Law in Force — Act Now

India's DPDP Act Is Enforced Now.
Is Your Business Ready?

The Digital Personal Data Protection Act 2023 carries penalties of up to ₹250 crore per violation. Most Indian businesses are not compliant. Download our free checklist and find out exactly what you need to do.

₹250 Cr

Max Penalty Per Violation

Compliance Categories

Specific Action Items

Free

No Credit Card Needed

What the checklist covers

40 specific, actionable items across every major requirement of the DPDP Act. Written for business owners and compliance teams — not lawyers.

Consent Mechanisms 4 items
Data Mapping & Inventory 4 items
Privacy Notice Requirements 4 items
Grievance Officer Appointment 4 items
Data Breach Response Protocol 4 items
Cross-Border Transfer Controls 4 items
Children's Data Policy 4 items
Retention Schedules 4 items
Vendor & Processor Agreements 4 items
Security Safeguards 4 items

Get your free checklist instantly

Fill in your details below. The full checklist appears on screen immediately — no email wait.

Your Name *

Work Email *

Company Name *

No spam. Your data is used only to send you the checklist.

The risk is real.

Under the DPDP Act, the Data Protection Board of India can impose penalties up to ₹250 crore for significant data breaches and up to ₹50 crore for failures like missing consent mechanisms or inadequate security. Non-compliant businesses face not just fines, but mandatory audits and public disclosure.

You're all set!

Your checklist is below. Bookmark this page or use your browser's Print function (Ctrl+P / Cmd+P) to save a PDF copy.

iSocialize Technologies · Mumbai

DPDP Act 2023 Compliance Checklist

40 specific action items across 10 compliance categories

How to use this checklist: Check off each item as you implement it. Items marked with a red dot require legal or technical expertise — consider engaging a specialist for those.

Category 01

Consent Mechanisms

Add a granular consent checkbox on every web form that collects personal data — consent must be separate from your T&C acceptance. Store consent records with timestamp, IP address, form URL, and the exact consent text shown at time of collection. Provide a clearly visible, easy-to-use mechanism to withdraw consent — it must be as easy as giving consent was. Ensure that withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and communicate this to users.

Category 02

Data Mapping & Inventory

Create a data inventory spreadsheet listing every category of personal data you collect (name, email, phone, location, financial, health, etc.). Document the purpose of collection for each data category — "marketing" is not sufficient; be specific (e.g., "send transactional order confirmations"). Map data flows: where data enters your systems, where it is stored, who has access, and where it goes (third parties, cloud regions). Identify and tag all systems that process "sensitive personal data" (financial, health, biometric, religious belief, political views) for elevated controls.

Category 03

Privacy Notice Requirements

Publish a Privacy Notice that is written in plain language — it must be available in all languages listed in the Eighth Schedule of the Constitution of India if requested. The notice must clearly state: what data is collected, the purpose, who it is shared with, the retention period, and how to exercise data principal rights. Link your Privacy Notice prominently at every point of data collection (forms, app sign-up, checkout) — not just in the website footer. Review and update your Privacy Notice whenever processing activities change — date-stamp each version and keep prior versions archived.

Category 04

Grievance Officer Appointment

Formally appoint a Grievance Officer (can be an existing employee) with a written appointment letter defining their responsibilities under the DPDP Act. Publish the Grievance Officer's name and contact details (at minimum: email address) on your website and Privacy Notice. Establish a documented process for receiving, acknowledging (within 48 hours), and resolving data principal complaints (target: within 30 days). Maintain a register of all grievances received, actions taken, and resolution dates — this forms your compliance audit trail.

Category 05

Data Breach Response Protocol

Draft and test a written Data Breach Response Plan — who is notified first, what is their role, what decisions can they make without escalation. Define your breach notification trigger: the DPDP Act requires notification to the Data Protection Board and affected individuals without undue delay. Maintain a breach log even for minor incidents (suspected breaches, near-misses) — regulators look for a culture of reporting, not just major incidents. Conduct a tabletop breach simulation at least once per year — walk your team through a scenario and identify gaps in your response plan.

Category 06

Cross-Border Transfer Controls

Identify all third-party tools and services that transfer personal data outside India (e.g., AWS us-east-1, US-based CRMs, analytics platforms). Check whether each destination country is on the Government of India's approved list of countries for data transfer — monitor for updates. For transfers to non-approved countries, implement contractual safeguards (standard contractual clauses) and document the legal basis. Review your cloud infrastructure: choose India-region endpoints where available; if not, document the business justification for cross-border transfer.

Category 07

Children's Data Policy

Determine whether your product or service is likely to be accessed by children (under 18) — if yes, additional obligations apply. Implement an age verification mechanism at the point of registration or data collection to identify minors. Obtain verifiable parental consent before processing any personal data of a child — document the consent method used. Prohibit any behavioural monitoring or targeted advertising directed at children, and configure your ad platforms accordingly.

Category 08

Data Retention Schedules

Define a retention period for every data category in your inventory — retention must be limited to what is necessary for the stated purpose. Implement automated deletion or anonymisation workflows triggered at the end of the retention period — manual processes are error-prone. Document the legal or business basis for each retention period (e.g., GST records: 8 years per law; lead data: 2 years from last interaction). Review and enforce retention for backups and archives — data in cold storage is still subject to DPDP obligations.

Category 09

Vendor & Data Processor Agreements

Identify all third-party vendors who process personal data on your behalf (cloud providers, payment gateways, HR software, email platforms, analytics). Execute a Data Processing Agreement (DPA) with each vendor — it must specify purpose limitation, security obligations, sub-processor rules, and deletion requirements. Require vendors to notify you within 72 hours of any breach involving your data — include this as a contractual obligation. Periodically audit or request security certifications (ISO 27001, SOC 2) from critical data processors — keep copies on file.

Category 10

Security Safeguards

Enforce encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2+) for all systems storing personal data. Implement role-based access controls (RBAC): employees should only access personal data necessary for their role — review and audit access quarterly. Enable multi-factor authentication (MFA) on all systems that store or process personal data, especially admin panels and cloud consoles. Conduct a vulnerability assessment and penetration test (VAPT) at least annually — remediate critical and high findings within 30 days.

Prepared by iSocialize Technologies, Mumbai. This checklist is provided for informational purposes and reflects the key obligations under the Digital Personal Data Protection Act, 2023 as understood at time of publication. It is not legal advice. Engage a qualified legal or compliance professional for your specific situation.

Need help implementing these controls? We offer DPDP compliance consulting, privacy policy drafting, and technical implementation. Talk to us →

Book a Compliance Review

About iSocialize Technologies

We are a Mumbai-based software development and cybersecurity firm helping Indian businesses build compliant, secure digital products. We've supported fintech, healthtech, and e-commerce companies with DPDP readiness assessments, technical controls, and policy documentation.

Get in touch

India's DPDP Act Is Enforced Now.Is Your Business Ready?