India's Digital Personal Data Protection Act, 2023 (DPDP) sets out how organisations must handle the personal data of individuals in India. If you collect data from Indian users, whether customers, employees or leads, it applies to you. This is a plain-language starting point, not legal advice.
Where the law stands now
The DPDP Rules, 2025 were notified on 14 November 2025, so the law is now operational rather than waiting on rules. They take effect in phases: the Data Protection Board of India and the core definitions are live already; consent-manager provisions follow in November 2026; and the substantive compliance obligations, the ones most companies need to act on, apply from 13 May 2027. That gives you a fixed window to get ready rather than an open-ended "someday".
The obligations, in plain terms
- Lawful basis and consent. Process personal data on a clear, specific basis. Where you rely on consent, it must be free, informed, specific and revocable.
- Notice. Tell people what you collect, why, and how they can exercise their rights, in clear language.
- Purpose and data minimisation. Collect only what you need for the stated purpose, and keep it only as long as you need it.
- Data-principal rights. Be able to honour access, correction, completion, erasure and grievance-redressal requests.
- Security safeguards. Put reasonable technical and organisational measures in place to protect personal data.
- Breach response. Be ready to detect, contain and notify a personal-data breach as required.
- Children's data and sensitive contexts. Apply additional care where the law requires it.
- Processors and contracts. Bind the vendors that process data on your behalf with appropriate terms.
How this connects to the rest of your security
DPDP is not a standalone project. The same controls that get you through an ISO 27001 or SOC 2 assessment, such as access control, encryption, logging, vendor management and incident response, are most of what DPDP expects in practice. Build once, satisfy several.