clarity
Area 02
Privacy Notice

Whether your privacy notice meets the mandatory disclosure requirements under Section 5 of the Act. We review whether your notice addresses each required disclosure specifically and accurately — including the personal data collected, the purpose of processing, how data principal rights can be exercised, and the grievance process.

Common findings in this area
Notice describes intended practices, not actual system behaviour
Grievance mechanism missing or inaccessible
Third-party processors not identified by name or category
Area 03
Vendor and Processor Setup

Which third-party tools and services process personal data on your behalf, and whether a Data Processing Agreement exists for each. Section 8(2) of the Act permits a Data Fiduciary to engage a Data Processor only under a valid contract, which in practice means a contract that specifically governs how the personal data is handled rather than the vendor's standard commercial terms. We identify every third-party tool in your stack and assess whether adequate contractual arrangements are in place.

Common findings in this area
Analytics tools processing personal data under standard commercial terms
No Data Processing Agreements with email or CRM platforms
Vendor default terms permitting secondary use of submitted data
Area 04
Data Handling Practices

How personal data flows through your product and whether the purposes for which it is processed are valid under the Act. We review your data flows against the grounds of processing, and assess whether personal data is being used for purposes that are disclosed, specific, and consistent with what your notice states.

Common findings in this area
Personal data used for purposes not disclosed in the notice
No documented retention timeline or deletion process
Data retained after the purpose has been fulfilled
Deliverables

What you receive at the end of the engagement

Executive Summary

A single-page summary of the overall operational readiness, the most critical findings, and three immediate priority actions. Designed to be shared with leadership without requiring them to read the full report.

Compliance Assessment

A documented assessment across all four reviewed areas — each finding referenced to the specific Act provision it relates to, with the evidence reviewed and the gap clearly identified.

Gap Register

Every gap identified, documented in a structured register with potential compliance impact mapped per finding. Organised by area and severity so your team can prioritise remediation.

Three Immediate Actions

The three highest-priority actions your organisation should take within the next two weeks. Each is specific, operationally clear, and does not require additional analysis to begin.

Scope Boundaries

What this engagement does not cover

The Readiness Review is scoped to provide an accurate governance baseline. Scope boundaries are confirmed during the scoping conversation before work begins.

Full vendor contract audit: contracts are assessed for existence, not reviewed clause by clause. Full vendor contract review is covered in the Operational Compliance Audit.
Maturity scoring across all eight DPDPA control areas: full coverage across all eight control areas is part of the Operational Compliance Audit.
Remediation design: gap identification is included. Solution design for each gap is covered in the Remediation and Governance Plan.
Policy or notice drafting: findings will identify where your notice is deficient. Redrafting is a separate engagement.
Legal advice: findings are compliance advisory in nature. Regulatory interpretation questions should be directed to qualified legal counsel.
Real Findings

What a finding looks like in practice

Finding — Consent Architecture

Example of the type of operational finding reviewed during a Readiness Assessment.

Pre-ticked marketing consent checkbox

During a consent architecture review, we examine how consent is collected across every data collection point. A common finding is a signup flow that presents users with a single checkbox simultaneously accepting the terms of service and providing consent to marketing communications.

Section 6(1) of the DPDPA Act 2023 requires consent to be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the specified purpose. A pre-ticked box involves no affirmative action, and a single control that accepts the terms of service and grants marketing consent at the same time is neither specific nor unconditional. Consent collected this way is not valid consent, so marketing processing that relies on it has no lawful basis under the Act.

This finding is documented with a reference to the relevant Act provision, an assessment of the potential compliance impact, and a recommended immediate action.

Severity: Critical. Provision: Section 6(1), valid consent. Evidence: live UI review.
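The consent-architecture finding above, together with the purpose-limitation check described under Area 04, is the kind of control a product team ends up encoding in a consent ledger that sits in front of processing. The Python sketch below is an added example, not code from Privara or from this page. The record fields, the Capture flags, the defect strings and the generic-purpose list are assumptions chosen to mirror the Section 6(1) elements, and every sample record is constructed. It shows the page's pre-ticked bundled checkbox being stored as evidence but refused as a basis for processing, a remediated flow passing, processing for an undisclosed purpose being refused, and withdrawal taking effect from the moment it is recorded.

```python
"""Consent ledger sketch (illustrative, not Privara's tooling): purpose-specific
consent captured with an affirmative action, withdrawable, and checked before
any processing for that purpose is allowed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed list of purpose strings too vague to satisfy the "specific" element.
GENERIC_PURPOSES = {"", "all", "any", "general", "business purposes"}


@dataclass(frozen=True)
class Capture:
    """Evidence of how the consent was collected in the live UI (assumed fields)."""
    affirmative_action: bool    # user actively ticked/clicked; False if pre-ticked or implied
    bundled_with_terms: bool    # the same control also accepted the terms of service
    notice_id: Optional[str]    # id of the purpose-specific notice shown, None if none was shown


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    given_at: datetime
    capture: Capture
    withdrawn_at: Optional[datetime] = None


def consent_defects(rec: ConsentRecord) -> list[str]:
    """Return the Section 6(1) elements the capture fails; an empty list means usable consent.
    The "free" element cannot be judged mechanically and is left to the human review."""
    defects = []
    if not rec.capture.affirmative_action:
        defects.append("no clear affirmative action (pre-ticked or implied)")
    if rec.capture.bundled_with_terms:
        defects.append("not unconditional (bundled with terms acceptance)")
    if rec.purpose.strip().lower() in GENERIC_PURPOSES:
        defects.append("not specific (generic or empty purpose)")
    if rec.capture.notice_id is None:
        defects.append("not informed (no purpose-specific notice shown)")
    return defects


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> list[str]:
        """Keep every capture as an audit trail, but tell the caller what is defective."""
        self._records.append(rec)
        return consent_defects(rec)

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> int:
        """Mark all open consents for this principal and purpose as withdrawn; return count."""
        n = 0
        for r in self._records:
            if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at
                n += 1
        return n

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Purpose-limitation gate: True only if a defect-free, unwithdrawn consent
        exists for exactly this purpose at time `at`."""
        for r in self._records:
            if (r.principal_id == principal_id and r.purpose == purpose
                    and r.given_at <= at and not consent_defects(r)
                    and (r.withdrawn_at is None or r.withdrawn_at > at)):
                return True
        return False


def demo():
    """Constructed walk-through of the finding on this page and its remediation."""
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # The finding: one pre-ticked box accepting terms and marketing together, no separate notice.
    bundled = ConsentRecord("u1", "marketing communications", now,
                            Capture(affirmative_action=False, bundled_with_terms=True, notice_id=None))
    # Remediated flow: separate, unticked box under its own purpose-specific notice.
    fixed = ConsentRecord("u2", "marketing communications", now,
                          Capture(affirmative_action=True, bundled_with_terms=False, notice_id="notice-mkt-v3"))
    # A properly captured but generic purpose still fails the "specific" element.
    generic = ConsentRecord("u3", "general", now,
                            Capture(affirmative_action=True, bundled_with_terms=False, notice_id="notice-gen"))
    d_bundled = ledger.record(bundled)
    d_fixed = ledger.record(fixed)
    d_generic = ledger.record(generic)
    before_withdrawal = ledger.may_process("u2", "marketing communications", now)
    ledger.withdraw("u2", "marketing communications", now + timedelta(days=1))
    return {
        "bundled_defects": d_bundled,
        "fixed_defects": d_fixed,
        "generic_defects": d_generic,
        "u1_marketing": ledger.may_process("u1", "marketing communications", now),
        "u2_marketing_before": before_withdrawal,
        "u2_profiling": ledger.may_process("u2", "profiling", now),
        "u2_marketing_after": ledger.may_process("u2", "marketing communications", now + timedelta(days=2)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping defective captures in the ledger rather than rejecting them is evidential: the Act places the burden of proving that notice was given and consent obtained on the Data Fiduciary, so the record of what the UI actually captured is what an assessor asks for, while the gate in front of processing is what stops the defective capture from being used.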
Upgrade Path

When to consider the Operational Compliance Audit instead

The Readiness Review establishes your governance baseline. For some organisations, a more comprehensive engagement is appropriate from the outset.

Consider the Operational Compliance Audit if your organisation operates in a sector where DPDPA obligations intersect with other regulatory frameworks — such as fintech, healthcare, or edtech — or has already conducted an informal compliance review and needs a deeper operational assessment across all eight control areas.

Learn more about the Operational Audit
FAQ

Questions about the Readiness Review

How is this different from a compliance checklist?
A checklist records what you believe is in place. The Readiness Review examines what your systems, notices, and vendor setup actually look like, independent of your own assessment.

What evidence will we need to provide?
The evidence request is structured to minimise disruption. It typically includes your privacy notice, consent flows, a list of third-party tools that process user data, and any existing data processing documentation.

Can we act on the report without a further engagement?
Yes. The report is written to be operationally clear and immediately usable by your team. There is no obligation to continue to a further engagement.

Does the Act apply to an early-stage startup?
Yes. The Act applies to the processing of digital personal data within India, and to processing outside India in connection with offering goods or services to individuals in India (Section 3), regardless of revenue or stage. A pre-revenue startup with a beta product collecting user emails is subject to the Act's core obligations.

We already have a privacy policy. Is that enough?
A privacy policy is one component, not the entirety of DPDPA compliance. The Act additionally requires consent mechanisms whose records you can produce on demand (the burden of proving that notice was given and consent obtained sits with the Data Fiduciary), contracts with every data processor, processes for handling data principal rights requests, and a breach notification process.
Get Started

Start with a scoping conversation

We will confirm whether the Readiness Review is the right starting point for your organisation — and what the engagement will involve — before anything is agreed.

Book a Scoping Conversation

Scope and pricing confirmed before work begins. No commitment required.

Written by Viral Maru, Founder — Privara. Last updated: May 2026.