Key Takeaways
- DPDP Act 2023 is enacted; Draft DPDP Rules 2025 are out for consultation with phased commencement expected through 2025-2026.
- Penalties are material: up to INR 250 crore for failure to take reasonable security safeguards, INR 200 crore for breach notification failures, INR 50 crore for other obligations.
- Every Indian business processing digital personal data is in scope as a Data Fiduciary, regardless of size. SMBs are NOT exempt.
- A 12-week implementation is realistic for most Indian SMBs without dedicated GRC teams. Typical scope costs INR 75K-2.5L.
- Run alongside ISO 27001 if you already have it. 60-70 percent of DPDP control work overlaps with ISO 27001 Annex A.
What the DPDP Act 2023 Actually Requires
The Digital Personal Data Protection Act 2023 is India's federal law governing processing of digital personal data of Indian individuals (Data Principals). It applies to any organisation (Data Fiduciary) that processes personal data, regardless of where it is headquartered, as long as it offers goods or services to Indian individuals or processes personal data of Indian individuals.
Unlike GDPR and equivalent laws in other jurisdictions, DPDP is structured around consent as the default lawful basis, with a narrow set of legitimate uses (Section 7) that allow processing without explicit consent. This pushes most Indian businesses toward consent-driven workflows, which is a meaningful operational shift if you have been relying on implied consent or blanket terms-of-service clauses.
The Data Protection Board of India (DPB) is the enforcement body. Penalties under the Act: up to INR 250 crore per instance for failure to take reasonable security safeguards, INR 200 crore for breach notification failures, INR 50 crore for other obligations including notice, consent and rights workflow failures.
Who Is In Scope (Hint: Probably You)
DPDP Act 2023 applies to processing of digital personal data of Indian Data Principals by any Data Fiduciary. The Act's scope is broader than most Indian SMBs realise.
You Are Definitely In Scope If
You collect any personal data of Indian individuals (names, emails, phone numbers, addresses, IDs, transaction details, location data, biometrics, health data, financial data, payment information). This covers virtually every Indian SaaS, fintech, e-commerce, healthcare, education and B2C business.
You process personal data on behalf of someone else as a Data Processor (BPOs, IT services, outsourcing providers serving foreign or domestic Data Fiduciaries).
You operate from outside India but offer goods or services to Indian individuals or process their personal data (extraterritorial application similar to GDPR Article 3).
You Might Be a Significant Data Fiduciary (SDF)
Section 10 designates certain Data Fiduciaries as 'Significant' based on volume and sensitivity of personal data processed, risk to Data Principals, electoral democracy risk, security of state and public order. The government will notify the criteria. SDFs have additional obligations: appoint a Data Protection Officer, conduct DPIAs, undergo independent annual audits, register with the DPB.
Likely SDFs: large social media intermediaries, e-commerce platforms above thresholds, fintech and payment processors, health-tech platforms, major SaaS platforms, NBFCs and banks. Most Indian SMBs are NOT SDFs but should still maintain SDF-equivalent documentation as enterprise customers increasingly require it in vendor due diligence.
Need a DPDP Compliance Programme?
Codesecure runs DPDP Act 2023 compliance programmes for Indian businesses: data mapping, notice and consent redesign, data principal rights workflow, breach playbook. ISO/IEC 27001:2022 certified delivery, fixed-fee engagements.
The 12-Item DPDP Compliance Checklist
This is the operational checklist Codesecure uses in client DPDP engagements. Items are sequenced for a 12-week implementation timeline.
1. Personal Data Inventory and Mapping
Document every system, platform and process that collects, stores or transmits personal data of Indian individuals. Capture: data categories (basic, sensitive, special), purpose of processing, retention period, recipients (internal teams, external vendors, sub-processors), cross-border transfer destinations. Use a Record of Processing Activities (RoPA) document similar to GDPR Article 30. Most Indian SMBs need a few days for first inventory, then quarterly updates.
2. Lawful Basis Selection (Section 6 vs Section 7)
For each processing purpose, determine the lawful basis: Section 6 explicit consent (default) or Section 7 legitimate uses (employment, public interest, court orders, medical emergencies, etc.). Document this in your RoPA. Misuse of legitimate uses to bypass consent is the most common compliance failure we see in client gap analyses.
3. Plain-Language Notice (Section 5)
Section 5 mandates a clear, plain-language notice at the time of seeking consent. Required elements: personal data being processed, purpose of processing, manner of exercising rights (access, correction, erasure, grievance), how to lodge a complaint with the DPB. The notice must be available in English plus regional languages where required (Draft DPDP Rules 2025 specify the language requirements). Most Indian businesses need to rewrite their privacy notices because legacy notices are too long, too legal and not section-aligned.
4. Consent Capture and Withdrawal Mechanics
Consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action (Section 6). Pre-ticked boxes and implied consent do not work. Consent withdrawal must be as easy as giving consent: a single-click mechanism, not buried in account settings. Retain evidence of consent (timestamp, version of notice consented to, source) for audit. Plan for Consent Manager integration if your business model involves multiple Data Fiduciaries (account aggregators, broad-coverage platforms).
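As an added illustration (not Codesecure's tooling or code from the page), a Python consent ledger that implements the Section 6 mechanics from item 4 together with the lawful-basis lookup from item 2: every grant or withdrawal is an append-only event carrying timestamp, notice version and source, pre-ticked or implied consent is rejected, withdrawal is a single call with no preconditions, and a purpose is processed under Section 7 only when the RoPA documents it as a legitimate use. Purpose names, notice versions and the legitimate-use entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool            # True = consent given, False = consent withdrawn
    notice_version: str      # version of the Section 5 notice shown at the time
    source: str              # channel the action came from, e.g. "web-signup"
    at: datetime


@dataclass
class ConsentLedger:
    # Append-only: a withdrawal is a new event; earlier evidence is never overwritten.
    events: list = field(default_factory=list)
    # Section 7 legitimate uses copied from the RoPA: purpose -> documented ground.
    # Constructed example entries, not a legal mapping.
    legitimate_uses: dict = field(default_factory=dict)

    def record_consent(self, principal_id, purpose, notice_version, source,
                       affirmative_action, at=None):
        # Section 6: a pre-ticked box or silence is not a clear affirmative action.
        if not affirmative_action:
            raise ValueError("consent needs a clear affirmative action by the Data Principal")
        self.events.append(ConsentEvent(principal_id, purpose, True, notice_version,
                                        source, at or datetime.now(timezone.utc)))

    def withdraw(self, principal_id, purpose, source, at=None):
        # No preconditions: withdrawing is one call, as easy as consenting.
        self.events.append(ConsentEvent(principal_id, purpose, False, "", source,
                                        at or datetime.now(timezone.utc)))

    def active_consent(self, principal_id, purpose):
        """Latest event for this principal and purpose, if it is a grant."""
        latest = None
        for event in self.events:
            if event.principal_id == principal_id and event.purpose == purpose:
                latest = event
        return latest if latest is not None and latest.granted else None

    def lawful_basis(self, principal_id, purpose):
        """Return ("section_6", evidence), ("section_7", ground) or None."""
        # Section 6 consent is the default; Section 7 applies only to purposes the
        # RoPA explicitly documents as a legitimate use, never as a consent bypass.
        if purpose in self.legitimate_uses:
            return ("section_7", self.legitimate_uses[purpose])
        consent = self.active_consent(principal_id, purpose)
        return ("section_6", consent) if consent is not None else None
```

A processing job calls `lawful_basis` before touching a record and logs the returned evidence alongside the action, which is the consent audit trail item 4 asks you to retain.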
5. Data Principal Rights Workflow (Sections 11-14)
Build an operational workflow for: Section 11 right to access personal data being processed, Section 12 right to correction, completion, updating and erasure, Section 13 right to nominate a successor for personal data in case of incapacity, Section 14 right to grievance redressal. Provide a dedicated email or web form for each right. Respond within timelines specified by the Rules (Draft Rules 2025 suggest 90 days standard, 30 days for grievances). Document responses for audit.
6. Designate a Grievance Officer
Section 14 requires designating a person (officer, role) to address Data Principal grievances. Publish the officer's contact details in the privacy notice. For Significant Data Fiduciaries, this is the Data Protection Officer; for everyone else, it can be any responsible employee (HR head, ops lead, founder for small companies). Document the role with named accountability.
7. Breach Notification Playbook (Section 8(6))
Section 8(6) requires Data Fiduciaries to notify the DPB and affected Data Principals of personal data breaches within timelines the Rules will specify (likely 72 hours similar to GDPR). Build a playbook: breach detection criteria, initial assessment, severity classification, DPB notification format, Data Principal notification template, remediation steps, post-incident review. Tabletop exercise the playbook with your security and ops teams.
8. Cross-Border Transfer Mechanism
Section 16 covers cross-border transfers. Currently DPDP permits transfers to any country except those notified by central government as restricted. As of mid-2026 no restricted list has been published, but plan for it: document the destination, lawful basis, contractual safeguards (similar to GDPR Standard Contractual Clauses). For Indian SaaS hosting on AWS/Azure/GCP, document the regional architecture (Mumbai vs US East, etc.) and customer data location.
9. Reasonable Security Safeguards (Section 8(5))
Section 8(5) requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. The Act does not specify what 'reasonable' means; the Rules and DPB enforcement decisions will clarify. Sensible baseline: encryption at rest and in transit, access controls with MFA, vulnerability management, employee security training, vendor security due diligence, incident response capability. Most ISO 27001 Annex A controls satisfy this directly.
10. Vendor and Sub-Processor Management
Document every third party (vendor, sub-processor, integrated SaaS tool) that processes personal data on your behalf. Have a Data Processing Agreement (DPA) with each. Conduct security due diligence at onboarding. Maintain a vendor register. Map data flows, including those to off-shore vendors. Audit the practices of critical vendors annually.
11. Children and Persons With Disability (Section 9)
Section 9 requires verifiable parental consent before processing personal data of children (under 18 in India). For persons with disability with a lawful guardian, guardian consent is required. If your business processes children's data (edtech, gaming, healthcare for minors), build age verification and parental consent flows. Most Indian SMBs are not in scope here but should explicitly document that they are not.
12. Significant Data Fiduciary Obligations (If Applicable)
If notified as SDF: appoint a DPO (separate from grievance officer), conduct Data Protection Impact Assessment (DPIA) for high-risk processing, undergo independent annual audit, register with DPB, additional reporting obligations. Most Indian SMBs are NOT SDFs but should maintain DPIA-equivalent documentation as enterprise customers increasingly ask for it in vendor due diligence.
Realistic DPDP Compliance Cost and Timeline for Indian SMBs
Codesecure DPDP engagement pricing for Indian businesses: INR 75K to 1.25L for startups (under 25 staff, single product), INR 1.25L to 2L for SMBs with multi-product operations, INR 2L to 2.5L+ for Significant Data Fiduciaries needing DPIA, DPO and independent audit.
Timeline: 8-12 weeks from kickoff to operational DPDP programme for typical Indian SMBs. Includes data mapping (weeks 1-2), notice and consent redesign (weeks 3-4), rights workflow build (weeks 5-7), breach playbook and tabletop (week 8), validation and DPB-readiness review (weeks 9-12).
There is no certification body for DPDP. Compliance is demonstrated through documented operations: RoPA, notices, consent records, rights response logs, breach incident records, vendor register, training records. Auditors (and the DPB during inquiries) will ask for these specifically.
Frequently Asked Questions
Is the DPDP Act 2023 actually in force? When does enforcement start?
The DPDP Act 2023 is enacted. Draft DPDP Rules 2025 are out for public consultation as of early 2025. The Data Protection Board of India is being constituted. Phased commencement is expected through 2025-2026. Most Indian businesses are using the gap window to build compliance ahead of full enforcement rather than waiting and scrambling once penalties activate.
Are Indian SMBs exempt from DPDP Act compliance?
No, there is no SMB exemption in the DPDP Act 2023. Every Indian business processing digital personal data is a Data Fiduciary subject to the Act. Significant Data Fiduciaries (notified by government based on Section 10 criteria) have additional obligations, but baseline obligations apply to everyone. SMBs are NOT exempt and have been a regular target of recent enforcement discussions.
What is the difference between Data Fiduciary and Significant Data Fiduciary?
Every business processing personal data is a Data Fiduciary. Significant Data Fiduciaries are a sub-set notified by the government based on Section 10 criteria: volume and sensitivity of personal data, risk to Data Principals, electoral democracy risk, security of state and public order. SDFs have additional obligations: DPIA, DPO appointment, independent audit, registration with DPB. Most Indian SMBs are NOT SDFs but should maintain SDF-equivalent documentation for enterprise customer due diligence.
How does DPDP interact with ISO 27001 and SOC 2?
ISO 27001 Annex A overlaps 60-70 percent with DPDP technical and organisational requirements. SOC 2 Privacy TSC also overlaps. Most Indian SaaS companies run combined ISO 27001 + DPDP programmes because the underlying ISMS is shared. Codesecure is ISO/IEC 27001:2022 certified and routinely delivers combined ISO 27001 + DPDP programmes for Indian clients.
What does DPDP compliance cost for a typical Indian SMB?
Codesecure pricing tiers: INR 75K-1.25L for early-stage Data Fiduciaries (under 25 staff, single product), INR 1.25L-2L for SMBs with multi-product operations, INR 2L-2.5L+ for Significant Data Fiduciaries needing DPIA, DPO advisory and independent audit support. Timeline: 8-12 weeks from kickoff to operational programme. There is no certification body fee because DPDP is not a certification.
Do we need to appoint a Data Protection Officer?
Significant Data Fiduciaries must appoint a DPO (Section 10). Other Data Fiduciaries must appoint a grievance officer under Section 14 (this can be any responsible employee). Many Indian SMBs use an outsourced DPO retainer to satisfy customer due diligence asks without hiring a full-time officer. Codesecure offers outsourced DPO advisory, typically at INR 30K-60K per quarter.
What happens if we have a personal data breach? How fast do we need to report?
Section 8(6) requires notification to the Data Protection Board and affected Data Principals. The Rules will specify exact timelines; current draft suggests 72 hours similar to GDPR. Build a breach playbook now: detection criteria, severity classification, DPB notification format, Data Principal notification template, remediation, post-incident review. Tabletop exercise the playbook quarterly. Codesecure can help author and tabletop-test the playbook.
Get DPDP-Ready in 12 Weeks With a Fixed-Fee Programme
Codesecure runs DPDP Act 2023 compliance programmes for Indian SMBs end to end. Data mapping, notice and consent redesign, rights workflow, breach playbook, vendor management. ISO/IEC 27001:2022 certified delivery, fixed-fee, named consultants.