Updated April 2026 — DPDP Rules 2025 Final

DPDP Act Compliance Checklist 2026 — 65+ Items for Indian Companies

The most comprehensive DPDP Act compliance checklist available — covering all 8 obligation areas of the Digital Personal Data Protection Act, 2023 and DPDP Rules 2025. Built for CIOs, CTOs, DPOs, and compliance leads at Indian startups, SaaS companies, fintechs, and enterprises.

65+ action items
8 compliance categories
Penalty reference included
Sector tags: SaaS · Fintech · Health · E-com

Contents

  1. Consent Management
  2. Notice & Transparency
  3. Data Principal Rights
  4. Data Fiduciary Obligations
  5. Security Safeguards
  6. Breach Notification
  7. Data Processors & Third Parties
  8. Children's Data
  9. Penalty Reference
  10. FAQ

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. The DPDP Rules 2025 were notified on 13 November 2025, triggering an 18-month phased implementation period ending May 2027.

This checklist maps every core obligation of the Act and Rules into actionable items. Use it to assess your current compliance posture, assign ownership, and prioritise remediation before enforcement begins. This is not legal advice — consult qualified legal counsel for your specific situation.

Sector tags indicate items with heightened obligations for specific industries: [SaaS] [Fintech] [Health] [E-com]

DPDP Enforcement Timeline

Phase 1 — Active Now
Nov 2025 onwards
Core obligations active. Consent, notice, security safeguards, rights fulfilment, and breach notification requirements in force. Start your gap assessment immediately.
Phase 2 Deadline
November 2026
Consent Manager registration deadline. Entities acting as Consent Managers must register with the DPBI by this date.
Full Enforcement
May 2027
All provisions of the Act and Rules become fully operational. DPBI empowered to investigate and impose penalties across all violation categories.
2. Notice & Transparency

Privacy Notice covers: what data is collected, why, how long it is retained, and who it is shared with
Privacy Notice available in English and at least one language listed in the Eighth Schedule of the Constitution of India
Notice provided before or at the time of data collection — not buried in multi-page Terms & Conditions
Notice accessible without requiring login or account creation [SaaS]
All data collection forms clearly indicate which fields are mandatory and which are optional [E-com]
Privacy Notice updated and republished whenever processing purposes change materially
All previous versions of the Privacy Notice archived with their effective dates
Website and app have a clearly labelled, easily accessible Privacy Policy link in the footer and at data collection points [E-com]
Section 2 Score: __ / 8 items
RED: <4 · AMBER: 4–7 · GREEN: 8/8
3. Data Principal Rights

Process in place to receive and fulfil Right to Access requests within a defined SLA
  → Data Principal can request a summary of all personal data held and all processing purposes
Right to Correction: mechanism to update inaccurate or incomplete personal data on request
Right to Erasure: deletion request triggers removal across all systems including backups (within retention policy) [SaaS]
Right to Grievance Redressal: DPO or designated contact published and responsive within 30 days
Right of Nomination: mechanism for an individual to nominate another person to exercise rights in case of death or incapacity
All rights requests logged: date received, action taken, date resolved, and outcome
Rights fulfilment workflow tested end-to-end at least once per year
Automated rights request intake available (web form or dedicated email alias) — not manual only [SaaS]
Data Principals informed of their right to raise complaints with the Data Protection Board of India (DPBI)
Section 3 Score: __ / 9 items
RED: <5 · AMBER: 5–8 · GREEN: 9/9
4. Data Fiduciary Obligations

Data Protection Officer (DPO) appointed if classified or likely to be classified as a Significant Data Fiduciary (SDF)
  → DPO must be based in India and report directly to the Board — not just senior management
Independent Data Auditor appointed (for SDFs) — annual audit conducted and findings presented to the Board
Data Protection Impact Assessment (DPIA) conducted for all high-risk processing activities before commencement
Data minimisation enforced — only data strictly necessary for the stated purpose is collected [SaaS]
Purpose limitation enforced — personal data not used beyond the consented purpose without fresh consent or a legitimate use basis
Storage limitation policy in place — data deleted or anonymised when the purpose for which it was collected is fulfilled [Health]
Data accuracy controls ensure personal data is correct and up to date at the point of use
Register of all processing activities (RoPA) maintained and reviewed at least quarterly
Privacy-by-Design principles applied to all new product features and systems that process personal data
Section 4 Score: __ / 9 items
RED: <5 · AMBER: 5–8 · GREEN: 9/9
5. Security Safeguards (Section 8 — ₹250 Cr penalty)

