
DPDP Compliance Checklist: 15-Step Guide for Indian Businesses (2026)

Advait Kapoor | February 7, 2026 | 16 min read

You know you need to comply with the DPDP Act. You have read the overviews, skimmed the Act, maybe bookmarked a few articles. What you need now is a sequence: what to do first, what to do next, and how long each step actually takes.

I have built compliance programs from scratch at four companies over the past eight years. Two of those were under GDPR, two under India's older IT Act framework. With the DPDP Act 2023 and the DPDP Rules 2025 now both published, the full picture is finally clear. What follows is the exact checklist I would use if I were starting DPDP compliance today at a 50-person Indian company.

Every step maps to a specific section of the Act or Rules. Every step has a time estimate. The steps are ordered by dependency: you cannot do Step 7 properly without completing Steps 1 through 4.

Key Takeaways

  • DPDP compliance breaks into three phases: Foundation (discovery and mapping), Implementation (building compliance infrastructure), and Operations (ongoing maintenance and response).
  • The full enforcement deadline is May 13, 2027. Children's data provisions activate six months earlier, in November 2026.
  • Every step in this checklist maps to a specific section of the DPDP Act 2023 or the DPDP Rules 2025.
  • A 50-person company should budget 12 to 16 weeks for Phases 1 and 2. Phase 3 is continuous.
  • The single most common mistake is starting with consent banners (Step 7) before completing data mapping (Steps 2 and 3). Without knowing what data you hold, your consent mechanism is guesswork.

How Should You Think About DPDP Compliance?

Before the 15 steps, a framing note. DPDP compliance is not a one-time project. It is an operating discipline with a setup phase and an ongoing phase. The setup gets you to a defensible baseline. The ongoing work keeps you there.

I have structured this checklist into three phases:

Phase | Steps | Focus | Typical Timeline
----- | ----- | ----- | ----------------
Phase 1: Foundation | Steps 1-5 | Discovery, mapping, and gap analysis | Weeks 1-4
Phase 2: Implementation | Steps 6-10 | Building consent, security, and rights infrastructure | Weeks 5-12
Phase 3: Operations | Steps 11-15 | Breach response, audits, training, and continuous compliance | Ongoing from Week 8

Some steps overlap. You can start drafting your privacy notice (Step 6) while finishing your data map (Step 3). But the dependencies are real: skip the foundation, and everything you build on top of it has cracks.

Phase 1: Foundation (Weeks 1-4)

Step 1: Determine Your Data Fiduciary Status

DPDP Act Reference: Section 2(i) | Time Estimate: 1-2 days | Owner: Legal / Compliance Lead

Every entity that determines the purpose and means of processing personal data is a Data Fiduciary. This sounds straightforward until you consider that the same company can be a Data Fiduciary for some data and a Data Processor for other data.

Here is exactly what that looks like: a B2B SaaS company is a Data Fiduciary for its own employee data, for visitor data on its website, and for user account data in its product. It may be a Data Processor for the customer data that flows through its platform on behalf of its clients.

Document every role your company plays. For each category of personal data you handle, record whether you are the Fiduciary (you decide the purpose and means) or the Processor (you act on someone else's instructions).

Output: A role classification document listing every data category and your status (Fiduciary or Processor) for each.

Step 2: Inventory All Personal Data You Collect

DPDP Act Reference: Section 2(t), Section 8(1) | Time Estimate: 3-5 days for a 50-person company; 2-3 weeks for 200+ | Owner: IT / Engineering Lead with input from every department

This is the step most companies underestimate. You need a complete inventory of every piece of personal data your organisation collects, stores, processes, or shares. Not what you think you collect. What you actually collect.

Walk through every system, every form, every integration:

  • Customer-facing: Website forms, checkout flows, account registration, support tickets, chatbots, mobile apps
  • Employee-facing: HR systems, payroll, attendance, performance reviews, background checks
  • Marketing: Email lists, analytics tools, ad platforms, CRM records, social media integrations
  • Operations: Vendor contacts, partner databases, visitor logs, CCTV footage (if digitised)

For each data point, record:

  1. What personal data is collected (name, email, phone, Aadhaar, payment details, etc.)
  2. Where it is stored (which system, which server, which third-party platform)
  3. Who has access to it (which roles, which teams, which vendors)
  4. How it entered your system (direct collection, third-party sharing, public source)

Output: A personal data inventory spreadsheet. Every row is a data element. Every column answers one of the four questions above.

Step 3: Map Your Data Flows

DPDP Act Reference: Section 8(1), Section 8(2) | Time Estimate: 3-5 days (runs parallel to Step 2) | Owner: IT / Engineering Lead

The inventory tells you what data exists. The flow map tells you where it moves. These are different things, and you need both.

For each data category in your inventory, trace the complete lifecycle:

  • Collection point: Where does the data enter your system?
  • Processing: What happens to it? Who touches it? What automated processes act on it?
  • Storage: Where does it rest? For how long? Across how many systems?
  • Sharing: Does it leave your environment? To whom? Under what agreement?
  • Deletion: When and how is it removed?

Pay particular attention to third-party integrations. Every analytics tool, payment gateway, CRM, email service, and cloud provider that touches personal data is either a Data Processor (acting on your instructions) or another Data Fiduciary (making their own decisions about the data). Section 8(2) requires a valid contract with every Data Processor.

Output: A data flow diagram showing collection, processing, storage, sharing, and deletion for each major data category.

Step 4: Identify Your Lawful Basis for Each Processing Activity

DPDP Act Reference: Section 6 (consent), Section 7 (legitimate uses) | Time Estimate: 2-3 days | Owner: Legal / Compliance Lead

For every processing activity in your data flow map, you need a lawful basis. Under the DPDP Act, there are exactly two: consent (Section 6) or one of the enumerated legitimate uses (Section 7).

There is no "legitimate interest" balancing test like GDPR offers. You either have consent, or your processing falls into one of these categories:

  • The Data Principal voluntarily provided data for a specified purpose (Section 7(a))
  • Employment-related processing (Section 7(b))
  • Medical emergency (Section 7(c))
  • Safety and security (Section 7(d))
  • Legal compliance (Section 7(e))
  • Public interest or State functions (Section 7(f))

For most Indian SMBs, the majority of processing will require consent. Employment data and certain government-mandated reporting will fall under legitimate uses. Everything else needs a consent mechanism.

Output: A lawful basis register. Every processing activity mapped to its legal basis (consent or specific Section 7 ground), with a justification note.

Step 5: Conduct a Gap Analysis

DPDP Act Reference: All of Section 8 | Time Estimate: 2-3 days | Owner: Compliance Lead

You now have four documents: your fiduciary status classification, your data inventory, your data flow map, and your lawful basis register. Compare what you have against what Section 8 requires.

Here is the gap analysis framework I use:

Section 8 Obligation | What It Requires | Your Current State | Gap? | Priority
-------------------- | ---------------- | ------------------ | ---- | --------
Notice before consent (Section 5) | Standalone privacy notice specifying data collected, purpose, rights, complaint mechanism | Do you have one? Is it standalone? Is it complete? | Yes/No | High
Valid consent (Section 6) | Free, specific, informed, unconditional, clear affirmative action | Are your consent mechanisms compliant? Pre-ticked boxes? Bundled consent? | Yes/No | High
Purpose limitation (Section 8(1)) | Data used only for stated purpose | Are you using data for purposes beyond what was disclosed? | Yes/No | High
Data accuracy (Section 8(3)) | Complete, accurate, consistent data for decision-making | Do you have data quality processes? | Yes/No | Medium
Security safeguards (Section 8(4)) | Encryption, access controls, logging, monitoring, backup | Do you meet the DPDP Rules 2025 specifications? | Yes/No | Critical
Breach notification (Section 8(6)) | 72-hour notification to DPBI + individual Data Principal notification | Do you have a breach response plan? | Yes/No | Critical
Data erasure (Section 8(7)) | Erase data when purpose is fulfilled | Do you have retention policies and deletion mechanisms? | Yes/No | High
Processor contracts (Section 8(2)) | Valid data processing agreements with all processors | Do all vendor contracts include DPDP-compliant DPA clauses? | Yes/No | High

Output: A prioritised gap register. Each gap tagged with severity (Critical, High, Medium) and an estimated remediation effort.
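A worked version of Steps 2 to 5, added here as an example (it is not code from the original post): it takes a constructed inventory carrying the four Step 2 questions plus the purpose, lawful basis and sharing destinations from Steps 3 and 4, checks each row against Section 6/7, Section 8(2) and least-privilege access, and returns a gap register sorted by priority. The row layout, vendor names, and the choice to treat an "all-staff" access role as a Section 8(4) gap are assumptions for the illustration.

```python
"""Gap check over a constructed data inventory and flow map (Steps 2 to 5)."""
from dataclasses import dataclass, field

# Section 7 grounds as enumerated in Step 4
LEGITIMATE_USES = {"7(a)", "7(b)", "7(c)", "7(d)", "7(e)", "7(f)"}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}


@dataclass
class DataElement:
    element: str                 # what is collected (Step 2, question 1)
    stored_in: str               # where it is stored (question 2)
    access_roles: list           # who has access (question 3)
    source: str                  # how it entered your system (question 4)
    purpose: str                 # stated purpose (Section 8(1))
    lawful_basis: str            # "consent" or a Section 7 ground such as "7(b)"
    shared_with: list = field(default_factory=list)  # Step 3 "Sharing" destinations


@dataclass
class ThirdParty:
    name: str
    role: str          # "processor" (acts on your instructions) or "fiduciary"
    dpa_signed: bool   # Section 8(2): valid contract with every Data Processor


def find_gaps(inventory, third_parties):
    """Return (data element, gap description, priority) tuples, most severe first."""
    parties = {p.name: p for p in third_parties}
    gaps = []
    for row in inventory:
        if row.lawful_basis != "consent" and row.lawful_basis not in LEGITIMATE_USES:
            gaps.append((row.element, "no lawful basis under Section 6 or 7", "High"))
        for name in row.shared_with:
            party = parties.get(name)
            if party is None:
                gaps.append((row.element, f"recipient '{name}' missing from flow map", "High"))
            elif party.role == "processor" and not party.dpa_signed:
                gaps.append((row.element, f"processor '{name}' has no DPA (Section 8(2))", "High"))
        if "all-staff" in row.access_roles:   # assumption: a catch-all role is never least privilege
            gaps.append((row.element, "access not least-privilege (Section 8(4))", "Critical"))
    return sorted(gaps, key=lambda g: PRIORITY_RANK[g[2]])


# Constructed sample inventory for a small SaaS company (illustrative only)
SAMPLE_INVENTORY = [
    DataElement("customer email", "CRM (SaaS)", ["sales", "support"], "signup form",
                "order updates", "consent", ["crm-vendor", "email-vendor"]),
    DataElement("employee PAN", "HRMS", ["hr", "all-staff"], "onboarding form",
                "payroll and tax filing", "7(b)", ["payroll-vendor"]),
    DataElement("visitor IP address", "analytics tool", ["marketing"], "website",
                "traffic analysis", "business need", ["analytics-vendor"]),
]
SAMPLE_THIRD_PARTIES = [
    ThirdParty("crm-vendor", "processor", True),
    ThirdParty("email-vendor", "processor", False),
    ThirdParty("payroll-vendor", "processor", True),
    ThirdParty("analytics-vendor", "fiduciary", False),
]


def gap_register():
    """Gap register for the constructed sample."""
    return find_gaps(SAMPLE_INVENTORY, SAMPLE_THIRD_PARTIES)


if __name__ == "__main__":
    for element, gap, priority in gap_register():
        print(f"[{priority}] {element}: {gap}")
```

The register this produces is the Step 5 output in machine-readable form: each tuple is one row, and the priority column drives the order in which Phase 2 work is scheduled. Note that "business need" is rejected on purpose; it is the GDPR-style legitimate-interest reasoning the Act does not recognise.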

Phase 2: Implementation (Weeks 5-12)

Step 6: Draft and Publish Your Privacy Notice

DPDP Act Reference: Section 5, DPDP Rules 2025 | Time Estimate: 3-5 days for drafting and legal review; 1-2 days for publishing | Owner: Legal + Product/Engineering

Section 5 requires a standalone notice before collecting consent. The DPDP Rules 2025 specify it must be accessible and readable on its own, not buried in your Terms of Service.

Your notice must include:

  • What personal data you collect
  • The specific purpose for each category of data
  • How Data Principals can exercise their rights (access, correction, erasure, nomination)
  • How to file a complaint with the Data Protection Board of India
  • Contact details for your grievance officer

If you serve customers across India, consider that the DPDP Rules 2025 support notices in 22 scheduled Indian languages. At minimum, publish in English and Hindi. Add regional languages if your customer base warrants it.

For businesses that collected personal data before the Act's enforcement, Section 5(2) requires a retrospective notice to existing Data Principals. This applies to your entire existing customer and employee database.

Output: A published, standalone privacy notice on your website/app, with a version date and a mechanism for notifying users of changes.

Step 7: Build Your Consent Collection Mechanism

DPDP Act Reference: Section 6 | Time Estimate: 1-2 weeks for implementation and testing | Owner: Product / Engineering

This is where most companies start. It should not be. Without the data inventory (Step 2), flow map (Step 3), and lawful basis register (Step 4), you do not know what consent you need to collect, for which purposes, or from whom.

Now that you have that foundation, here is what a compliant consent mechanism requires:

  • Granular consent options: Each purpose gets its own toggle or checkbox. "I agree to everything" is not compliant.
  • No pre-ticked boxes: Every consent signal must be an affirmative action by the Data Principal.
  • Clear language: Explain what data you are collecting and why, in language a non-lawyer can understand.
  • Easy withdrawal: Section 6(4) requires that withdrawing consent must be as easy as giving it. One-click consent means one-click withdrawal.
  • Consent logging: Record what was consented to, when, by whom, and through what mechanism. You will need this evidence.

For websites, this means a consent management banner or modal that captures granular preferences. For apps, it means in-app consent flows at the point of data collection. For offline-to-digital scenarios (retail stores collecting phone numbers for bills), it means a digital consent capture mechanism at the point of collection.

Output: A live consent mechanism across all customer touchpoints, with a backend that logs and stores consent records.
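The backend half of that output, as an added example (not code from the original post): an append-only consent ledger that enforces the five requirements above. Consent is stored one purpose per event, so nothing is bundled; a non-affirmative signal such as a pre-ticked default is rejected; withdrawal is the same single call as granting; and every event records what, when, by whom, through which mechanism, and against which privacy notice version. The purpose catalogue is assumed to come from the Step 4 lawful basis register, and the principal ids, mechanism names and notice versions are constructed.

```python
"""Append-only consent ledger with per-purpose grant and withdrawal events."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one purpose per event: consent is granular
    granted: bool         # True = given, False = withdrawn
    timestamp: datetime
    mechanism: str        # where it was captured: banner, app flow, store kiosk
    notice_version: str   # the privacy notice (Step 6) shown at the time


class ConsentLedger:
    def __init__(self, purposes):
        self._purposes = set(purposes)   # only registered, specific purposes
        self._events = []                # append-only evidence trail

    def _append(self, principal_id, purposes, granted, mechanism, notice_version, now):
        if not purposes:
            raise ValueError("at least one specific purpose is required")
        unknown = set(purposes) - self._purposes
        if unknown:
            # Catches bundled catch-alls such as "everything" as well as typos
            raise ValueError(f"unregistered purpose(s): {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        for purpose in purposes:
            self._events.append(
                ConsentEvent(principal_id, purpose, granted, now, mechanism, notice_version))

    def record_consent(self, principal_id, purposes, affirmative, mechanism,
                       notice_version, now=None):
        # A pre-ticked box or silence arrives here as affirmative=False and is rejected
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the Data Principal")
        self._append(principal_id, purposes, True, mechanism, notice_version, now)

    def withdraw(self, principal_id, purposes, mechanism, notice_version, now=None):
        # Section 6(4): withdrawing is the same single call as granting, no extra hoops
        self._append(principal_id, purposes, False, mechanism, notice_version, now)

    def current_consents(self, principal_id):
        """Purposes the principal currently consents to (latest event per purpose wins)."""
        state = {}
        for event in self._events:            # events are appended in chronological order
            if event.principal_id == principal_id:
                state[event.purpose] = event.granted
        return {purpose for purpose, granted in state.items() if granted}

    def evidence(self, principal_id, purpose):
        """Full history for one principal and purpose: audit evidence or a Section 11 reply."""
        return [e for e in self._events
                if e.principal_id == principal_id and e.purpose == purpose]


def demo_ledger():
    """Constructed walk-through: grant two purposes via a banner, withdraw one in settings."""
    ledger = ConsentLedger({"order_updates", "marketing_email", "product_analytics"})
    t0 = datetime(2026, 2, 7, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("principal-001", ["order_updates", "marketing_email"],
                          affirmative=True, mechanism="web-banner-v3",
                          notice_version="2026-02", now=t0)
    ledger.withdraw("principal-001", ["marketing_email"], mechanism="account-settings",
                    notice_version="2026-02", now=t0.replace(hour=10))
    return ledger
```

Keeping the ledger append-only matters more than it looks: the withdrawal does not overwrite the grant, so you can later show both that consent existed for a marketing email sent at 09:30 and that it no longer existed at 10:00.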

Step 8: Implement Security Safeguards

DPDP Act Reference: Section 8(4), DPDP Rules 2025 | Time Estimate: 2-4 weeks (depends on current security posture) | Owner: IT / Engineering / Security

Section 8(4) requires "reasonable security safeguards." The DPDP Rules 2025 converted this into specific technical requirements:

  1. Encryption, obfuscation, masking, or virtual tokenisation of personal data
  2. Access controls on all computer resources processing personal data
  3. Logging and monitoring of data access activity
  4. Retention of access logs for at least one year
  5. Backup and business continuity systems that are tested and verified

A practical implementation roadmap:

Safeguard | If You Already Have It | If You Need To Build It
--------- | ---------------------- | -----------------------
Encryption at rest | Verify it covers all personal data stores, including backups | Implement database-level encryption; enable S3/Blob encryption for file storage
Encryption in transit | Verify TLS 1.2+ on all endpoints handling personal data | Upgrade certificates; enforce HTTPS across all services
Access controls | Audit who has access; apply least-privilege principle | Implement RBAC; remove overly broad admin access
Activity logging | Verify logs capture personal data access events | Instrument data access layers; route logs to a centralised system
Log retention | Check current retention; extend to 1 year minimum | Configure log rotation and archival policies
Backup verification | Test a restore procedure | Implement automated backup testing; document recovery procedures

This step carries the highest penalty exposure under the Act: ₹250 crore for a failure that results in a personal data breach.

Output: A security implementation report documenting what safeguards are in place, what was added or updated, and evidence of testing.
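An added example of the "instrument data access layers" row, not code from the original post: a small access layer that applies a least-privilege role matrix, masks personal data in error messages, writes a pseudonymised access-log entry for every attempt (allowed or denied), and refuses to rotate out log entries younger than the one-year minimum. The roles, permissions, sample customer record and timestamps are constructed; the one-year figure is the retention requirement quoted in the list above.

```python
"""Personal-data access layer: role checks, pseudonymised access log, one-year retention."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_RETENTION = timedelta(days=365)   # DPDP Rules 2025: keep access logs at least one year

# Constructed least-privilege matrix: each role gets only what its job needs
ROLE_PERMISSIONS = {
    "support": {"customer.read"},
    "billing": {"customer.read", "payment.read"},
    "admin": {"customer.read", "payment.read", "customer.delete"},
}
PAYMENT_FIELDS = {"card_last4", "upi_id"}


def pseudonym(principal_id):
    """Stable, non-reversible token so the log itself carries no raw identity."""
    return hashlib.sha256(principal_id.encode()).hexdigest()[:16]


def mask(value):
    """Keep only the last two characters, for error messages and tickets."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


@dataclass(frozen=True)
class AccessEntry:
    timestamp: datetime
    actor: str
    role: str
    action: str
    principal: str    # pseudonym, never the raw identifier
    allowed: bool

    def purge_after(self):
        return self.timestamp + LOG_RETENTION


class AccessLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, role, action, principal_id, allowed, now):
        self.entries.append(
            AccessEntry(now, actor, role, action, pseudonym(principal_id), allowed))

    def purgeable(self, now):
        """Entries past the one-year minimum; anything younger must not be rotated out."""
        return [e for e in self.entries if e.purge_after() <= now]


def authorized(role, action):
    return action in ROLE_PERMISSIONS.get(role, set())


def read_customer(actor, role, record, log, now=None):
    """Return the fields this role may see; log every attempt, allowed or denied."""
    now = now or datetime.now(timezone.utc)
    if not authorized(role, "customer.read"):
        log.record(actor, role, "customer.read", record["id"], False, now)
        raise PermissionError(f"{role} may not read customer {mask(record['email'])}")
    log.record(actor, role, "customer.read", record["id"], True, now)
    view = {k: v for k, v in record.items() if k not in PAYMENT_FIELDS}
    if authorized(role, "payment.read"):
        log.record(actor, role, "payment.read", record["id"], True, now)
        view.update({k: record[k] for k in PAYMENT_FIELDS if k in record})
    return view


# Constructed sample record and timestamp
SAMPLE_CUSTOMER = {"id": "cust-42", "email": "asha@example.in",
                   "phone": "9800000000", "card_last4": "1234"}
SAMPLE_TIME = datetime(2026, 2, 7, tzinfo=timezone.utc)


def demo_access():
    """Two permitted reads, one denied read, then the retention check a year later."""
    log = AccessLog()
    support_view = read_customer("ravi", "support", SAMPLE_CUSTOMER, log, now=SAMPLE_TIME)
    billing_view = read_customer("meena", "billing", SAMPLE_CUSTOMER, log, now=SAMPLE_TIME)
    try:
        read_customer("guest", "intern", SAMPLE_CUSTOMER, log, now=SAMPLE_TIME)
        denied = False
    except PermissionError:
        denied = True
    return {
        "support_view": support_view,
        "billing_view": billing_view,
        "denied": denied,
        "log": log,
        "purgeable_day_364": len(log.purgeable(SAMPLE_TIME + timedelta(days=364))),
        "purgeable_day_365": len(log.purgeable(SAMPLE_TIME + timedelta(days=365))),
    }
```

Two design points worth copying: denied attempts are logged as well as allowed ones, because a burst of denials from one actor is exactly what the monitoring row above is meant to surface, and the log stores a pseudonym rather than the customer id, so the log itself is not a second copy of the personal data it protects.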

Step 9: Build Data Principal Rights Infrastructure

DPDP Act Reference: Sections 11-14, DPDP Rules 2025 | Time Estimate: 2-3 weeks | Owner: Product / Engineering

Data Principals have four rights under the Act, and you need operational infrastructure for each:

  1. Right to Access (Section 11): A mechanism for Data Principals to request a summary of their data and who it has been shared with.
  2. Right to Correction and Erasure (Section 12): Workflows to correct, complete, update, or erase personal data across all systems, including downstream processors.
  3. Right to Grievance Redressal (Section 13): A designated grievance officer and an accessible complaint mechanism.
  4. Right to Nominate (Section 14): A way for Data Principals to register a nominee for death or incapacity scenarios.

The DPDP Rules 2025 set a 90-day response deadline for all requests. Your system needs to track request receipt, assign responsibility, manage the response workflow, and log the outcome.

At minimum, you need:

  • A public-facing intake form or portal where Data Principals can submit requests
  • An internal workflow that routes requests to the correct team
  • Deadline tracking with escalation alerts
  • An audit trail for every request (received, processed, responded, closed)

Output: A functional DSR (Data Subject Request) portal or process, with intake, routing, tracking, and logging capabilities.
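The routing, deadline tracking and audit trail from the list above, as an added example (not code from the original post): each request is routed to an owning team by the right it exercises, carries a deadline computed from the 90-day window the post cites, accumulates a history entry on every status change, and is surfaced by an escalation sweep as it approaches or passes its deadline. The routing table, the escalation thresholds, and the request data are constructed assumptions.

```python
"""Data Principal request (DSR) tracker: routing, 90-day deadline, escalation, audit trail."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW = timedelta(days=90)   # response deadline attributed to the DPDP Rules 2025

# Constructed: which team owns which right (Sections 11-14)
ROUTING = {"access": "support", "correction": "support",
           "erasure": "engineering", "nomination": "legal"}

# Constructed escalation levels: (days left at or below, label), most severe first
ESCALATION = [(0, "overdue"), (7, "urgent"), (30, "warning")]

OPEN_STATES = {"received", "in_progress"}
CLOSED_STATES = {"responded", "closed"}


@dataclass
class DSR:
    request_id: str
    principal_id: str
    right: str
    received: date
    owner: str
    status: str = "received"
    history: list = field(default_factory=list)   # audit trail: (date, status, note)

    @property
    def deadline(self):
        return self.received + RESPONSE_WINDOW

    def days_left(self, today):
        return (self.deadline - today).days


class DSRQueue:
    def __init__(self):
        self._requests = {}

    def open(self, request_id, principal_id, right, received):
        """Intake: validate the right, route to the owning team, start the audit trail."""
        if right not in ROUTING:
            raise ValueError(f"unknown right: {right}")
        req = DSR(request_id, principal_id, right, received, ROUTING[right])
        req.history.append((received, "received", f"routed to {req.owner}"))
        self._requests[request_id] = req
        return req

    def transition(self, request_id, status, today, note=""):
        if status not in OPEN_STATES | CLOSED_STATES:
            raise ValueError(f"unknown status: {status}")
        req = self._requests[request_id]
        req.status = status
        req.history.append((today, status, note))
        return req

    def escalations(self, today):
        """(request_id, owner, days_left, level) for every open request inside a threshold."""
        alerts = []
        for req in self._requests.values():
            if req.status not in OPEN_STATES:
                continue
            left = req.days_left(today)
            for limit, label in ESCALATION:
                if left <= limit:
                    alerts.append((req.request_id, req.owner, left, label))
                    break
        return alerts

    def get(self, request_id):
        return self._requests[request_id]


def demo_timeline():
    """Constructed walk-through: one erasure request left open, one access request closed."""
    q = DSRQueue()
    q.open("DSR-001", "principal-007", "erasure", date(2026, 3, 1))
    q.open("DSR-002", "principal-008", "access", date(2026, 3, 1))
    q.transition("DSR-002", "closed", date(2026, 3, 10), "data summary sent")
    checkpoints = {"apr-01": date(2026, 4, 1), "may-01": date(2026, 5, 1),
                   "may-25": date(2026, 5, 25), "may-31": date(2026, 5, 31)}
    return q, {name: q.escalations(day) for name, day in checkpoints.items()}
```

Run the escalation sweep from a daily job and feed the result to whatever alerting you already have; the monthly review in Step 15 is then a query over `history`, not a hunt through inboxes.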

Step 10: Review and Update All Processor Contracts

DPDP Act Reference: Section 8(2) | Time Estimate: 2-4 weeks (depending on number of vendors) | Owner: Legal / Procurement

Section 8(2) makes it a statutory requirement to have a valid contract with every Data Processor. You remain liable for their handling of personal data regardless of what the contract says.

Pull your data flow map from Step 3. Every entity that processes personal data on your behalf needs a Data Processing Agreement (DPA) that includes:

  • The scope and purpose of processing
  • Types of personal data processed
  • Duration of processing
  • Obligations regarding security safeguards (matching your own under Section 8(4))
  • Sub-processing restrictions or approval mechanisms
  • Breach notification obligations (the processor must notify you without unreasonable delay so you can meet the 72-hour window)
  • Data return or deletion procedures upon contract termination
  • Audit rights

Start with your highest-risk processors: cloud hosting, payment gateways, CRM systems, analytics platforms, email service providers. Then work through the rest of your vendor list.

Output: Updated DPAs with all Data Processors, signed and stored in your compliance records.

Phase 3: Operations (Ongoing from Week 8)

Step 11: Establish Your Breach Response Plan

DPDP Act Reference: Section 8(6), DPDP Rules 2025 | Time Estimate: 1-2 weeks to draft and tabletop-test; ongoing maintenance | Owner: Security + Compliance Lead

The DPDP Rules 2025 specify a 72-hour window to notify the Data Protection Board of India after identifying a personal data breach. That clock starts at identification, not at assessment completion.

Your breach response plan needs:

  • Detection protocols: How will you know a breach has occurred? Automated alerting, log monitoring, third-party notifications.
  • Classification criteria: What qualifies as a personal data breach under the Act? Not every security incident triggers the notification obligation.
  • Response team: Named individuals with defined roles. The plan must work at 2 AM on a Saturday.
  • Notification templates: Pre-drafted templates for the DPBI notification and for Data Principal notifications. Under pressure, you do not want to be drafting legal language from scratch.
  • Communication protocols: Who contacts the Board? Who communicates with affected individuals? Who handles media inquiries?
  • Post-incident review: Document what happened, what was done, and what will change to prevent recurrence.

Run a tabletop exercise. Pick a realistic scenario (ransomware encrypting your customer database, a vendor reporting unauthorised access, an employee downloading a contact list) and walk your team through each step. Time the response. Identify bottlenecks. Fix them before a real incident forces the issue.

Output: A documented breach response plan, tested through at least one tabletop exercise, with named personnel and pre-drafted templates.

Step 12: Implement Data Retention and Deletion Policies

DPDP Act Reference: Section 8(7), DPDP Rules 2025 | Time Estimate: 1-2 weeks to define policies; 2-4 weeks to implement automated deletion | Owner: Legal + Engineering

Section 8(7) requires data erasure once the purpose for which it was collected has been fulfilled. The DPDP Rules 2025 add a specific provision: for certain data categories, if a Data Principal has not approached the Data Fiduciary for a specified period, the data must be erased after providing a 48-hour notice.

You cannot retain customer data indefinitely on the theory that you "might need it someday." Every record needs a defensible retention period tied to a specific purpose.

Here is the framework I use:

Data Category | Purpose | Retention Period | Legal Basis for Retention | Deletion Mechanism
------------- | ------- | ---------------- | ------------------------- | ------------------
Customer purchase records | Order fulfilment, returns | Duration of customer relationship + statutory requirement (e.g., GST records: 6 years) | Legal compliance (Section 7(e)) | Automated deletion after retention period
Marketing consent records | Proof of consent | Duration of consent + 3 years post-withdrawal | Accountability under Section 8 | Manual review trigger
Employee payroll data | Salary processing, tax compliance | Employment duration + statutory period (Income Tax: 6-8 years) | Employment purposes (Section 7(b)), Legal compliance | Automated archival and deletion
Website analytics | Traffic analysis | 14-26 months (based on consent and analytics platform) | Consent (Section 6) | Platform-level auto-deletion settings
Support ticket data | Issue resolution | 2 years post-resolution (unless ongoing dispute) | Consent or legitimate use | Automated deletion with exception handling

Implement automated deletion where possible. Manual deletion processes fail at scale: someone forgets, someone leaves the company, the spreadsheet gets lost.

Output: A data retention schedule covering every data category, with defined retention periods, legal justifications, and automated or manual deletion mechanisms.
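The automated sweep that output implies, as an added example (not code from the original post): a retention schedule where each rule names the record field its clock runs from, the period, an optional hold flag for the "unless ongoing dispute" exception, and an optional notice period for the 48-hour rule described above. The evaluator returns one of four actions per record so deletions, holds and notices can be dispatched separately. The periods are modelled on the table above; the three-year inactivity period stands in for the "specified period" the post mentions and is an assumption, as are all the sample records.

```python
"""Retention schedule evaluator with dispute holds and the 48-hour erasure notice."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    anchor: str                      # record field the retention clock runs from
    period: timedelta                # how long after the anchor the data is kept
    hold_if: Optional[str] = None    # record flag that pauses deletion (e.g. open dispute)
    notice_hours: int = 0            # 48 for the inactivity rule: notify, then erase


# Constructed schedule modelled on the retention table above
SCHEDULE = {
    "support_ticket": RetentionRule("resolved_at", timedelta(days=730), hold_if="dispute_open"),
    "purchase_record": RetentionRule("relationship_ended_at", timedelta(days=6 * 365)),
    "inactive_account": RetentionRule("last_interaction_at", timedelta(days=3 * 365),
                                      notice_hours=48),   # assumed inactivity period
}


def evaluate(record, now):
    """Return the action due for one record: retain, hold, send_notice or delete."""
    rule = SCHEDULE[record["category"]]
    anchor = record.get(rule.anchor)
    if anchor is None:
        return "retain"                      # clock has not started (relationship ongoing)
    if now < anchor + rule.period:
        return "retain"
    if rule.hold_if and record.get(rule.hold_if):
        return "hold"                        # exception: keep until the dispute closes
    if rule.notice_hours:
        sent = record.get("notice_sent_at")
        if sent is None:
            return "send_notice"             # start the 48-hour notice to the Data Principal
        if now < sent + timedelta(hours=rule.notice_hours):
            return "retain"                  # notice period still running
    return "delete"


def run_sweep(records, now):
    """Group record ids by action so deletion jobs and notices run as separate steps."""
    plan = {"retain": [], "hold": [], "send_notice": [], "delete": []}
    for rec in records:
        plan[evaluate(rec, now)].append(rec["id"])
    return plan


# Constructed sample records and sweep time
NOW = datetime(2026, 2, 7, 12, 0, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_RECORDS = [
    {"id": "t1", "category": "support_ticket", "resolved_at": datetime(2023, 1, 1, tzinfo=UTC),
     "dispute_open": False},
    {"id": "t2", "category": "support_ticket", "resolved_at": datetime(2023, 1, 1, tzinfo=UTC),
     "dispute_open": True},
    {"id": "t3", "category": "support_ticket", "resolved_at": datetime(2025, 6, 1, tzinfo=UTC),
     "dispute_open": False},
    {"id": "p1", "category": "purchase_record", "relationship_ended_at": None},
    {"id": "a1", "category": "inactive_account",
     "last_interaction_at": datetime(2022, 1, 1, tzinfo=UTC)},
    {"id": "a2", "category": "inactive_account",
     "last_interaction_at": datetime(2022, 1, 1, tzinfo=UTC),
     "notice_sent_at": NOW - timedelta(hours=1)},
    {"id": "a3", "category": "inactive_account",
     "last_interaction_at": datetime(2022, 1, 1, tzinfo=UTC),
     "notice_sent_at": NOW - timedelta(hours=49)},
]

if __name__ == "__main__":
    for action, ids in run_sweep(SAMPLE_RECORDS, NOW).items():
        print(f"{action}: {ids}")
```

The point of returning a plan rather than deleting inline is the Step 15 check "are deletion mechanisms actually running?": the sweep output is logged each run, so a category that never reaches the delete bucket is visible in the quarterly review.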

Step 13: Assess Whether You Are (or Will Be) a Significant Data Fiduciary

DPDP Act Reference: Section 10 | Time Estimate: 1-2 days | Owner: Compliance Lead

As of February 2026, the Central Government has not published the criteria for designating Significant Data Fiduciaries (SDFs). However, Section 10(1) identifies the factors: volume and sensitivity of data processed, risk to Data Principals' rights, potential impact on sovereignty and security, and risk to electoral democracy.

If your organisation processes data at significant scale (millions of Data Principals, high-sensitivity categories, cross-border transfers), you should plan for SDF designation. SDFs face four additional obligations:

  1. Appoint a Data Protection Officer based in India
  2. Appoint an independent data auditor
  3. Conduct periodic Data Protection Impact Assessments
  4. Submit to periodic compliance audits

Even if you are not designated as an SDF, implementing a DPIA for your highest-risk processing activities is good practice. It forces you to identify risks before they become breaches.

Output: A self-assessment of SDF likelihood, and (if applicable) a plan for meeting the additional SDF obligations.

Step 14: Train Your Team

DPDP Act Reference: Practical requirement under Section 8 | Time Estimate: 2-3 days for initial training; quarterly refreshers | Owner: HR + Compliance Lead

Compliance infrastructure is only as strong as the people operating it. A consent mechanism that nobody understands is a consent mechanism that fails.

Training should cover three tiers:

Tier 1: All employees (1-hour session)

  • What is personal data under the DPDP Act
  • What they should and should not do with customer or employee data
  • How to recognise a potential data breach and whom to notify

Tier 2: Customer-facing and data-handling roles (half-day session)

  • How consent works and what "free, specific, informed" means in their daily context
  • How to handle Data Principal requests (access, correction, erasure)
  • Common mistakes and scenarios specific to their role

Tier 3: IT, Security, and Compliance teams (full-day workshop)

  • Technical security safeguards under the DPDP Rules 2025
  • Breach detection, classification, and response procedures
  • DPA management and processor oversight
  • Record-keeping requirements for audit readiness

Document every training session: who attended, what was covered, when it happened. This record is evidence of good faith compliance if the Data Protection Board ever reviews your practices.

Output: Completed training across all three tiers, with attendance records and training materials stored in your compliance documentation.

Step 15: Establish a Compliance Review Cycle

DPDP Act Reference: Ongoing accountability under the Act | Time Estimate: 1 day per quarter for review; 1 week annually for full audit | Owner: Compliance Lead

Compliance is not a state you achieve once. It is a process you maintain. Your data inventory will change as you add products. Your vendor list will change as you switch tools. Your consent mechanisms will need updates as the Rules evolve.

Here is the review cadence I recommend:

Monthly:

  • Review pending DSR requests and response times
  • Check consent collection rates and withdrawal patterns
  • Review security alerting and logging dashboards

Quarterly:

  • Update data inventory and flow maps for new systems, products, or integrations
  • Review and update vendor DPA status
  • Conduct one tabletop breach exercise
  • Review training completion rates for new hires

Annually:

  • Full compliance audit against the DPDP Act 2023 obligations
  • Data Protection Impact Assessment refresh (especially if you are or expect to be an SDF)
  • Privacy notice review and update
  • Retention schedule validation: are deletion mechanisms actually running?

Output: A documented compliance review calendar with assigned owners and completion tracking.

How Long Does DPDP Compliance Take? Manual vs. Automated

The timeline estimates above assume a mix of manual and tool-assisted work. Here is how the two approaches compare for a 50-person company:

Activity | Manual Approach | With Compliance Platform | Time Saved
-------- | --------------- | ------------------------ | ----------
Data inventory and mapping | 2-3 weeks (spreadsheets, interviews) | 3-5 days (automated discovery + guided questionnaire) | 60-70%
Privacy notice drafting | 1-2 weeks (legal drafting, translation) | 1-2 days (template-based generation in 22 languages) | 80%
Consent mechanism implementation | 2-3 weeks (custom development) | 1-2 days (drop-in widget with configuration) | 85%
DSR portal setup | 2-3 weeks (custom build) | Same day (pre-built portal with workflow) | 90%
Breach notification templates | 3-5 days (legal drafting) | Pre-built, configurable templates | 80%
Ongoing compliance monitoring | 2-3 days/month (manual checks) | Automated dashboards with alerts | 70%
Total Phase 1-2 timeline | 12-16 weeks | 3-4 weeks | ~75%

The manual approach works. Thousands of companies will do it that way. The trade-off is time and internal bandwidth, both of which are scarce at a growing SMB.

Frequently Asked Questions

How long does DPDP compliance take for a small business?

For a company with 20 to 50 employees, expect 12 to 16 weeks for the foundation and implementation phases (Steps 1-10) using a manual approach. With a compliance platform that automates consent management, privacy notices, and DSR workflows, this compresses to roughly 3 to 4 weeks. Phase 3 (operations) is ongoing: plan for quarterly reviews and annual audits as a permanent part of your operating rhythm.

Do I need a Data Protection Officer for DPDP compliance?

Only Significant Data Fiduciaries (SDFs) designated by the Central Government are required to appoint a DPO under Section 10(2)(a) of the DPDP Act 2023. As of February 2026, no SDF designations have been published. Ordinary Data Fiduciaries must designate a person to handle Data Principal grievances under Section 13 but are not required to appoint a formal DPO. That said, assigning a compliance lead internally is a practical necessity for any company running through this checklist.

What is the penalty for not complying with the DPDP Act by May 2027?

The DPDP Act 2023 specifies maximum penalties per violation: ₹250 crore for security failures leading to a breach, ₹200 crore for failing to notify the Data Protection Board and affected individuals, ₹200 crore for children's data violations, ₹150 crore for SDF-specific failures, and ₹50 crore for other obligation breaches (consent, notice, retention, accuracy). These are per-violation ceilings, not annual caps. The Data Protection Board has discretion to set the actual penalty based on severity, duration, and mitigating factors.

Can I use my existing GDPR compliance program for DPDP?

GDPR compliance provides a strong foundation, but it is not sufficient. Key gaps you will need to address: the DPDP Act does not recognise "legitimate interest" as a processing basis, the age threshold for children's data is 18 (not 16), breach notification goes to the DPBI (not a supervisory authority) within 72 hours, and the DPDP Rules 2025 specify distinct security safeguard requirements. Start with a gap analysis (Step 5 in this checklist) comparing your GDPR program against each DPDP obligation.

What should I prioritise if I only have three months before the deadline?

If time is short, prioritise in this order: (1) data inventory and flow mapping (Steps 2-3), because everything else depends on knowing what data you hold; (2) security safeguards (Step 8), because this carries the highest penalty at ₹250 crore; (3) consent mechanism (Step 7), because this is the most visible compliance obligation; (4) breach response plan (Step 11), because the 72-hour clock does not wait for you to get organised. The remaining steps reduce risk further but these four cover the highest-penalty areas first.

Simplify Your DPDP Compliance

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

Running through 15 steps with spreadsheets, custom code, and manual vendor outreach is possible, but it drains months of engineering and legal bandwidth from teams that have a product to build. ComplyZero's self-serve platform compresses this timeline: automated consent management, privacy notices in 22 Indian languages, a built-in DSR portal, and audit-ready compliance records, all designed for Indian businesses that need to get compliant without hiring a consultancy.
