Overview of the Digital Personal Data Protection Act 2023
The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023 and represents India's first comprehensive personal data protection legislation. The Act repeals section 43A of the Information Technology Act 2000 and supersedes the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. The DPDP Act regulates the processing of digital personal data within India, and also has extra-territorial application to the processing of personal data outside India where such processing is in connection with any activity related to offering goods or services to Data Principals within India.
The DPDP Act is structured around three principal actors: the Data Principal (the individual whose personal data is being processed), the Data Fiduciary (the entity that determines the purpose and means of processing), and the Data Processor (any entity that processes data on behalf of a Data Fiduciary). The obligations under the Act fall almost entirely on Data Fiduciaries. The Data Protection Board of India, established under section 18 of the Act, is the adjudicatory body with jurisdiction to impose penalties for breach of the Act.
The Act has been substantially notified but Rules thereunder are awaited as of March 2026. Companies must prepare their compliance frameworks on the basis of the Act itself, which is in force, while remaining alert to the Rules that will specify technical and procedural standards for consent management, grievance redressal, and breach notification.
Data Fiduciary Obligations
Every Data Fiduciary must comply with the following obligations under the DPDP Act regardless of the volume of data processed or the scale of operations.
Consent Notice and Consent Mechanism
Under section 6 of the DPDP Act, personal data may not be processed except with the free, specific, informed, unconditional, and unambiguous consent of the Data Principal, or in furtherance of certain legitimate uses enumerated in section 7 (such as performance of a contract, compliance with a legal obligation, protection of vital interests, or employment purposes). Prior to seeking consent, the Data Fiduciary must provide a consent notice in plain and clear language specifying: the personal data that will be collected; the purpose for which the personal data is proposed to be used; the manner in which the Data Principal may exercise rights under section 12; and the manner in which the Data Principal may make a complaint to the Data Protection Board. The consent notice must be made available in English and in any of the languages specified in the Eighth Schedule to the Constitution, as may be prescribed. Consent given for a specific purpose is not valid for a different purpose — a separate consent must be obtained for each distinct purpose of processing.
Legitimate Uses Without Consent
Section 7 of the DPDP Act permits processing of personal data without consent in prescribed legitimate use cases. These include: performance of a State function; compliance with any law or judgment of a court; medical emergency involving a threat to life; employment purposes (where the Data Principal is an employee or job applicant); or processing necessary for safeguarding public interest. Companies should map each processing activity to either a consent basis or a specific legitimate use under section 7 — a generic reliance on "legitimate interests" (a concept from GDPR) is not available under the DPDP Act.
Security Safeguards and Data Minimisation
Section 8(1) requires every Data Fiduciary to implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act. The specifics will be prescribed by Rules, but at a minimum companies should implement access controls, encryption of personal data at rest and in transit, data loss prevention mechanisms, and regular security audits. Section 8(3) imposes an obligation on the Data Fiduciary to take reasonable steps to ensure accuracy and completeness of personal data that may be used to make a decision affecting the Data Principal or disclosed to another Data Fiduciary. Section 8(4) requires erasure of personal data once the purpose for which it was collected is no longer served and retention is not necessary for legal compliance.
Significant Data Fiduciary Obligations
The Central Government is empowered under section 10 of the DPDP Act to notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, having regard to the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and potential impact on national security and public order. Significant Data Fiduciaries are subject to enhanced obligations that go substantially beyond those applicable to ordinary Data Fiduciaries.
A Significant Data Fiduciary must: appoint a Data Protection Officer (DPO), who is a senior management official and the point of contact for the Data Protection Board; appoint an independent data auditor to evaluate compliance with the Act; conduct periodic Data Protection Impact Assessments (DPIAs); and comply with such other measures as may be prescribed. The DPO must be based in India, must report to the board of directors, and must not be conflicted by operational or business development responsibilities that would compromise independent oversight of data protection compliance.
