DPDP Compliance Checklist 2026: Complete Step-by-Step Guide for Indian Businesses
A practical checklist covering all DPDP Act requirements — consent management, data principal rights, breach notification, security measures, and more. Updated for the May 2027 enforcement deadline.
The Digital Personal Data Protection Act, 2023 (DPDP Act) comes into full force on May 13, 2027. There is no grace period. Penalties reach up to Rs 250 Crore.
Whether you’re a startup or an enterprise, this checklist covers everything you need to do — in plain language, with specific actions.
Who Needs This Checklist?
Every business that processes digital personal data of individuals in India. This includes:
- E-commerce stores collecting names, addresses, payment details
- SaaS companies storing user accounts and usage data
- Mobile apps collecting device data, location, contacts
- Websites using analytics, advertising pixels, or cookies
- Service businesses maintaining customer databases
There are no small business exemptions for core DPDP obligations.
DPDP Compliance Checklist
1. Consent Management
| # | Requirement | Status |
|---|---|---|
| 1.1 | Obtain explicit, informed consent before processing any personal data | ☐ |
| 1.2 | Provide consent notice in clear, plain language | ☐ |
| 1.3 | Offer consent in 22 Indian languages (Schedule 8 of the Constitution) | ☐ |
| 1.4 | Collect separate consent per purpose — no bundled consent | ☐ |
| 1.5 | Implement easy consent withdrawal — as easy as giving consent | ☐ |
| 1.6 | No pre-checked boxes, implied consent, or cookie walls | ☐ |
| 1.7 | No conditional access — cannot gate website behind consent | ☐ |
| 1.8 | Maintain consent records for 7 years (auditable) | ☐ |
| 1.9 | Record timestamp, IP (pseudonymized), purpose, and categories per consent | ☐ |
Key difference from GDPR: DPDP does not recognize “legitimate interest” as a lawful basis. Consent is required for almost everything.
2. Privacy Notice
| # | Requirement | Status |
|---|---|---|
| 2.1 | Publish an accessible privacy policy on your website | ☐ |
| 2.2 | Include what personal data you collect | ☐ |
| 2.3 | State the purpose of processing for each data type | ☐ |
| 2.4 | Explain how users can withdraw consent | ☐ |
| 2.5 | List data principal rights (access, correction, erasure) | ☐ |
| 2.6 | Provide a complaint/grievance mechanism | ☐ |
| 2.7 | Include DPO/Grievance Officer contact details | ☐ |
| 2.8 | State data retention periods | ☐ |
| 2.9 | Disclose any cross-border data transfers | ☐ |
| 2.10 | Keep privacy policy separate from Terms of Service | ☐ |
3. Data Principal Rights
Under DPDP, individuals (“Data Principals”) have specific rights. You must respond within 7 days — not 30 like GDPR.
| # | Requirement | Status |
|---|---|---|
| 3.1 | Provide mechanism for data access requests (summary of data + who it’s shared with) | ☐ |
| 3.2 | Allow data correction requests (fix inaccurate/misleading data) | ☐ |
| 3.3 | Enable data erasure requests (delete when requested) | ☐ |
| 3.4 | Offer grievance redressal mechanism | ☐ |
| 3.5 | Respond to all rights requests within 7 days | ☐ |
| 3.6 | Track requests with SLA timers and audit trail | ☐ |
| 3.7 | Send auto-reminders as response deadline approaches | ☐ |
| 3.8 | Allow nomination (someone to act on behalf in case of death/incapacity) | ☐ |
4. Cookie & Tracker Compliance
| # | Requirement | Status |
|---|---|---|
| 4.1 | Install a consent management banner on all web properties | ☐ |
| 4.2 | Block non-essential cookies until explicit consent is given | ☐ |
| 4.3 | Provide a “Reject All” option alongside “Accept All” | ☐ |
| 4.4 | Classify cookies into categories: Essential, Analytics, Marketing, Preferences | ☐ |
| 4.5 | Implement Google Consent Mode v2 for analytics/ads | ☐ |
| 4.6 | Scan website for cookies/trackers monthly | ☐ |
| 4.7 | Maintain a cookie policy listing all cookies with their purpose and duration | ☐ |
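The following added example (not code from this page or from ZenoComply) shows how items 4.2 to 4.5 fit together in the browser: non-essential trackers stay blocked until the visitor chooses, Reject All is a real option, every script must carry one of the four categories, and the choice is pushed to Google Consent Mode v2. The script inventory `tags` is constructed for illustration; the `gtag`/`dataLayer` calls follow Google's documented consent API.

```javascript
// Added example (not from the original page): consent-gated tracker loading for
// items 4.2 to 4.5. Only applyConsent() touches the browser; the decisions are
// plain functions so they can be checked outside a browser.
const CATEGORIES = ['essential', 'analytics', 'marketing', 'preferences']; // item 4.4
// Item 4.2: until the visitor chooses, everything non-essential stays off.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, preferences: false };
}
function rejectAll() { return defaultConsent(); } // item 4.3: a real "Reject All"
function acceptAll() { return Object.fromEntries(CATEGORIES.map(c => [c, true])); }
// Item 4.5: map the four banner categories onto Google Consent Mode v2 signals.
function consentModeSignals(state) {
  const g = on => (on ? 'granted' : 'denied');
  return {
    security_storage: 'granted', // essential cookies, never gated
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
    functionality_storage: g(state.preferences),
    personalization_storage: g(state.preferences),
  };
}
// Item 4.2: a tracker loads only when its category has been consented to.
// `tags` is a constructed inventory of the site's scripts: [{ src, category }].
// An unclassified script is an error, not a silent load (item 4.4).
function allowedTags(tags, state) {
  return tags.filter(t => {
    if (!CATEGORIES.includes(t.category)) throw new Error(`unclassified tracker: ${t.src}`);
    return state[t.category] === true;
  });
}
// Browser side: push the Consent Mode signal and inject only the allowed scripts.
// Call with defaultConsent() and phase 'default' at page load, before any gtag
// config runs, then again with the banner choice and phase 'update'.
function applyConsent(state, tags, phase) {
  if (typeof window === 'undefined') return; // no-op outside a browser
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('consent', phase, consentModeSignals(state));
  for (const t of allowedTags(tags, state)) {
    if (document.querySelector(`script[src="${t.src}"]`)) continue; // inject once
    const s = document.createElement('script');
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
}
```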
5. Security Measures (Rule 6)
| # | Requirement | Status |
|---|---|---|
| 5.1 | AES-256 encryption (minimum) for data at rest | ☐ |
| 5.2 | TLS 1.2+ for data in transit | ☐ |
| 5.3 | Role-based access controls — authorized personnel only | ☐ |
| 5.4 | Real-time logging and monitoring | ☐ |
| 5.5 | Minimum 1-year log retention | ☐ |
| 5.6 | Key management policy documented | ☐ |
| 5.7 | Data remains unreadable even on unauthorized access | ☐ |
| 5.8 | Align security practices with IS/ISO/IEC 27001 | ☐ |
6. Breach Notification
| # | Requirement | Timeline | Status |
|---|---|---|---|
| 6.1 | Report cybersecurity incidents to CERT-In | 6 hours | ☐ |
| 6.2 | Notify Data Protection Board of India | Without undue delay | ☐ |
| 6.3 | Notify all affected individuals | Without undue delay | ☐ |
| 6.4 | Submit detailed report to DPBI (scope, root cause, impact, remediation) | 72 hours | ☐ |
| 6.5 | Maintain breach response plan with templates | Ongoing | ☐ |
| 6.6 | Document post-breach remediation actions | Ongoing | ☐ |
Key difference from GDPR: DPDP requires notification for ALL breaches, not just “high risk” ones.
7. Children’s Data (Under 18)
| # | Requirement | Status |
|---|---|---|
| 7.1 | Obtain verifiable parental consent for users under 18 | ☐ |
| 7.2 | No tracking, profiling, or behavioral monitoring of children | ☐ |
| 7.3 | No targeted advertising to children | ☐ |
| 7.4 | Implement age verification mechanisms | ☐ |
8. Vendor & Third-Party Management
| # | Requirement | Status |
|---|---|---|
| 8.1 | Audit all third-party data processors (Razorpay, Zoho, AWS, etc.) | ☐ |
| 8.2 | Execute Data Processing Agreements with all processors | ☐ |
| 8.3 | Verify processor security standards | ☐ |
| 8.4 | Conduct periodic reassessment of vendor compliance | ☐ |
9. Governance & Documentation
| # | Requirement | Status |
|---|---|---|
| 9.1 | Complete data mapping (what data, where stored, who accesses, why) | ☐ |
| 9.2 | Enforce purpose limitation — only process for stated purpose | ☐ |
| 9.3 | Implement data minimization — collect only what’s needed | ☐ |
| 9.4 | Set storage limitation — delete when purpose is fulfilled | ☐ |
| 9.5 | Appoint a Grievance Officer with published contact details | ☐ |
| 9.6 | Conduct employee DPDP training annually | ☐ |
| 9.7 | Generate monthly compliance reports | ☐ |
10. For Significant Data Fiduciaries Only
If your organization is classified as a Significant Data Fiduciary (SDF):
| # | Requirement | Status |
|---|---|---|
| 10.1 | Appoint a Data Protection Officer (DPO) | ☐ |
| 10.2 | Conduct annual Data Protection Impact Assessment (DPIA) | ☐ |
| 10.3 | Commission annual independent compliance audit | ☐ |
| 10.4 | Ensure algorithmic fairness if using AI on personal data | ☐ |
DPDP Penalties at a Glance
| Violation | Maximum Penalty |
|---|---|
| Security failure leading to breach | Rs 250 Crore |
| Failure to notify breach | Rs 200 Crore |
| Children’s data violations | Rs 200 Crore |
| SDF obligation violations | Rs 150 Crore |
| Any other violation | Rs 50 Crore |
Key Dates
- November 13, 2025 — DPDP Rules 2025 notified
- November 13, 2026 — Consent Manager registration opens
- May 13, 2027 — Full enforcement. Penalties from Day 1. No grace period.
How ZenoComply Helps
Instead of manually checking all 50+ items on this list, scan your website with ZenoComply to instantly check your cookie consent, privacy policy, security headers, tracker compliance, and data principal rights mechanisms.
Our free scanner gives you a compliance score (0-100) with specific, actionable recommendations to fix every gap — in under 60 seconds.
This checklist is based on the DPDP Act, 2023 and DPDP Rules, 2025 as published by MeitY. It is not legal advice. Consult a qualified legal professional for compliance decisions specific to your business.
Check your DPDP compliance now
Free scan. No signup. Results in 60 seconds.