What this covers: Step-by-step compliance checklist for a mid-size Indian company to achieve compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act establishes India’s first comprehensive personal data protection law for digital personal data.
Statutory framework: Digital Personal Data Protection Act, 2023; DPDP Rules (once notified; as of 2025 the rules are at the draft/consultation stage).
Section 1: Data Mapping, Know What You Hold
| # | Item | What to do | Done |
|---|---|---|---|
| 1.1 | **Identify all personal data collected** | List every category of personal data your organisation collects: name, email, phone, address, financial data, health data, government identifiers (Aadhaar/PAN), biometric data, children’s data | ☐ |
| 1.2 | **Map data flows** | For each category of data: where is it collected (website form, mobile app, physical form, third party)? Where is it stored (India / abroad)? Who processes it (internal teams, vendors)? | ☐ |
| 1.3 | **Identify lawful basis for each processing activity** | Under the DPDP Act, the primary lawful basis for processing is **consent**; the Act also provides for “legitimate uses” (specific statutory purposes, employment, medical emergency, national security, legal obligation) | ☐ |
| 1.4 | **Classify data by sensitivity** | Identify “sensitive personal data” (financial, health, biometric, children’s data); these require additional protections | ☐ |
| 1.5 | **Identify children’s data** | If you collect data of children below 18 years, parental consent is mandatory under the DPDP Act | ☐ |
Section 2: Notice and Consent
| # | Item | What to do | Done |
|---|---|---|---|
| 2.1 | **Review your Privacy Notice** | The DPDP Act requires a notice to be given to the Data Principal (individual) at or before collection of personal data; the notice must describe: what data is being collected, the purpose, and the Data Principal’s rights | ☐ |
| 2.2 | **Ensure notice is in plain language** | The DPDP Act requires that notices be written in clear, plain language (not complex legal language); must be available in multiple languages if offered to multiple linguistic groups | ☐ |
| 2.3 | **Implement a consent mechanism** | For consent-based processing, the consent must be: free, specific, informed, unconditional, and unambiguous; consent must be obtained through a clear affirmative action (no pre-ticked boxes) | ☐ |
| 2.4 | **Record of consent** | Maintain records of consent, who consented, when, for what purpose, through what mechanism | ☐ |
| 2.5 | **Right to withdraw consent** | Your system must allow Data Principals to withdraw consent as easily as they gave it; withdrawal of consent requires you to stop processing within a reasonable timeframe | ☐ |
| 2.6 | **Children’s consent mechanism** | If you process children’s data: parental/guardian consent is mandatory; implement age-verification and parental consent flow; no targeted advertising or processing of children’s data in a manner detrimental to their wellbeing | ☐ |
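Items 2.3 to 2.5 describe what a consent record has to capture (who, when, for what purpose, through what mechanism) and that withdrawal must stop processing without erasing the evidence that earlier processing was lawful. The following is an added illustration of such a ledger, written for this page and not part of the original checklist or the firm's material; the purpose labels, mechanism names, notice version and principal identifier are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """One consent event: who, when, for what purpose, through what mechanism."""
    principal_id: str
    purpose: str              # consent is purpose-specific, so one record per purpose
    given_at: datetime
    mechanism: str            # e.g. "web-form-checkbox" (constructed label)
    notice_version: str       # which version of the privacy notice was shown
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only record of consents and withdrawals (constructed example)."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, principal_id: str, purpose: str, mechanism: str,
                       notice_version: str, affirmative_action: bool,
                       now: datetime) -> ConsentRecord:
        # A pre-ticked box or silence is not consent: the caller must pass the
        # fact that the person actively opted in.
        if not affirmative_action:
            raise ValueError("consent needs a clear affirmative action")
        rec = ConsentRecord(principal_id, purpose, now, mechanism, notice_version)
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> int:
        """Close every live consent for this principal and purpose.

        Returns how many records were closed. Records are never deleted, so
        the ledger still shows that processing before `now` was permitted.
        """
        closed = 0
        for rec in self._records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now
                closed += 1
        return closed

    def is_permitted(self, principal_id: str, purpose: str, now: datetime) -> bool:
        """True if a consent for exactly this purpose covers the instant `now`."""
        return any(
            rec.principal_id == principal_id and rec.purpose == purpose
            and rec.given_at <= now
            and (rec.withdrawn_at is None or now < rec.withdrawn_at)
            for rec in self._records
        )

    def history(self, principal_id: str) -> List[ConsentRecord]:
        """Everything recorded for one Data Principal (for an access request)."""
        return [r for r in self._records if r.principal_id == principal_id]


def pre_ticked_is_rejected() -> bool:
    """A default-on checkbox must not produce a consent record."""
    ledger = ConsentLedger()
    t = datetime(2025, 1, 1, tzinfo=timezone.utc)
    try:
        ledger.record_consent("principal-1", "marketing-email", "pre-ticked-box",
                              "notice-v3", affirmative_action=False, now=t)
    except ValueError:
        return len(ledger.history("principal-1")) == 0
    return False


def demo() -> dict:
    """Walk through give / check / withdraw with constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger.record_consent("principal-42", "marketing-email", "web-form-checkbox",
                          "notice-v3", affirmative_action=True, now=t0)
    before = ledger.is_permitted("principal-42", "marketing-email", t0 + timedelta(days=5))
    other_purpose = ledger.is_permitted("principal-42", "analytics", t0 + timedelta(days=5))
    closed = ledger.withdraw("principal-42", "marketing-email", t0 + timedelta(days=10))
    after = ledger.is_permitted("principal-42", "marketing-email", t0 + timedelta(days=11))
    return {"before": before, "other_purpose": other_purpose,
            "closed": closed, "after": after,
            "records": len(ledger.history("principal-42"))}


if __name__ == "__main__":
    print(demo())
```

The check is per purpose, so consent to marketing email does not silently cover analytics, and the withdrawal timestamp is kept rather than the record being deleted, which is what lets you answer a later access request or audit about what was processed and on what basis.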
Section 3: Data Principal Rights, Your Obligations
| # | Item | What to do | Done |
|---|---|---|---|
| 3.1 | **Right to access (information request)** | Data Principals can request to know what personal data you hold about them; implement a process to receive, verify, and respond to access requests | ☐ |
| 3.2 | **Right to correction and erasure** | Data Principals can request correction of inaccurate personal data or erasure of data where it is no longer necessary for the purpose for which consent was given; implement a process to act on these requests | ☐ |
| 3.3 | **Right to grievance redressal** | Appoint a **Data Protection Officer (DPO)** or other grievance officer; publish contact details for the grievance officer; implement a process to address complaints within the timeframe to be prescribed in DPDP Rules | ☐ |
| 3.4 | **Right to nominate** | Data Principals can nominate another person to exercise their rights in case of death or incapacity; implement a process to recognise nominations | ☐ |
| 3.5 | **Timely responses** | All rights requests must be responded to within the timeline to be prescribed in the DPDP Rules (likely 30 days, monitor rules for exact timeline) | ☐ |
Section 4: Data Security Measures
| # | Item | What to do | Done |
|---|---|---|---|
| 4.1 | **Technical security measures** | Implement: encryption of personal data at rest and in transit; access controls (role-based access limiting who can see personal data); audit logs | ☐ |
| 4.2 | **Organisational measures** | Data protection training for all employees handling personal data; confidentiality agreements for employees and contractors; data handling procedures | ☐ |
| 4.3 | **Data retention policy** | Personal data must not be retained longer than necessary for the purpose for which it was collected; implement automated deletion/anonymization processes | ☐ |
| 4.4 | **Third-party security** | Vendors and processors handling personal data must be contractually bound to equivalent security standards | ☐ |
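Item 4.3 asks for automated deletion or anonymisation once data is no longer needed for its purpose, and 4.1 asks for audit logs. The example below, added here and not part of the original checklist or the firm's material, shows one way to enforce a purpose-based retention schedule that writes an audit entry for every decision. The retention periods, purpose labels, record identifiers and e-mail addresses are constructed sample values; the Act itself prescribes no fixed periods, so each organisation has to justify its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention period per processing purpose. Constructed example values only.
RETENTION: Dict[str, timedelta] = {
    "order-fulfilment": timedelta(days=365),
    "marketing-email": timedelta(days=180),
}


@dataclass
class PersonalRecord:
    record_id: str
    principal_id: str
    purpose: str
    collected_at: datetime
    email: Optional[str]
    legal_hold: bool = False      # e.g. needed for an ongoing dispute
    anonymised: bool = False


def enforce_retention(records: List[PersonalRecord], now: datetime,
                      audit_log: List[str]) -> Dict[str, int]:
    """Anonymise records past their retention period and log every decision.

    A record whose purpose has no configured period is left untouched but
    flagged, so a gap in the policy shows up in the audit log instead of the
    data being kept forever by default.
    """
    counts = {"anonymised": 0, "held": 0, "unclassified": 0, "retained": 0}
    for rec in records:
        if rec.anonymised:
            continue
        period = RETENTION.get(rec.purpose)
        if period is None:
            counts["unclassified"] += 1
            audit_log.append(f"{now.isoformat()} NO_RETENTION_PERIOD {rec.record_id} purpose={rec.purpose}")
            continue
        age = now - rec.collected_at
        if age <= period:
            counts["retained"] += 1
            continue
        if rec.legal_hold:
            counts["held"] += 1
            audit_log.append(f"{now.isoformat()} EXPIRED_BUT_HELD {rec.record_id} age_days={age.days}")
            continue
        # Strip the identifying fields; keep the row so aggregate statistics survive.
        rec.principal_id = "anonymised"
        rec.email = None
        rec.anonymised = True
        counts["anonymised"] += 1
        audit_log.append(f"{now.isoformat()} ANONYMISED {rec.record_id} purpose={rec.purpose} age_days={age.days}")
    return counts


def sample_records(now: datetime) -> List[PersonalRecord]:
    """Constructed sample data covering each branch of the policy."""
    return [
        PersonalRecord("r1", "p1", "marketing-email", now - timedelta(days=200), "p1@example.com"),
        PersonalRecord("r2", "p2", "marketing-email", now - timedelta(days=30), "p2@example.com"),
        PersonalRecord("r3", "p3", "order-fulfilment", now - timedelta(days=400), "p3@example.com", legal_hold=True),
        PersonalRecord("r4", "p4", "support-chat", now - timedelta(days=900), "p4@example.com"),
    ]


def demo() -> Tuple[Dict[str, int], List[PersonalRecord], List[str]]:
    """Run the policy once over the sample data and return what happened."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    records = sample_records(now)
    log: List[str] = []
    counts = enforce_retention(records, now, log)
    return counts, records, log


if __name__ == "__main__":
    summary, _, lines = demo()
    for line in lines:
        print(line)
    print(summary)
```

Running this on the sample data anonymises the expired marketing record, keeps the recent one, leaves the expired order record in place because of the legal hold and flags the support-chat record as having no retention period. The "unclassified" branch is the one to watch in practice: it is how the data-mapping gap from Section 1 becomes visible to whoever reviews the audit log.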
Section 5: Data Processors, Vendor Contracts
| # | Item | What to do | Done |
|---|---|---|---|
| 5.1 | **Identify all Data Processors** | All vendors, cloud service providers, payment processors, analytics platforms, and outsourcing partners who process personal data on your behalf are Data Processors | ☐ |
| 5.2 | **Data Processing Agreements (DPAs)** | The DPDP Act requires that Data Fiduciaries (your organisation) ensure that Data Processors only process data as instructed and implement appropriate safeguards; execute DPAs with all Data Processors | ☐ |
| 5.3 | **Sub-processor approval** | Your DPAs should require Data Processors to obtain your approval before engaging sub-processors | ☐ |
| 5.4 | **Processor audit rights** | Include the right to audit or assess Data Processor compliance in DPAs | ☐ |
Section 6: Cross-Border Data Transfers
| # | Item | What to do | Done |
|---|---|---|---|
| 6.1 | **Identify cross-border transfers** | Do any of your vendors, cloud platforms, or partner organisations store or process personal data outside India? | ☐ |
| 6.2 | **Permitted countries** | The DPDP Act permits transfer of personal data outside India to countries to be notified by the Government of India (a “whitelist” approach); until the whitelist is published, monitor government notifications | ☐ |
| 6.3 | **Restricted countries** | The Government may restrict transfers to specified countries; ensure your transfer practices are consistent with any restrictions | ☐ |
Section 7: Significant Data Fiduciary
| # | Item | What to do | Done |
|---|---|---|---|
| 7.1 | **Assess if you qualify as a Significant Data Fiduciary (SDF)** | The Government will designate certain Data Fiduciaries as SDFs based on: volume of data processed, sensitivity of data, risk to Data Principals, national security implications | ☐ |
| 7.2 | **Additional SDF obligations** | If you are designated as an SDF: appoint a Data Protection Officer (resident in India); conduct Data Protection Impact Assessments (DPIAs); periodic data audits by an independent auditor | ☐ |
Section 8: Data Breach Response Plan
| # | Item | What to do | Done |
|---|---|---|---|
| 8.1 | **Incident response policy** | Document a written data breach response policy covering: how breaches are detected, who is notified internally, escalation procedures | ☐ |
| 8.2 | **Notification obligation** | The DPDP Act requires notification to the Data Protection Board (to be established) upon becoming aware of a personal data breach; and notification to affected Data Principals; timeline to be prescribed in rules | ☐ |
| 8.3 | **Breach logging** | Maintain a register of all data breaches (including minor breaches) for regulatory audit purposes | ☐ |
| 8.4 | **Post-breach remediation** | Document remediation actions taken post-breach; evidence that the breach has been contained | ☐ |
Penalties Under the DPDP Act 2023
| Contravention | Maximum penalty |
|---|---|
| Breach of obligations for processing children’s data | INR 200 crore |
| Failure to implement adequate security measures (data breach) | INR 250 crore |
| Failure to notify the Data Protection Board of a breach | INR 200 crore |
| Non-compliance with Data Principal rights obligations | INR 50 crore |
| Breach of any other provision | INR 50 crore |
| Non-compliance by Data Processor | INR 10 crore |
This resource is for general information purposes only and does not constitute legal advice. For advice on your specific situation, seek appropriate professional counsel.
**Corpus Lawyers** | 148 Lawyers Chambers, Saket Court Complex, New Delhi 110016 | mail@corpuslawyers.in
Prashant Kumar Nair is an Advocate-on-Record at the Supreme Court of India. He practises across insolvency and restructuring, arbitration and dispute resolution, real estate and infrastructure, corporate and commercial law, taxation, intellectual property, regulatory and compliance, and capital markets law. He is a doctoral researcher at RGNUL focusing on the arbitration-insolvency interface. He is the founder of Corpus Lawyers.
linkedin.com/in/prashant-kumar-nair

This article is for informational purposes only and does not constitute legal advice. The views expressed are those of the author in a personal capacity. Readers should seek independent legal counsel before acting on any matter discussed herein. While every effort has been made to ensure accuracy, the author makes no representation as to the completeness or currency of the information at the time of reading.