DPDP Compliance Checklist for Indian Businesses

The Digital Personal Data Protection Act, 2023 is about digital personal data. In plain terms, it covers data that can identify a person and is processed digitally, including offline information that is later digitised. DPDP readiness usually touches these areas:

• notice before or at the time of data collection;
• consent or another permitted basis for processing, depending on the facts;
• clear purpose for collecting personal data;
• data principal rights such as access, correction, erasure, grievance and withdrawal where applicable;
• reasonable security safeguards;
• breach response and reporting review;
• children and persons with disabilities data checks;
• vendor or data processor review;
• retention, deletion and access control records.

Website / App / HR / CRM / Vendor data
        ↓
List personal data fields
        ↓
Map purpose, storage, access and sharing
        ↓
Check notice, consent and grievance contact
        ↓
Prepare SOPs: request handling, deletion, breach response
        ↓
Review vendors and staff access
        ↓
Keep records and review when process changes

Write down the actual data fields. Do not write broad labels like "customer data". Write the field names. For example:

• name;
• mobile number;
• email ID;
• address;
• PAN or Aadhaar copy, if collected;
• payment details;
• employee bank details;
• student or patient records;
• documents uploaded through forms;
• IP address, cookies or device data, where applicable.

Then add four columns: purpose, storage place, access person and retention period. This one sheet becomes the base for your DPDP review.

Most businesses collect data from more places than they realise. Check these one by one:

Ask one direct question for every field: why do we need this?

• If a form only needs a callback, name and phone may be enough.
• If a service needs billing, address and GST details may be needed later, not at first enquiry.
• If KYC is required for a regulated process, collect it at the right stage and restrict access.
• If marketing messages are sent, check whether your consent language covers that use.

Collecting less data is often the cleanest compliance step.

Your privacy notice should not be a decorative page. It should match your real forms and workflow. At minimum, check whether it explains:

• what personal data is collected;
• why it is collected;
• how the user can contact the business;
• who may receive the data, such as vendors or service providers;
• how correction, withdrawal, grievance or deletion requests are handled, where applicable;
• how long data may be kept, at least at a policy level.

DPDP compliance is not only website text. Your team needs short process notes. Keep them simple.

1. Data request SOP: who receives user requests and how they are recorded.
2. Correction / deletion SOP: what the team checks before editing or deleting a record.
3. Retention SOP: how long leads, client files, employee records and vendor records are kept.
4. Breach SOP: who is informed first, how the incident is recorded and who checks reporting duties.
5. Vendor SOP: which vendors can access personal data and what clauses are needed.

• website and landing page URLs;
• screenshots or links of enquiry forms;
• current privacy policy and terms links;
• CRM or lead sheet field list;
• employee data form list;
• vendor and SaaS tool list;
• sample consent text used in forms;
• data storage details: drive, CRM, email, server, app backend;
• name and email of grievance/contact person;
• sample vendor agreement or service contract where data sharing happens.

Is DPDP compliance only for large companies?

No. A smaller business may have fewer documents, but if it collects digital personal data, it should still check notice, consent, access, vendor sharing and deletion practices.

Is a privacy policy enough?

No. A privacy policy is one document. DPDP readiness also needs data mapping, internal handling process, vendor review, request handling and breach response steps.

Do we need to stop collecting personal data?

No. The point is to collect data for a clear purpose, tell people what is being collected, restrict access, keep records and avoid unnecessary data collection.

Are there government fees for this checklist?

For advisory and documentation work, the expected government fee is usually nil unless a separate statutory process applies. Professional fees depend on the review scope.

• Create a data inventory sheet.
• Review every form and collection point.
• Update privacy notice and consent text.
• Name a grievance/contact person.
• Restrict access to CRM, sheets, drives and HR folders.
• Add vendor data clauses where personal data is shared.
• Prepare request, deletion, retention and breach response SOPs.
• Review the latest official DPDP Rules before final implementation.

If your team cannot answer where data is stored and who can access it, start there. That one fix makes the rest of the DPDP work much clearer.