DPDP - General Compliance Checklist

📋 DPDP Compliance Checklist

Structured for practical implementation | Based on DPDPA 2023 + Rules 2025

Data Governance Basics

Identify and classify personal data collected

Catalogue all personal data categories collected (Sec. 2(t))
Identify processing of children's data (Sec. 9; Rule 10)
Flag high-risk datasets that may trigger SDF designation

Map processing activities

Document purposes for each processing activity (Sec. 4)
Ensure processing is purpose-limited and data-minimised (Sec. 6; Rule 8)

Confirm lawful bases

Verify consent obtained where required (Sec. 6)
Check "legitimate use" grounds (Sec. 7), especially:
  • State functions
  • Employment purposes
  • Emergency healthcare
  • Publicly funded services

Review retention and deletion protocols

Ensure retention aligns with Rule 8 and Third Schedule
Implement automated disposal once it is reasonable to assume the purpose is no longer being served
Maintain erasure logs for audit

Consent and Notices

Clear, itemised consent text

Consent must be: free, informed, specific, unambiguous, opt-in (Sec. 6(1))
Must include: purpose, processing description, withdrawal method (Rule 3)

Notice format compliant with Rules

Provide itemised notice containing all mandatory elements in Rule 3(1)
Ensure notices are available in all languages in which service is offered

Easy withdrawal mechanisms

Offer simple, accessible withdrawal paths (Sec. 6(5))
Ensure withdrawal is as easy as giving consent (Rule 3(4))
Integrate Consent Manager option where applicable

Data Principal Rights Handling

Access, correction, erasure workflow

Provide mechanisms for access (Sec. 12(1)(a))
Provide mechanisms for correction and completion (Sec. 12(1)(b))
Provide mechanisms for erasure (Sec. 12(1)(c))
Update internal timelines for compliance

Grievance redressal timelines

Publish grievance contact details on website/app (Rule 14)
Respond to grievances within the period published (≤ 90 days) (Rule 14(1))

Verification method for requests

Set up identity verification flow for rights requests (Rule 3(6))
Build special flows for child and parental requests (Rule 10; Sec. 9)

Security Safeguards

Reasonable security controls

Implement "reasonable security safeguards" as required by Sec. 8(5)
Ensure compliance with Rule 6 (security safeguards), including:
  • Access control
  • Role-based permissions
  • Encryption at rest/in transit (preferred)
  • Logging and monitoring

Breach detection and reporting

Internal breach detection SOP
Notify Data Principals + Board "as soon as practicable" (Sec. 8(6))
Use the two-step system (Rule 7):
  • Immediate preliminary notice
  • 72-hour detailed update

Vendor assessment framework

Ensure Data Processors comply with Sec. 8(7)
Conduct due diligence for all processors handling personal data
Insert breach-notification and security clauses in contracts

Significant Data Fiduciary (SDF) Requirements

(if designated)

DPO (Data Protection Officer/Manager) appointment

Appoint a Data Protection Officer (DPO) as required under Sec. 10(3)
Ensure direct reporting line to Board/governing body

DPIA for high-risk processing

Conduct Data Protection Impact Assessments (Sec. 10(2)(d))
Especially for: large-scale profiling, children's data, Aadhaar-linked processing

Periodic audits

Conduct annual/periodic audits as mandated (Sec. 10(2)(e))
Maintain certification/report from external auditors if required

Cross-Border Data Practices

Confirm permitted jurisdictions

Check if the Government has notified any restricted jurisdictions (Sec. 16)
Maintain updated list of allowed/blocked destinations

Vendor contract clauses

Include:
  • Purpose limitation safeguards
  • Security measures
  • Onward-transfer restrictions
  • Return/deletion obligations on termination

Documentation & Record-Keeping

Policies updated to reflect DPDP Rules

Privacy policy updated per Rule 3 requirements
Children's data policy updated per Sec. 9 and Rule 10
Breach-response and grievance policies aligned to Rules 7 & 14

Internal compliance reports

Maintain Board/management-level compliance reports
Retain DPIA reports (if applicable)
Keep SDF-related documentation ready for inspection

Employee training logs

Maintain training records on:
  • Privacy obligations
  • Handling rights requests
  • Security and breach protocols

Product and Engineering Integration

Privacy-by-design reviews

Conduct pre-launch reviews of new features/services for:
  • Data minimisation
  • Purpose limitation
  • Default retention configurations
  • Grievance routes

Feature-level compliance checks

Check children's data flows for tracking/targeting ban (Sec. 9(3))
Ensure "withdraw consent" links/buttons are embedded in product UI
Review data flows in onboarding, login, analytics, and advertising systems

Logging and documentation

Maintain logs of consent, withdrawals, rights requests, and breach events
Ensure logs are accessible for DPB audits/inquiries (Sec. 28 powers)
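A small consent and erasure ledger that exercises the retention/disposal items (Review retention and deletion protocols) and the logging items in this section: one call records both grant and withdrawal, an access response is derived from the ledger, and disposal writes an erasure-log entry for audit. This is an added example for the checklist, not code from the Act or Rules; the purpose names, the retention periods in RETENTION and the "withdrawn plus retention period" disposal trigger are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference time
# Constructed retention per purpose after withdrawal (assumption, not Third Schedule values).
RETENTION = {"order_fulfilment": 30 * DAY, "marketing": 0 * DAY}

@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str        # "grant" or "withdraw"
    at: datetime

@dataclass
class ConsentLedger:
    retention: dict
    events: list = field(default_factory=list)
    erasure_log: list = field(default_factory=list)

    def record(self, principal_id, purpose, action, at):
        """One call for grant and withdrawal, so withdrawing is as easy as consenting."""
        if purpose not in self.retention or action not in ("grant", "withdraw"):
            raise ValueError(f"unknown purpose or action: {purpose!r}, {action!r}")
        self.events.append(ConsentEvent(principal_id, purpose, action, at))

    def active_purposes(self, principal_id):
        """Purposes the principal currently consents to (basis of an access response)."""
        state = {}
        for e in self.events:  # appended in time order, so the last event wins
            if e.principal_id == principal_id:
                state[e.purpose] = e.action == "grant"
        return sorted(p for p, on in state.items() if on)

    def due_for_erasure(self, now):
        """(principal, purpose) pairs whose withdrawal plus retention period has passed."""
        latest = {(e.principal_id, e.purpose): e for e in self.events}
        return sorted(k for k, e in latest.items()
                      if e.action == "withdraw" and e.at + self.retention[e.purpose] <= now)

    def dispose(self, now):
        """Erase due records and append an erasure-log entry for each (audit trail)."""
        erased = self.due_for_erasure(now)
        for key in erased:
            self.erasure_log.append({"principal_id": key[0], "purpose": key[1],
                                     "erased_at": now.isoformat(),
                                     "reason": "consent withdrawn; retention period elapsed"})
            self.events = [e for e in self.events if (e.principal_id, e.purpose) != key]
        return erased
```

Run `dispose()` from a scheduled job; the erasure_log entries, not the deleted events, are what an audit would inspect.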