DPDP Act 2023 Compliance Checklist for Indian Businesses — Free 2026
The Digital Personal Data Protection (DPDP) Act 2023 is India's primary data privacy law — applicable to any business that processes personal data of Indian citizens, whether data is stored in India or abroad. This free checklist helps Indian businesses assess and achieve DPDP compliance across 6 key domains.
Domain 1: Data Inventory and Mapping: □ Identify all personal data collected (name, email, phone, Aadhaar, PAN, health data, financial data)
□ Map where each data type is stored (CRM, HRMS, accounting, cloud storage, email)
□ Document the purpose for each data type collected
□ Classify data by sensitivity (general personal data vs sensitive personal data: health, financial, biometric)
□ Identify third parties who receive personal data (cloud vendors, payment processors, marketing tools)
□ Document data flows across systems (data flow diagram)
Domain 2: Consent Management: □ Review all data collection points (website forms, app sign-ups, physical forms, HR onboarding)
□ Ensure consent notices are in clear, plain language (not legalese)
□ Consent must be specific, informed, and freely given — no pre-ticked boxes
□ Implement consent withdrawal mechanism (users must be able to withdraw consent easily)
□ Record consent with timestamp and consent text version
□ Review consent for data collected before DPDP Act commencement — may need re-consent
Domain 3: Data Principal Rights: □ Implement process to respond to access requests (user can request what data you hold — respond within 30 days)
□ Implement data correction process (user can request correction of inaccurate data)
□ Implement data erasure process (user can request deletion — except where legally required to retain)
□ Implement data portability (provide data in machine-readable format on request)
□ Designate a Data Protection Officer (DPO) or point of contact for data requests
□ Publish privacy notice on website with contact details for data requests
Domain 4: Data Security Controls: □ Encryption at rest for sensitive personal data (health, financial, biometric)
□ Encryption in transit (TLS 1.2+ for all data transmission)
□ Access controls — only authorised staff access personal data (role-based access)
□ Multi-factor authentication for systems storing sensitive personal data
□ Regular vulnerability assessments (CERT-In 2022 requires VAPT for critical systems)
□ Vendor security assessment (cloud providers, SaaS vendors processing your data)
Domain 5: Breach Notification: □ Define "personal data breach" internally (unauthorised access, disclosure, alteration, or destruction)
□ Implement breach detection capabilities (SIEM, endpoint monitoring, log management)
□ Establish breach response team (IT, Legal, Management, Communications)
□ Document breach notification procedure: notify Data Protection Board within 72 hours of breach
□ Template: breach notification letter to affected Data Principals
□ Post-breach review procedure and documentation
Domain 6: Significant Data Fiduciaries (SDFs): If your business is designated as a Significant Data Fiduciary (SDF) by the Indian government:
□ Appoint a Data Protection Officer (DPO) — must be based in India
□ Appoint an independent Data Auditor
□ Conduct periodic Data Protection Impact Assessments (DPIA)
□ Comply with additional SDF-specific obligations when notified by MeitY
Note: SDF designation criteria include scale of data processing, sensitivity of data, national security implications, and risk to rights of Data Principals.
Frequently Asked Questions
Does the DPDP Act apply to my Indian small business?
The DPDP Act applies to any "Data Fiduciary" — any entity that determines the purpose and means of processing personal data of Indian citizens. This includes most Indian businesses that collect customer phone numbers, email addresses, or employee data. The Act has not yet specified exemptions for small businesses by revenue or employee count.
What is the penalty for DPDP Act non-compliance in India?
The DPDP Act prescribes penalties up to ₹250 crore for a single violation. Penalties for failing to notify a data breach can reach ₹200 crore. However, enforcement will be phased — the Data Protection Board is still being constituted (as of mid-2026). Businesses should use this window to achieve compliance before enforcement begins.
Is health data treated differently under DPDP Act in India?
Yes — health data is classified as "sensitive personal data" requiring stricter controls: explicit (not just inferred) consent, stronger security controls, and additional obligations for healthcare Data Fiduciaries. Hospitals, diagnostic labs, and health-tech apps have higher compliance obligations.
Get a DPDP compliance assessment for your Indian business — we identify gaps and implement required technical controls.