A DPDP compliance checklist is the working list of obligations every Data Fiduciary must put in place under India’s Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025: lawful notice and consent, data principal rights, reasonable security safeguards, breach notification, retention and erasure, grievance redressal, and stricter duties if you are designated a Significant Data Fiduciary. The Rules were notified on 13 November 2025, which started an eighteen-month clock. Full compliance is expected by 13 May 2027. This guide gives you the complete list, tells you what to build now versus what can wait, and shows you how to measure where you stand today.

Who this DPDP compliance checklist is for

If you process the digital personal data of people in India, this applies to you. The DPDP Act reaches Indian companies and, under Section 3, foreign companies that process personal data in connection with offering goods or services to people in India. Your registration address does not get you out of it.

Three terms you will see throughout:

  • Data Fiduciary: the organisation that decides why and how personal data is processed. That is you.
  • Data Principal: the individual the data is about. Their rights are the spine of the law.
  • Data Processor: a vendor that processes data on your behalf, only under contract with you.

The obligations below sit with the Data Fiduciary. You can outsource the work to a processor, but you cannot outsource the accountability.

The deadline that actually matters

The Rules do not switch on all at once. The government built a staggered commencement so you can sequence the work. Here is what activates and when.

Phase | Effective from | What switches on
Immediate | 13 November 2025 | Definitions, the Data Protection Board of India, Board procedures and appointments (Rules 1, 2, 17 to 21)
One year | November 2026 | Consent Manager registration and obligations (Rule 4)
Eighteen months | 13 May 2027 | Notice standards, security safeguards, breach notification, retention and erasure, DPO or contact publication, children’s data, SDF duties, rights and grievance timelines, cross-border transfers (Rules 3, 5 to 16, 22, 23)

A note on the exact day: most advisers count the eighteen-month gate as 13 May 2027 from the 13 November 2025 notification, though a few cite 12 May 2027 depending on how the months are reckoned. The practical answer is the same. Build to be ready by mid-May 2027, and do not bank on a later date.

One thing to watch. In a January 2026 stakeholder consultation, MeitY reportedly discussed compressing the timeline. As of now there is no gazette notification shortening it, so eighteen months stands. But a regulator that floats acceleration is telling you something. Treat 2026 as your build year, not your buffer.

→ Related reading: The DPDP Act explained in plain English

The DPDP compliance checklist

This is the full list. Each item names the Rule or section it comes from so you can take it to your legal team without a treasure hunt.

1. Notice and consent (Sections 5 and 6, Rule 3)

  • Serve a standalone notice to every Data Principal at or before collection. It must be independent of your other terms, written in plain language, and available in English and the languages in the Eighth Schedule of the Constitution on request.
  • In the notice, give an itemised list of the personal data you collect, the specific purpose for each, and the goods or services it enables.
  • Make the notice carry a direct link or mechanism to withdraw consent, to exercise rights, and to complain to the Board.
  • Capture consent that is free, specific, informed, unconditional and unambiguous, given by clear affirmative action. Pre-ticked boxes and bundled consent do not count.
  • Make withdrawal as easy as giving consent, and stop the relevant processing once consent is withdrawn.
  • For data you collected before the Rules, send existing Data Principals a fresh notice as soon as reasonably practicable, so your legacy base rests on valid notice and consent.

2. Data principal rights (Sections 11 to 14)

Build the workflows to honour each of these, with identity verification and a clear service level:

  • Right to access: a summary of the personal data you hold and how it is processed.
  • Right to correction, completion and updating, and erasure where the purpose is served or consent is withdrawn.
  • Right to grievance redressal through a published, easy-to-find channel.
  • Right to nominate another person to exercise rights in case of death or incapacity.

3. Reasonable security safeguards (Rule 6)

  • Encryption, masking or tokenisation of personal data, at rest and in transit.
  • Role-based access controls and multi-factor authentication for anyone touching personal data.
  • Monitoring and logging of access and processing, with logs retained for at least one year to support breach investigation.
  • Backups that preserve integrity for the required period.
  • Documented breach response protocols, tested, not theoretical.
  • Contractual safeguards flowing these duties down to every processor.

4. Breach notification (Rule 7)

This is the one that catches people off guard, because the clock starts when you become aware, not when the breach happened, and it runs continuously through nights, weekends and holidays. There is no minimum threshold: a breach affecting one person carries the same duty as one affecting a million.

When you become aware of a personal data breach, two obligations fire at once:

  1. Notify every affected Data Principal without delay, in concise, clear, plain language, through their account or a registered channel. Include the nature and timing of the breach, the likely consequences for them, what you are doing to mitigate, what they can do to protect themselves, and a contact for queries.
  2. Notify the Data Protection Board. First, an initial intimation without delay describing the nature, extent, timing, location and likely impact. Then a detailed report within 72 hours (or longer only if the Board grants a written extension request) covering facts and causes, mitigation, findings on who or what was responsible, steps to prevent recurrence, and a summary of the notices you sent to Data Principals.

Do not forget the parallel clock. Under the CERT-In Directions of April 2022 (Section 70B, IT Act 2000), cybersecurity incidents must be reported to CERT-In within six hours of becoming aware. That is a separate obligation, to a separate regulator, with its own penalties. One incident, three notifications, three deadlines. None of it is achievable without pre-built templates and a rehearsed team.

→ Related reading: The 72-hour DPDP breach notification playbook

5. Retention and erasure (Rule 8, Section 8(7), Third Schedule)

  • Erase personal data once the purpose is served, consent is withdrawn, or the retention period lapses, unless another law requires you to keep it.
  • If you are an e-commerce or social media intermediary with at least 2 crore registered users in India, or an online gaming intermediary with at least 50 lakh users, the Third Schedule treats the purpose as no longer served after three years of inactivity. Erase accordingly.
  • Send a 48-hour advance alert to the Data Principal before scheduled erasure under these rules.
  • Keep a defensible retention schedule that reconciles DPDP erasure with sectoral laws that mandate longer holds (tax, KYC, company law).
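The Third Schedule erasure logic above, worked as an added Python example (not code from this page or from Axiom): it applies the user thresholds and the three-year inactivity period exactly as stated in the checklist, defers erasure behind a legal hold where another law requires a longer retention, and schedules the 48-hour advance alert. The Account record, the class names and the sample accounts are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
IST = timezone(timedelta(hours=5, minutes=30))
# Third Schedule user thresholds as given in the checklist above (registered users in India).
THRESHOLDS = {"ecommerce": 2_00_00_000, "social_media": 2_00_00_000, "online_gaming": 50_00_000}
ADVANCE_ALERT = timedelta(hours=48)  # alert the Data Principal before scheduled erasure

@dataclass
class Account:  # constructed record shape, not a DPDP-defined structure
    user_id: str
    last_active: datetime                     # last interaction by the Data Principal
    legal_hold_until: datetime | None = None  # e.g. a sectoral law mandating a longer hold

def third_schedule_applies(fiduciary_class, registered_users):
    """Only intermediaries at or above the threshold for their class are in scope."""
    threshold = THRESHOLDS.get(fiduciary_class)
    return threshold is not None and registered_users >= threshold

def plus_three_years(ts):
    try:
        return ts.replace(year=ts.year + 3)
    except ValueError:  # 29 February has no counterpart three years on
        return ts.replace(year=ts.year + 3, day=28)

def inactivity_erasure(acct, fiduciary_class, registered_users):
    """Erasure and alert timestamps for one account, or None when out of scope."""
    if not third_schedule_applies(fiduciary_class, registered_users):
        return None
    erase_at = plus_three_years(acct.last_active)  # purpose deemed no longer served
    held = acct.legal_hold_until is not None and acct.legal_hold_until > erase_at
    if held:
        erase_at = acct.legal_hold_until  # another law requires you to keep it longer
    return {"erase_at": erase_at, "alert_at": erase_at - ADVANCE_ALERT, "legal_hold": held}

def action_due(sched, now):
    """'erase', 'alert' or None: what the retention job must do for this account at `now`."""
    if sched is None or now < sched["alert_at"]:
        return None
    return "erase" if now >= sched["erase_at"] else "alert"

# Constructed sample: a social media intermediary with 2.5 crore registered users.
SAMPLE_ACCOUNTS = [
    Account("u1", datetime(2024, 1, 1, tzinfo=IST)),
    Account("u2", datetime(2024, 1, 1, tzinfo=IST), legal_hold_until=datetime(2028, 3, 31, tzinfo=IST)),
]
if __name__ == "__main__":
    now = datetime(2026, 12, 30, 12, 0, tzinfo=IST)
    for acct in SAMPLE_ACCOUNTS:
        sched = inactivity_erasure(acct, "social_media", 2_50_00_000)
        print(acct.user_id, sched["erase_at"].date(), action_due(sched, now))
```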

6. Grievance redressal (Rule 14)

  • Publish a clear point of contact for queries and complaints.
  • Respond to and resolve grievances within 90 days of receipt. This is a hard outer limit, not a target.

7. Processor and vendor contracts (Section 8(2))

  • Put a valid contract in place with every processor before they touch personal data.
  • Require processors to notify you without delay of any incident, with enough detail to make your own filings.
  • Include clauses for security standards, breach reporting timelines, erasure on instruction, audit rights and third-party risk management.

8. Children’s data (Rule 10, Section 9)

  • Obtain verifiable parental consent before processing the data of anyone under 18, and guardian consent for persons with disabilities.
  • Do not engage in tracking, behavioural monitoring or targeted advertising directed at children.
  • Check whether your sector falls within any notified exemptions before you rely on one. Exemptions are narrow and specific.

9. Cross-border transfers (Section 16, Rule 15)

  • You may transfer personal data outside India unless the government restricts a country or territory by notification. This is a negative-list approach, not a whitelist.
  • Maintain data mapping good enough to respond fast if a restriction is announced, especially if you run multi-region cloud.

10. Significant Data Fiduciary duties (Section 10, Rule 13)

You become a Significant Data Fiduciary (SDF) only when the Central Government designates you as one. It is not self-declared. The government weighs factors such as the volume and sensitivity of data, risk to Data Principals’ rights, risk to the sovereignty and integrity of India, security of the State, and public order. If you are designated, add:

  • An annual Data Protection Impact Assessment (DPIA).
  • An annual independent data audit.
  • Algorithmic due diligence to ensure your systems do not pose risks to Data Principals’ rights.
  • Data localisation for any categories of personal data the government notifies under Rule 13(4).
  • Appointment of a Data Protection Officer based in India, answerable to your board.

→ Related reading: Are you a Significant Data Fiduciary under the DPDP Act?

What to do now, and what can wait

You have a long list and a real deadline. The mistake is to start with the visible work (privacy policy edits) and leave the hard foundation (knowing what data you hold) for later. Run it in this order.

Do now (the foundation):

  1. Data mapping and gap assessment. Inventory every system, vendor and workflow that collects, stores or processes India-linked personal data. You cannot serve a notice, honour a right, or report a breach if you do not know what you hold and why.
  2. Stand up breach response. Templates, an incident team, the CERT-In six-hour and Board seventy-two-hour playbooks, a rehearsal. Breaches do not wait for May 2027.
  3. Fix consent and notice architecture. Redesign onboarding so notices are standalone, itemised and plain, with real withdraw-and-rights mechanisms.

Build through 2026 (the systems):

  1. Stand up rights-request workflows, retention schedules with automated erasure, and a published grievance channel with the 90-day SLA wired in.
  2. Refresh vendor contracts with DPDP-grade processing clauses.
  3. If you are likely to be designated an SDF, start DPIA methodology, audit scoping and localisation contingency planning now. These take months.

Sequence against the gates:

  1. Align with Consent Manager registration from November 2026 if you intend to use or become one.
  2. Have everything operational, not just documented, before 13 May 2027.

The phrase to hold onto: move from policy to execution. A privacy policy is paper. The Rules ask for working consent flows, real breach drills, enforced retention and auditable trails.

What it costs to get this wrong

The penalties sit in the Schedule to the DPDP Act, and the Board can apply them per violation, which means a single incident can stack.

Failure | Maximum penalty
Failure to take reasonable security safeguards | Up to ₹250 crore
Failure to notify a breach to the Board or affected Data Principals | Up to ₹200 crore
Breach of obligations relating to children’s data | Up to ₹200 crore
Breach of additional SDF obligations | Up to ₹150 crore
Any other breach of the Act or Rules | Up to ₹50 crore

A single breach can trigger more than one of these at once: inadequate safeguards that allowed it, plus failure to notify. The exposure compounds. The Data Protection Board of India is already operational, and its complaint mechanisms are live, so this is no longer a future risk to be scheduled around.

How to know where you stand today

You do not need to read all twenty-three Rules before you can act. Start by measuring the gap between where you are and where the law expects you to be, then work the list above against that gap.

The free Axiom DPDP readiness assessment walks you through a short set of questions across notice, consent, rights, security, breach readiness, retention and SDF exposure, and gives you a clear picture of what is already in place and what is missing. It takes a few minutes and it points you to the items on this checklist that need attention first. If you would rather have the work done with you, Axiom’s DPDP compliance service takes you from gap assessment to operational controls.

Compliance before May 2027 is achievable. It is not optional, and it is not a one-week project. The companies that start with data mapping in 2026 will be calm in 2027. The ones that start with a policy edit in 2027 will not.

FAQs

When is the DPDP compliance deadline?

The DPDP Rules, 2025 were notified on 13 November 2025 and most obligations carry an eighteen-month runway, putting full compliance at around 13 May 2027. Some provisions are already in force, and Consent Manager registration opens in November 2026. A small number of advisers count the final gate as 12 May 2027 depending on how the months are reckoned, but the practical deadline is mid-May 2027. There is no confirmed extension, and a January 2026 consultation actually floated shortening the window.

Does the DPDP Act apply to my business if I am based outside India?

Yes, if you process personal data in connection with offering goods or services to people in India. Section 3 gives the Act extraterritorial reach, so a foreign company serving Indian users is a Data Fiduciary with the same obligations as a domestic one. Where your servers or headquarters sit does not change that.

Do I need a Data Protection Officer under the DPDP Act?

A formal DPO is mandatory only if the Central Government designates you a Significant Data Fiduciary. Every other Data Fiduciary must still publish a contact point and run a grievance mechanism that resolves complaints within 90 days, but it does not have to be a designated DPO. If you expect SDF designation, appoint one early, because the DPIA and audit duties that come with it take months to stand up.

What is the breach notification timeline under DPDP?

Two clocks run together. You must notify affected Data Principals without delay, and notify the Data Protection Board with an initial intimation without delay followed by a detailed report within 72 hours (extendable only on written request to the Board). Separately, the CERT-In Directions require reporting cybersecurity incidents within six hours. The DPDP clock starts when you become aware, and it runs continuously, including nights and weekends.

What is a Consent Manager under the DPDP Act?

A Consent Manager is a Board-registered, interoperable platform through which a Data Principal can give, review, manage and withdraw consent across services. Registration opens in November 2026. Using one is not mandatory for every Data Fiduciary, but it is a clean way to maintain auditable consent records, run rights requests, and answer the question “whose data is affected” quickly when a breach hits. Consent Managers are required to keep consent records for seven years.