Cross-Border Data Transfer
Section 16 of the DPDP Act permits a Data Fiduciary to transfer personal data of a Data Principal to a country or territory outside India, except to countries or territories restricted by the Central Government by notification. This is a significant departure from the draft Personal Data Protection Bill 2019 framework, which required data localisation for sensitive personal data. Until the Central Government notifies restricted countries, transfers to any jurisdiction are technically permissible, but companies should document the basis for each cross-border transfer and implement contractual safeguards consistent with the jurisdiction of the receiving entity.
Children's Data Obligations
Section 9 of the DPDP Act imposes specific obligations in relation to the personal data of children (persons below the age of eighteen years). A Data Fiduciary must, before processing the personal data of a child, obtain verifiable consent from the parent or lawful guardian of the child. The Data Fiduciary must not undertake tracking or behavioural monitoring of children or conduct targeted advertising directed at children. The Central Government may, by Rules, specify a lower age threshold (not below thirteen years) for processing without parental consent for specific categories of Data Fiduciaries.
Personal Data Breach Notification
In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in such form and manner as may be prescribed. The obligation to notify is triggered by any breach of the security of processing that leads to accidental or unauthorised acquisition, sharing, use, alteration, destruction, or loss of access to personal data. There is no materiality threshold — the obligation to notify is not qualified by the likelihood of harm. Companies must therefore implement breach detection and escalation procedures that ensure the DPO is notified of any potential breach within a timeframe that permits a timely notification to the Board.
Data Principal Rights
The DPDP Act confers the following rights on Data Principals in respect of their personal data processed by a Data Fiduciary:
- Right of access (section 11): The Data Principal is entitled to obtain from the Data Fiduciary a summary of personal data being processed and the processing activities undertaken.
- Right to correction and erasure (section 12): The Data Principal may request correction or erasure of inaccurate, incomplete, misleading, or outdated personal data.
- Right of grievance redressal (section 13): The Data Principal is entitled to have grievances addressed by the Data Fiduciary, with a right to approach the Data Protection Board if the grievance is not resolved within a prescribed period.
- Right to nominate (section 14): The Data Principal may nominate another individual to exercise rights on their behalf in the event of death or incapacity.
Penalties Under the DPDP Act
The Schedule to the DPDP Act sets out a penalty framework based on the nature of the breach. A Data Fiduciary that fails to take reasonable security safeguards to prevent personal data breach is liable to a penalty of up to two hundred and fifty crore rupees (approximately USD 30 million). Failure to notify the Data Protection Board of a personal data breach attracts a penalty of up to two hundred crore rupees. Breach of obligations in relation to children's data attracts up to two hundred crore rupees. Breach of the obligation to provide a consent notice, and breach of any other provision of the Act, attract penalties of up to fifty crore rupees and ten thousand rupees respectively. These penalties are per breach — multiple breaches can result in cumulative liability that substantially exceeds the individual breach cap. Given this exposure, companies should work through the following compliance steps:
- Map all personal data processing activities across the organisation, identifying the category of data, the processing purpose, the legal basis, and the recipient of each category
- Update or draft new privacy notices for each touchpoint at which personal data is collected (website, app, employment contracts, vendor agreements)
- Implement a consent management platform that records the date, time, and scope of each consent obtained
- Build a process for responding to Data Principal access, correction, and erasure requests within the prescribed timescales
- Establish a data breach detection and response procedure, including escalation thresholds, DPO notification, Board notification, and Data Principal notification protocols
- Audit all third-party data processors (IT vendors, payroll providers, cloud service providers) to ensure data processing agreements are in place with appropriate security standards
- Assess whether the company is likely to be notified as a Significant Data Fiduciary and prepare for enhanced obligations including DPO appointment and DPIA programme
- Implement age-verification mechanisms for digital services that process personal data of children
- Conduct DPDP Act training for all employees who handle personal data, with refresher training upon publication of Rules
- Retain records of consent, processing activities, breach incidents, and Data Principal requests for the period prescribed by Rules