Encryption of personal data at rest and in transit (TLS 1.2+ for transit, AES-256 or equivalent at rest) [Fintech]
Role-based access controls (RBAC) — personal data accessible on a strict need-to-know basis only
Access logs maintained for all systems processing personal data — retained for a minimum of 12 months [SaaS]
Vulnerability Assessment & Penetration Testing (VAPT) conducted at least annually by a qualified firm
  → Banks and NBFCs must use CERT-In empanelled firms; quarterly VAPT recommended for internet-facing SaaS
Patch management policy in place — critical vulnerabilities remediated within 30 days of public disclosure
Multi-factor authentication (MFA) enforced for all systems and admin accounts processing personal data [Fintech]
Data Loss Prevention (DLP) controls in place for sensitive personal data categories [Health]
Security assessment conducted for every vendor and third party with access to personal data
Security awareness training for all employees handling personal data — at least annually, with attendance records
Incident response plan documented, tested, and explicitly includes DPDP breach notification workflow steps
Section 5 Score: __ / 10 items
RED: <5 · AMBER: 5–9 · GREEN: 10/10
6. Data Breach Notification (₹200 Cr penalty)

Breach detection mechanisms in place: SIEM, alerting, and monitoring across all personal data systems [Fintech]
Breach classification process defined — clearly distinguishes reportable breaches from non-reportable incidents
Process to notify the Data Protection Board of India (DPBI) promptly upon discovery of a personal data breach
  → DPDP Rules will specify exact timelines; current expectation is prompt notification without undue delay
Process to notify affected Data Principals in plain language — template prepared and approved in advance
Breach notification template (to DPBI and Data Principals) drafted, reviewed by legal, and approved before an incident occurs
Breach register maintained — all security incidents logged regardless of whether they meet the reportability threshold
Post-breach root cause analysis conducted for every reportable breach — remediation actions documented and reviewed
Breach response tabletop exercise conducted at least annually — results documented and lessons incorporated [SaaS]
Section 6 Score: __ / 8 items
RED: <4 · AMBER: 4–7 · GREEN: 8/8
7. Data Processors & Third-Party Management

Complete inventory of all Data Processors (vendors who process personal data on your behalf) maintained and current
Data Processing Agreement (DPA) signed with every Data Processor before any personal data is shared
DPA binds the processor to process personal data only per Data Fiduciary instructions — no independent use permitted
Data Processors contractually prohibited from engaging sub-processors without prior written approval [SaaS]
Annual security assessment or independent audit conducted for all critical Data Processors
Cross-border data transfers verified — personal data transferred only to countries notified by the Central Government [Fintech]
All vendor contracts include data deletion or return obligations upon contract exit or termination
Processor breach notification clause in all DPAs: processor must notify the Data Fiduciary immediately upon discovering any breach
Section 7 Score: __ / 8 items
RED: <4 · AMBER: 4–7 · GREEN: 8/8
8. Children's Data & Special Obligations (₹200 Cr penalty)

Age verification mechanism in place to identify users under 18 before collecting or processing their personal data [E-com]
Verifiable parental consent obtained before processing any personal data of children (under 18 years)
Processing of children's data that is detrimental to their well-being is strictly prohibited and controls are tested
Behavioural tracking, targeted advertising, and profiling of children is strictly prohibited across all products [E-com]
Privacy-by-Design applied to all product features accessible by child users [SaaS]
Children's personal data not shared with third parties without explicit, verifiable parental consent
Age gate implemented on platforms not intended for users under 18 — restricts access before registration [E-com]
Section 8 Score: __ / 7 items
RED: <4 · AMBER: 4–6 · GREEN: 7/7

Overall Compliance Score: __ / 68 items
0–33 = RED — High risk. Immediate remediation required before enforcement begins.
34–61 = AMBER — Partial compliance. Prioritise gap closure.
62–68 = GREEN — Strong posture. Focus on evidence and maintenance.


