Regulatory Guide · India

DPDP Act 2023:
Compliance checklist for Indian businesses

The Digital Personal Data Protection Act 2023 is in force. For most businesses compliance is self-certified: no external audit or certification is required unless the government notifies you as a Significant Data Fiduciary. Penalties run up to ₹250 crore per instance for the most serious failures (not taking reasonable security safeguards). Here is everything you need to implement, in the order you should do it.

Last updated: May 2026 · DPDP Rules: not yet fully finalised — monitor for updates

Who does this apply to?

Any entity that processes digital personal data of individuals in India, and any entity outside India that processes personal data in connection with offering goods or services to individuals in India. If an Indian user signs up for your product and you process their name, email, phone number, or any other personal data, the DPDP Act applies. It also covers non-digital data that you later digitise.

There is no size threshold. A two-person startup processing personal data of Indian users has the same core obligations as a large enterprise. The difference is proportionality in how you implement — the obligations themselves are the same.

Important: The DPDP Rules (the secondary legislation that specifies implementation details) are not yet fully finalised as of May 2026. The Act itself is in force. Monitor MeitY (meity.gov.in) for Rules updates, particularly around consent managers, cross-border data transfers, breach notification timelines, and the constitution of the Data Protection Board.

Implementation checklist

1. Data inventory (CRITICAL)
  • Map every category of personal data you collect (name, email, phone, Aadhaar, financial data, health data, etc.)
  • Document the purpose for collecting each data type
  • Document where each data type is stored and who has access
  • Document how long each data type is retained and why
  • Document every third party that receives or processes personal data

This is the foundation. Everything else — privacy notice, consent, DPAs — depends on knowing exactly what data you have and why.

2. Privacy notice (CRITICAL)
  • Write a plain-language privacy notice (not legalese)
  • Include: what data is collected, why, how long it's kept, who it's shared with
  • Include all data principal rights with clear instructions for how to exercise them
  • Include grievance officer contact details
  • Publish on your website — linked from footer, sign-up pages, and contact forms
  • Present notice before collecting any personal data — not buried in terms

Plain language is a DPDP Act requirement, not a preference. 'We may use your data to improve our services' is not sufficient.

3. Consent architecture (CRITICAL)
  • Collect consent before processing any personal data
  • Consent must be free — not bundled into terms of service or made a condition of using the service. The Act's "legitimate uses" (such as data the principal volunteers for a specified purpose) are a separate basis, not a reason to bundle consent
  • Consent must be specific — one consent per purpose, not a blanket 'I agree to everything'
  • Consent must be informed — the data principal knows what they're agreeing to
  • Consent must be unambiguous — a pre-ticked box or passive consent is not valid
  • Consent must be withdrawable — a simple mechanism to withdraw consent at any time
  • Store consent records — what was consented to, when, and which version of the notice was shown

The most common failure: bundling consent into T&Cs. Under DPDP, consent for data processing must be separate and specific.
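The consent record described in item 3 (what was consented to, when, and against which version of the notice) is easiest to get right as an append-only ledger with one event per purpose. The following is an added example, not code from the original page or from any vendor; the notice texts, principal IDs and purpose names are constructed for the illustration. It refuses a grant that was not an affirmative act, keeps purposes separate so that consent for receipts never implies consent for marketing, and answers "is this processing permitted right now?" from the latest event only.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample notice text for this example; a real notice is the
# plain-language document published under item 2 of the checklist.
NOTICE_V1 = "We collect your email address to send order receipts. Retained for 2 years."
NOTICE_V2 = NOTICE_V1 + " We also use it for product updates you opt in to."


def notice_version(notice_text: str) -> str:
    """Identify the exact notice the user saw by hashing its text.

    Storing the hash (and keeping the text) lets you later prove which
    wording a given consent was given against, even after the notice changes.
    """
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str           # one purpose per event, never "everything"
    action: str            # "granted" or "withdrawn"
    notice_version: str    # empty for withdrawals: no notice is re-shown
    recorded_at: str       # ISO-8601 UTC timestamp


class ConsentLedger:
    """Append-only record of consent grants and withdrawals, one per purpose."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_text: str,
              affirmative_act: bool, at: datetime | None = None) -> ConsentEvent:
        # Unambiguous consent means the user did something (ticked an unticked
        # box, pressed a button). A pre-ticked box or continued use is refused.
        if not affirmative_act:
            raise ValueError("consent requires an affirmative act by the data principal")
        return self._append(principal_id, purpose, "granted", notice_version(notice_text), at)

    def withdraw(self, principal_id: str, purpose: str,
                 at: datetime | None = None) -> ConsentEvent:
        # Withdrawal must be as easy as granting: no notice to re-accept.
        return self._append(principal_id, purpose, "withdrawn", "", at)

    def _append(self, principal_id: str, purpose: str, action: str,
                version: str, at: datetime | None) -> ConsentEvent:
        stamp = (at or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(principal_id, purpose, action, version, stamp)
        self._events.append(event)
        return event

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """True only if the most recent event for this (principal, purpose) is a grant."""
        latest = None
        for event in self._events:
            if event.principal_id == principal_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.action == "granted"

    def history(self, principal_id: str) -> list[ConsentEvent]:
        """Everything recorded for one principal; this feeds an access request."""
        return [e for e in self._events if e.principal_id == principal_id]


def demo() -> dict:
    """Walk through grant, purpose separation and withdrawal; return the checks."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    ledger.grant("user-42", "order_receipts", NOTICE_V1, affirmative_act=True, at=t0)

    try:  # a pre-ticked box must not create a consent record
        ledger.grant("user-42", "marketing", NOTICE_V2, affirmative_act=False, at=t0)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True

    ledger.grant("user-42", "marketing", NOTICE_V2, affirmative_act=True, at=t0)
    ledger.withdraw("user-42", "marketing", at=t0)

    return {
        "receipts_ok": ledger.is_permitted("user-42", "order_receipts"),
        "marketing_ok": ledger.is_permitted("user-42", "marketing"),   # withdrawn
        "analytics_ok": ledger.is_permitted("user-42", "analytics"),   # never asked
        "preticked_rejected": preticked_rejected,
        "events": len(ledger.history("user-42")),
        "receipt_notice_matches": ledger.history("user-42")[0].notice_version
                                  == notice_version(NOTICE_V1),
    }


if __name__ == "__main__":
    print(demo())
```

The ledger never deletes or edits events, so a withdrawal is itself a record of when processing had to stop; the consent check reads only the latest event, and any purpose that was never granted is simply not permitted.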

4. Data principal rights (HIGH)
  • Right to access: implement a mechanism for users to request what data you hold on them
  • Right to correction: implement a mechanism to correct inaccurate or incomplete data
  • Right to erasure: implement a mechanism to delete personal data on request
  • Right to nominate: allow users to nominate someone to exercise rights on their behalf
  • Define and publish response timelines (the Act leaves the exact period to the Rules; until then, document your own SLA and keep it short)
  • Respond to access/correction/erasure requests within your defined SLA
  • Log all rights requests and their outcomes

These don't need to be automated on day one. An email address for rights requests is a valid starting point. What matters is that you actually respond.

5. Grievance mechanism (HIGH)
  • Name a Grievance Officer (can be the founder at early stage)
  • Publish the Grievance Officer's contact email on your privacy policy page
  • Document the complaints procedure: how to raise, who handles it, what the resolution process is
  • Acknowledge complaints within 7 days and resolve them within 30 days (the Act requires a published, reasonable period rather than fixing these numbers; 7 and 30 days are workable targets)
  • Log all complaints and outcomes

The Grievance Officer is the data principal's first escalation path before the Data Protection Board. It must be a real contact that actually responds.

6. Data breach notification (CRITICAL)
  • Document a breach response procedure before a breach happens
  • Define what constitutes a reportable breach
  • Define internal escalation: who decides it's a breach, who notifies data principals, who reports to the Data Protection Board
  • Prepare a notification template for affected users
  • Notify affected data principals without undue delay in the event of a breach
  • Notify the Data Protection Board (when constituted) as required

The DPDP Act requires you to intimate the Board and each affected data principal "in such form and manner as may be prescribed"; the draft Rules proposed notifying the Board without delay and filing a detailed report within 72 hours, but this is not final. Separately, CERT-In's 2022 directions already require reporting listed cyber incidents to CERT-In within 6 hours of noticing them. Your breach procedure has to meet both clocks, so plan for the 6-hour CERT-In report first and the 72-hour detailed report after it.

7. Vendor data processing agreements (HIGH)
  • Inventory every third-party vendor that handles personal data (cloud provider, email, analytics, KYC, payment gateway, CRM, support tools)
  • Confirm each vendor has a Data Processing Agreement (DPA) or equivalent
  • DPA must bind the vendor to process data only per your instructions
  • DPA must require the vendor to notify you of a breach within 24 hours
  • DPA must require data deletion on termination
  • DPA must prohibit sub-processing without your consent

AWS, GCP, and Azure have standard DPAs you can accept in their consoles. Custom SaaS vendors (CRM, analytics, support tools) need to be reviewed individually. Signing a DPA does not shift liability: under the Act the Data Fiduciary remains responsible for processing done on its behalf by a Data Processor, so a vendor's breach is your breach to report.

8. Data retention and deletion (HIGH)
  • Define retention periods for each category of personal data
  • Delete personal data that is no longer needed for the stated purpose
  • Do not retain data 'just in case': the Act requires erasure once the purpose is no longer served or consent is withdrawn, unless a law requires you to keep it
  • Document retention periods in your privacy notice
  • Implement automated or scheduled deletion where possible

Indefinite retention of personal data is not permitted under DPDP Act. This is a common gap for startups that store everything forever in a database.

What DPDP Act does not require

One of the most useful things a compliance assessment does is tell you what you do not need to do. Common misconceptions:

Myth: You need an external audit or certification

Reality: For ordinary Data Fiduciaries the DPDP Act is self-certified. No external auditor, no certification body: you implement and declare compliance. The exception is entities the government notifies as Significant Data Fiduciaries, which must arrange periodic independent data audits.

Myth: You need a Data Protection Officer (DPO)

Reality: The DPDP Act requires a DPO based in India only for Significant Data Fiduciaries. Everyone else needs a Grievance Officer (or other published contact able to answer questions about processing), a lower bar that can be the founder.

Myth: You need ISO 27001 to be DPDP compliant

Reality: ISO 27001 is not required by DPDP Act. It may be triggered by enterprise customer contracts, but it is a separate framework.

Myth: Consent is required for every processing activity

Reality: The DPDP Act allows processing without consent for certain "legitimate uses": data the principal voluntarily provides for a specified purpose, employment-related processing, legal obligations, medical emergencies, and state functions. Most consumer apps will still use consent as the primary basis.

Myth: You need a GRC platform

Reality: At early stage, a well-organised Google Drive with the right documents is sufficient. GRC platforms (Sprinto, Scrut, Vanta) are useful at scale but not required and often premature.

Get compliant

Check your DPDP posture — free

Run a free scan at kawacha.com/scan — we check for a privacy policy, DPDP compliance signals, and security issues on your domain in under 2 minutes. For full DPDP implementation — data inventory, privacy notice, consent architecture, grievance mechanism, breach response, and vendor DPAs — we offer fixed-fee engagements.