DPDP Act 2023 · Compliance Checklist
DPDP Compliance Checklist
A comprehensive step-by-step checklist to help your organization achieve and maintain compliance with the Digital Personal Data Protection Act 2023.
Seven domains mapped to the Act and the DPDP Rules 2025 — an end-to-end program typically costs ₹1.5–4 lakh (indicative) for SMEs and mid-market firms.
DPDP Act 2023 + DPDP Rules 2025 · Phased obligations to 2027 · Last reviewed June 2026
Direct Answer
What does DPDP compliance require?
DPDP compliance means meeting the obligations the Digital Personal Data Protection Act 2023 places on data fiduciaries: give clear notice, obtain valid consent, honour data-principal rights, apply reasonable security safeguards, report breaches, and govern your processors. This checklist translates the Act and the MeitY DPDP Rules 2025 into seven actionable domains you can work through to reach and maintain compliance.
Statutory Basis
DPDP Obligations Mapped to Checklist Domains
Each checklist domain below traces to a specific obligation in the DPDP Act 2023 or the Rules 2025.
| Checklist domain | Statutory basis | Core requirement |
|---|---|---|
| Governance & leadership | Sections 8, 10 (SDF) | Accountability structure; DPO and independent auditor for Significant Data Fiduciaries |
| Data inventory & mapping | Section 8(1) | Know what personal data you hold, why, and on what lawful basis |
| Notice & consent | Sections 5, 6; Rule 4 | Clear notice; free, specific, informed, unconditional, unambiguous consent; easy withdrawal |
| Data principal rights | Sections 11–14; Rule 14 | Access, correction, erasure, grievance redressal, and nomination mechanisms |
| Security safeguards | Section 8(5) | Reasonable technical and organizational measures (encryption, access control, logging) |
| Breach management | Rule 7 | Detect, contain, and notify the Board and data principals without delay |
| Third-party management | Section 8(2) | Process personal data through processors only under a valid contract |
The Checklist
Seven Domains to Work Through
- Governance & Leadership
- Data Inventory & Mapping
- Notice & Consent
- Data Principal Rights
- Security Safeguards
- Breach Management
- Third-Party Management
Roadmap
Suggested Implementation Timeline
1. Assessment & Planning: gap analysis, data mapping, governance setup
2. Policy & Documentation: privacy notices, consent forms, procedures
3. Technical Implementation: security controls, consent systems, rights portals
4. Monitor & Maintain: audits, training, continuous improvement
Frequently Asked Questions
Common questions on who must comply, timelines, first steps, cost, and penalties.
Who needs to comply with the DPDP Act?
Any data fiduciary that processes the digital personal data of individuals in India — whether the processing happens in India or abroad in connection with offering goods or services to people in India. There is no turnover or headcount threshold, so startups and large enterprises alike are in scope.
When does the DPDP Act take effect?
The Act received presidential assent in August 2023, and the DPDP Rules 2025 phase the operative obligations over a runway extending into 2026–27. Consent notices, security safeguards, and breach reporting land first, with Consent Manager registration and Significant Data Fiduciary duties following. Because data mapping and consent re-engineering take months, most organizations should start six to nine months before their obligations bite.
What are the first steps to become DPDP compliant?
Start with a gap assessment and a data inventory: map every processing activity and its lawful basis. From there, draft privacy notices and consent flows, implement reasonable security safeguards, build data-principal rights and grievance mechanisms, and put a breach response playbook in place. Significant Data Fiduciaries must additionally appoint a DPO and an independent auditor.
How much does DPDP compliance cost in India?
For most SMEs and mid-market companies, an end-to-end DPDP program — gap assessment, data mapping, policies, consent flows, breach playbooks, and training — costs ₹1.5–4 lakh (indicative). The final figure depends on your data footprint, the number of processing activities, and whether Significant Data Fiduciary obligations apply.
What happens if we miss a DPDP obligation?
The Data Protection Board can impose monetary penalties of up to ₹250 crore per instance for failing to maintain reasonable security safeguards, up to ₹200 crore for breach-notification and children’s-data violations, and lower slabs for other defaults. Penalties apply per instance, so a single incident touching several obligations can compound quickly.
Continue your DPDP research
- DPDP Act compliance hub — the full guide to the Act, Rules 2025, and phased deadlines.
- DPDP compliance consulting in India — gap assessment, data mapping, and end-to-end implementation.
- DPDP penalty calculator — quantify the cost of non-compliance.
- Tranquility Cybersecurity credentials & proof.
Written By Expert Auditors