DPDP Act Penalty Reference — Schedule to the Act

Penalty  | Severity | Violation
₹250 Cr  | CRITICAL | Failure to implement reasonable security safeguards (Section 8)
₹200 Cr  | CRITICAL | Failure to notify data breach to DPBI or affected Data Principals
₹200 Cr  | CRITICAL | Non-compliance with children's data processing obligations
₹50 Cr   | HIGH     | Failure to fulfil Data Principal rights (erasure, correction, nomination)
₹50 Cr   | HIGH     | Failure to register as Consent Manager (where applicable)
₹50 Cr   | MEDIUM   | Breach of any other provision of the Act or Rules

Penalties are per violation and may be cumulative. The Data Protection Board of India (DPBI) has adjudicatory powers. Repeat violations may attract higher penalties.

Frequently Asked Questions — DPDP Act Compliance

What are the main compliance requirements under the DPDP Act 2023?
The DPDP Act 2023 requires Indian companies to obtain valid consent before processing personal data, provide a clear Privacy Notice in plain language, fulfil Data Principal rights (access, correction, erasure, nomination), implement reasonable security safeguards, notify data breaches to the DPBI promptly, manage Data Processors through signed Data Processing Agreements, and apply special protections for children's data. Significant Data Fiduciaries must also appoint a DPO and conduct annual Data Audits.
What is the maximum penalty under the DPDP Act?
The maximum penalty under the DPDP Act 2023 is ₹250 crore for failure to implement reasonable security safeguards. Failure to notify a data breach to the DPBI or affected Data Principals carries a penalty of up to ₹200 crore. Non-compliance with children's data obligations also attracts up to ₹200 crore. Failure to fulfil Data Principal rights carries penalties up to ₹50 crore. Penalties are imposed by the Data Protection Board of India (DPBI).
When does full DPDP Act enforcement begin in India?
The DPDP Rules 2025 were notified on 13 November 2025. Phase 1 obligations are active immediately. The Consent Manager registration deadline is November 2026. Full enforcement with all provisions operational is expected by May 2027 — 18 months after the Rules notification date.
Who is a Significant Data Fiduciary under the DPDP Act?
A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on criteria including volume and sensitivity of personal data processed, risk to Data Principals, national security implications, and impact on sovereignty. SDFs have additional obligations: appointing a Data Protection Officer (DPO) based in India, conducting an annual Data Audit by an independent auditor, and undertaking Data Protection Impact Assessments (DPIAs).
Does the DPDP Act apply to startups and small businesses?
Yes. The DPDP Act applies to all entities processing digital personal data of individuals in India, regardless of company size. However, the Central Government may exempt certain classes of Data Fiduciaries such as startups from specific provisions. Until such exemptions are formally notified, all companies processing personal data of Indian residents must comply with the Act's core obligations.
What is the difference between a Data Fiduciary and a Data Processor?
A Data Fiduciary is the entity that determines the purpose and means of processing personal data — typically the company collecting data directly from customers or employees. A Data Processor processes personal data on behalf of the Data Fiduciary — typically a vendor, SaaS platform, or outsourcing partner. Data Fiduciaries must sign Data Processing Agreements (DPAs) with all their Data Processors, binding them to process data only as instructed.

Need help implementing DPDP Act compliance?

MYITMANAGER.IN provides end-to-end DPDP compliance — gap assessment, consent framework design, DPO advisory, Data Processing Agreement templates, and breach response planning. Trusted by Zomato, Tata 1mg, Magicpin, RenewBuy, and 100+ Indian organisations. Led by Saurabh — ex-Bain India IT Head, CISM, CIPP/E.
