Key Takeaways
- The DPDP Act 2023 applies to digital personal data processed within India, and to processing outside India that is connected with offering goods or services to Data Principals in India.
- Data Fiduciary obligations include lawful purpose, consent (or specified legitimate uses), data minimisation, accuracy, retention limits, breach notification.
- Data principal rights: access, correction, erasure, grievance redressal, nomination. Must be operationalised in the product.
- Significant Data Fiduciary designation brings additional obligations: DPO appointment, independent data audit, DPIA for high-risk processing.
- Penalties up to INR 250 crore for failure of reasonable security safeguards, up to INR 200 crore for failure to notify a personal data breach.
Who Must Comply
The Act applies to the processing of digital personal data within India regardless of who is doing the processing, whether the data was collected in digital form or digitised afterwards. It also applies to processing outside India, provided that processing is in connection with offering goods or services to Data Principals within the territory of India. Two exclusions in Section 3 matter in practice: personal data processed by an individual for personal or domestic purposes, and personal data that the Data Principal or a person under a legal obligation has made publicly available.
Roles: Data Fiduciary determines purpose and means of processing (equivalent to GDPR data controller). Data Processor processes on the Data Fiduciary's behalf (equivalent to GDPR data processor). Data Principal is the individual whose personal data is processed.
Practical implication for Indian businesses: almost every B2C, B2B, employer, healthcare provider, educational institution and government supplier is a Data Fiduciary. Most outsourced service providers are Data Processors, but note that the Data Fiduciary remains responsible for processing done on its behalf by a Data Processor (Section 8(1)); outsourcing moves the work, not the liability. The Act has very few exemptions, and those in Section 17 (for example research, statistical and certain state purposes) are narrow.
Consent and Notice Requirements
Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and as easy to withdraw as to give. Consent is tied to a specified purpose and limited to the personal data necessary for that purpose, so each distinct purpose needs its own clear consent and its own minimal data set. Bundled consent that forces acceptance of unrelated purposes, or collects data a purpose does not need (the Act's own illustration is a telemedicine app demanding access to the user's contacts), is non-compliant.
Notice must accompany or precede the consent request: identity of the Data Fiduciary, the personal data and purposes of processing, how the Data Principal may withdraw consent and exercise rights, how to raise a grievance, and how to complain to the Data Protection Board, with contact details. The Data Principal must be able to read the notice in English or any language in the Eighth Schedule of the Constitution. The plain-language requirement is meaningful; legalese is likely to fail an audit.
Some processing can be done without consent under the 'certain legitimate uses' in Section 7 (data the Data Principal voluntarily provided for a specified purpose, state functions such as subsidies and benefits, compliance with law or court orders, medical emergencies, epidemics and disasters, employment purposes). These are exception cases: document which use applies and why, because a vague appeal to 'legitimate use' will not survive an inquiry.
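The consent mechanics above translate into a fairly specific data model: one consent record per specified purpose, processing gated on both live consent and the data category that purpose actually needs, withdrawal as simple as granting, and an append-only trail that doubles as the access-request answer. The following Python module is an added illustration of that model, not code from the page or from any product; the purpose catalogue, class and method names, and the principal and notice identifiers are constructed assumptions.

```python
"""Purpose-bound consent ledger.

Added illustration of the consent mechanics described above (one specified
purpose per consent, data limited to what that purpose needs, withdrawal as
easy as giving, auditable). Purposes, data categories and identifiers are
assumptions constructed for the example, not the page's or any product's code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed purpose catalogue: each specified purpose lists the only data
# categories it may touch (data minimisation). Consent is never recorded for
# a purpose that does not appear in the notice the principal was shown.
PURPOSES = {
    "telemedicine": {"name", "health_record"},
    "contact_sync": {"contacts"},
    "marketing_email": {"email"},
}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str           # exactly one specified purpose, never a bundle
    granted: bool          # True = consent given, False = withdrawn
    notice_version: str    # the plain-language notice shown at that moment
    at: datetime


class ConsentLedger:
    """Append-only event log. Live consent state is derived by replaying the
    log, so the audit trail and the processing decision cannot diverge."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, granted: bool,
                notice_version: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"'{purpose}' is not a specified purpose in the notice")
        ev = ConsentEvent(principal_id, purpose, granted, notice_version,
                          datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def grant(self, principal_id: str, purpose: str, notice_version: str) -> ConsentEvent:
        """Record an affirmative action for one purpose. A caller that wants
        consent for several purposes must call this once per purpose."""
        return self._append(principal_id, purpose, True, notice_version)

    def withdraw(self, principal_id: str, purpose: str, notice_version: str) -> ConsentEvent:
        """Same shape as grant(): withdrawal is one call, not a support ticket."""
        return self._append(principal_id, purpose, False, notice_version)

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        """The latest event for (principal, purpose) decides; no event means no consent."""
        state = False
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                state = ev.granted
        return state

    def may_process(self, principal_id: str, purpose: str, category: str) -> bool:
        """Gate every processing call: consent must be live for this purpose AND
        the data category must be one that this purpose actually needs."""
        return self.has_consent(principal_id, purpose) and category in PURPOSES.get(purpose, set())

    def audit_trail(self, principal_id: str) -> list[ConsentEvent]:
        """What the principal (or an auditor) sees on an access request."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def demo() -> dict:
    """Walk through the Act's telemedicine illustration with constructed data."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", "telemedicine", "notice-v3")
    result = {
        "health_record_for_telemedicine": ledger.may_process("dp-001", "telemedicine", "health_record"),
        # Contacts are not needed for telemedicine: refused even though consent is live.
        "contacts_for_telemedicine": ledger.may_process("dp-001", "telemedicine", "contacts"),
        # No separate consent for contact_sync was ever given, so it is not bundled in.
        "contact_sync": ledger.has_consent("dp-001", "contact_sync"),
    }
    ledger.withdraw("dp-001", "telemedicine", "notice-v3")
    result["after_withdrawal"] = ledger.may_process("dp-001", "telemedicine", "health_record")
    result["events"] = len(ledger.audit_trail("dp-001"))
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that `may_process` is the only path application code should use to touch personal data: it refuses a category the purpose does not need even while consent is live, and it flips to refusal the moment a withdrawal event is appended, with no separate cache to invalidate. Storing the notice version on every event is what lets you later prove which wording the principal actually saw.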
Data Principal Rights
Every Data Principal has rights that the Data Fiduciary must operationalise in product and process: access (a summary of the personal data processed and the processing activities, plus the identities of the other Data Fiduciaries and Data Processors with whom it has been shared), correction (rectify, complete or update inaccurate data), erasure (delete data no longer necessary for the specified purpose, unless retention is required by law), grievance redressal (a readily available mechanism, answered within a reasonable, published time, which must be exhausted before a complaint goes to the Board), and nomination (nominate another individual to exercise these rights in the event of death or incapacity).
Implementation: build self-service flows in the product (data download, correction, account deletion), publish a grievance officer contact, define internal SLAs, and train customer support to recognise a rights request that arrives as an ordinary ticket. Most Indian SaaS products are partway there in 2026 but not complete; the usual gaps are the processor list in the access response and erasure that does not propagate to processors and backups.
Reasonable Security Safeguards
Section 8 requires the Data Fiduciary to implement appropriate technical and organisational measures to ensure compliance, and to protect personal data in its possession or control, including data handled on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. The Act does not prescribe specific controls; ISO/IEC 27001:2022 Annex A is widely adopted as the practical interpretation, plus sector-specific guidance (RBI, IRDAI, SEBI, NCIIPC). The processor clause is the one most organisations underestimate: a breach at a vendor is still the Data Fiduciary's breach.
Common controls expected by auditors and the eventual Data Protection Board: identity and access management with MFA, encryption at rest and in transit, network segmentation, vulnerability and patch management with regular VAPT, logging and monitoring, incident response, vendor cyber assurance, awareness training, physical security.
Breach Notification
A personal data breach must be notified to the Data Protection Board of India (DPBI) and to each affected Data Principal. The Draft DPDP Rules 2025 specify the operational mechanics, including an initial intimation without delay and a fuller report to the Board within 72 hours of becoming aware, or such longer period as the Board allows. The statutory definition is broad: any unauthorised processing, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data. A ransomware incident that encrypts data without exfiltrating it is therefore still a personal data breach, because availability is compromised.
Practical preparation: integrate DPBI notification into the existing incident response plan and document who notifies, what the notification contains and what the timeline is. The CERT-In directions of 28 April 2022 separately require reporting of specified cyber incidents to CERT-In within 6 hours of noticing them, and the two regimes operate in parallel with different triggers, recipients and clocks. See our IRP blog for the parallel notification matrix.
Significant Data Fiduciary Obligations
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on factors including the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the security of the State, public order, and electoral democracy.
SDF additional obligations: appoint a Data Protection Officer based in India who is responsible to the board (or equivalent governing body) and serves as the point of contact for grievance redressal, appoint an independent data auditor, conduct periodic Data Protection Impact Assessments (DPIA) and periodic audits, and comply with any other measures the Central Government may prescribe.
Likely SDF candidates: large banks, major fintechs, major insurers, large hospitals, major e-commerce platforms, large IT services exporters, large telcos, large social media platforms. Plan for SDF obligations if your organisation is at this scale.
Practical Compliance Checklist
- Personal data inventory across systems and processes
- Lawful basis documented for each processing purpose (consent or certain legitimate use)
- Consent management implementation (capture, withdraw, audit)
- Privacy notice in plain language, accessible from the product
- Data principal rights workflows (access, correction, erasure, grievance)
- Grievance officer appointed and contact published
- Retention schedule defined and operationalised
- Reasonable security safeguards aligned with ISO 27001 Annex A or equivalent
- Breach response plan integrated with CERT-In and DPBI notification
- Vendor (Data Processor) agreements aligned with DPDP requirements
- Cross-border transfer assessment per Section 16 and any Government notification
- DPO and independent auditor where SDF designated
- DPIA for high-risk processing (SDF) or major new processing
- Training and awareness for staff handling personal data
- Board-level reporting cadence for DPDP programme status
Frequently Asked Questions
When does the DPDP Act come into force?
Different sections may be brought into force on different dates by notification. As of 2026, the substantive provisions have been notified and the Draft DPDP Rules 2025, which carry the operational detail (notice content, breach intimation, verifiable parental consent and the like), are in progress. Most organisations are operating as if the full Act is in force from a compliance-planning perspective, since the controls take longer to build than the notification period gives.
How does DPDP compare to GDPR?
Significant overlap in principles (lawful basis, data minimisation, data subject rights, breach notification, accountability). Important differences in scope (DPDP covers only digital personal data and has no special category of sensitive data), penalties (DPDP sets fixed rupee caps per category of breach, GDPR uses a percentage of global turnover), the role of consent (DPDP relies far more heavily on consent, with a short closed list of non-consent uses instead of GDPR's legitimate-interest balancing test), and operational requirements. Indian businesses subject to both should run a unified programme with GDPR as the stricter baseline and DPDP-specific additions (nomination, Eighth Schedule languages, CERT-In and DPBI reporting) layered on top.
Who is the regulator?
The Data Protection Board of India (DPBI), a body established under the Act. The DPBI inquires into personal data breaches and complaints, issues directions, and imposes the monetary penalties set out in the Schedule. Its orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Do we need a DPO?
A named Data Protection Officer is mandatory only for Significant Data Fiduciaries. Every Data Fiduciary must still publish the business contact details of a DPO or of a person able to answer Data Principals' questions about the processing of their data (Section 8(9)), and appoint a grievance officer whose contact is published. For any organisation processing personal data at material scale, a DPO function (whether a named DPO or responsibilities distributed across the team) is in practice essential to operationalise compliance.
What about cross-border data transfer?
Section 16 allows cross-border transfers except to countries or territories that the Central Government may restrict by notification. The list has not been publicly notified as of mid-2026. Plan for transfers being permitted by default and watch for any notification, but note Section 16(2): any sectoral law or rule that imposes a stricter localisation requirement (for example RBI's payment system data storage directions) continues to apply, so the DPDP default does not relax those.
Can Codesecure help us with DPDP compliance?
Yes. Codesecure delivers DPDP gap assessment, compliance programme design, consent and rights workflow implementation, breach response integration and vendor management uplift. Integrated with ISO 27001 where customer has both obligations.
Be DPDP Ready Before The Regulator Comes Knocking
Codesecure delivers DPDP Act 2023 compliance programmes for Indian SaaS, fintech, healthcare, ecommerce, education and enterprise customers. ISO/IEC 27001:2022 certified delivery, named consultants, integrated ISO 27001 and DPDP engagements.

