Why this checklist exists
The Digital Personal Data Protection Act, 2023 stopped being a theoretical exercise the moment the DPDP Rules were notified on 14 November 2025. Since then, the compliance clock has been running on two tracks: a soft-enforcement window that ends in November 2026, when the Data Protection Board shifts to active supervision, and hard enforcement on 13 May 2027, when the full obligation set — consent, notices, security safeguards, breach protocol, DSR infrastructure and Significant Data Fiduciary duties — becomes enforceable with penalties attached.
If you think the Board will wait until 2027 to act, look at what already happened: the first DPB enforcement actions landed on app developers in Q1 2026 over invalid consent. The regulator is not warming up slowly.
This checklist is the obligation set, organised the way an implementation team actually works through it. I run ISO 27001 programmes professionally, and the honest advice is the same as for any management system: do the scoping and data mapping first, because everything downstream depends on it.
How to use this list
Work top to bottom. Items 1–4 are foundations you need before November 2026, when the Board begins scrutinising legacy-data consent. Items 5–9 are the operational machinery that must be running by 13 May 2027. Item 10 is what keeps you out of trouble after that.
Penalties stack across breach categories, with the highest tier — up to ₹250 crore — reserved for failure of reasonable security safeguards. A single incident can trigger findings in multiple categories at once, so partial compliance is not a hedging strategy.
1. Governance and scoping
- Appoint an accountable owner. Even if you are not (yet) a Significant Data Fiduciary, someone must own DPDPA compliance with board-level visibility.
- Build a personal data inventory. Map every system, vendor and process that touches digital personal data of individuals in India. A Record of Processing Activities (ROPA) is the practical artefact here, and the Privacy Management module supports ROPA building today.
- Determine your SDF exposure. Significant Data Fiduciary designation brings an India-based Data Protection Officer, periodic Data Protection Impact Assessments, independent audits and algorithmic due diligence. Assess now whether your volume and sensitivity of processing puts you in that tier.
- Document your lawful basis for every processing activity. Under the DPDPA, consent is the primary basis. If you have been relying on GDPR-style legitimate interests reasoning, that reasoning does not transplant.
2. Consent
- Audit every consent flow. Consent must be free, specific, informed, unconditional and unambiguous, given through clear affirmative action. The Q1 2026 enforcement actions against app developers turned on exactly this: consent that did not meet the bar.
- Make withdrawal as easy as giving consent. This is an explicit requirement. If sign-up takes one tap and withdrawal takes an email to support, you fail.
- Maintain consent records. You need to evidence who consented to what, when, through which notice, and whether it was later withdrawn.
- Prepare for Consent Managers. The Consent Manager framework is being operationalised between June and August 2026 with interoperable APIs. Your systems need to be able to receive and honour consent signals from registered Consent Managers, not just your own forms.
3. Notices in 22 languages
- Rewrite privacy notices to DPDPA standards. Notices must describe the personal data collected, the purpose, how rights can be exercised and how complaints reach the Data Protection Board.
- Translate into all 22 scheduled languages. Notices must be available in every language listed in the Eighth Schedule of the Constitution. This is a content-operations problem as much as a legal one — version control across 22 languages is exactly what Document Management exists for.
- Version and date-stamp every notice. When the Board asks which notice a consent was given against, you need the answer in minutes, not weeks.
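As an added illustration (not code from this page or from Compliance Enablers) of what items 2 and 3 together require a consent record to answer: a minimal Python consent ledger that ties each consent to a versioned, date-stamped notice, supports one-call withdrawal and answers "was there live consent for this purpose at time T, and against which notice?" The field names, the `source` channel label and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Notice:
    """One published, versioned, date-stamped notice in one scheduled language."""
    notice_id: str
    version: str
    language: str      # language the Data Principal actually saw, e.g. "hi", "ta"
    published_at: datetime

@dataclass
class ConsentEvent:
    """Who consented to what, when, against which notice, via which channel."""
    principal_id: str
    purpose: str
    notice: Notice
    source: str        # "own-form" or a Consent Manager identifier (assumed field names)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Refuse consent recorded against a notice version that did not yet exist:
        # such a record cannot evidence an informed consent.
        if event.given_at < event.notice.published_at:
            raise ValueError("consent predates the notice version it cites")
        self._events.append(event)

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> int:
        # One call closes every live consent for the purpose, so withdrawal is
        # never harder than giving consent. Returns how many records were closed.
        closed = 0
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose and e.withdrawn_at is None:
                e.withdrawn_at = at
                closed += 1
        return closed

    def valid_at(self, principal_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        # Point-in-time query: the latest consent for this purpose that was given
        # on or before `at` and not withdrawn by then; None means no valid consent.
        for e in reversed(self._events):
            if (e.principal_id == principal_id and e.purpose == purpose
                    and e.given_at <= at and (e.withdrawn_at is None or e.withdrawn_at > at)):
                return e
        return None
```

The returned event carries the notice id, version and language, which is the answer the Board will ask for when it wants to know which notice a consent was given against.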
4. Children's data
- Implement verifiable parental consent. Processing a child's personal data requires verifiable consent from a parent or lawful guardian. "A checkbox that says I am over 18" is not verification.
- Switch off behavioural advertising to minors. Tracking and targeted advertising directed at children is prohibited. Audit your ad stack and analytics configuration for this specifically.
5. Security safeguards
- Implement reasonable security safeguards. This is the highest penalty tier — up to ₹250 crore for failure of reasonable security safeguards — so treat it as the anchor obligation. Encryption, access control, logging, monitoring and vendor controls all belong here.
- Extend safeguards to processors. Your Data Processors act on your behalf; their failures are your exposure. Contract clauses plus actual verification, not contract clauses alone.
- Map safeguards to an existing framework. If you already run ISO 27001 or SOC 2, map DPDPA security expectations onto your existing control set rather than building a parallel universe. Audit Management handles the gap assessment and recurring verification.
6. Breach protocol — two clocks, one incident
- Build a breach response runbook for the DPB. Personal data breaches must be reported to the Data Protection Board regardless of any risk threshold — there is no "unlikely to result in risk" carve-out to lean on.
- Do not forget CERT-In. A separate, pre-existing duty requires reporting of cyber incidents to CERT-In within 6 hours. One personal-data breach can trigger both the DPB and CERT-In clocks simultaneously, and they run on different timelines with different content requirements.
- Rehearse it. A tabletop exercise that simulates both notification tracks will surface the gaps a document review never will. Incident Management runs these dual-clock workflows so the timers, evidence and notifications live in one place.
7. Data Principal rights infrastructure
- Stand up DSR intake. Data Principals have rights to access, correction, erasure and grievance redressal. You need a channel to receive requests, verify identity, route to data owners and respond within published timelines.
- Track every request against an SLA. Spreadsheet-based DSR handling collapses at volume. The Privacy Management module handles DSR workflows and PIAs operationally today.
- Plan for grievance escalation. Unresolved grievances can go to the Board. Your internal redressal process is the buffer — make it real.
8. Legacy data
- Inventory pre-Act data. Personal data collected before the DPDPA regime still needs a defensible consent position. The Board has signalled that legacy-data consent scrutiny begins when the soft-enforcement window ends in November 2026.
- Decide: re-consent, anonymise or delete. For each legacy dataset, pick one and document why.
9. Training
- Train everyone who touches personal data. Engineers, support, marketing, HR. Most consent and notice failures are execution failures by people who never read the policy. Security Awareness Training covers DPDPA-specific awareness alongside the security basics.
10. Audit, evidence and SDF duties
- Schedule periodic DPIAs if you are an SDF — and arguably even if you are not, for high-risk processing.
- Prepare for independent audits. SDFs face mandatory independent audits; collecting evidence continuously beats scrambling annually.
- Run algorithmic due diligence. SDFs must verify that algorithmic processing does not harm Data Principals. Document the assessment, not just the conclusion.
- Keep everything inspection-ready. Active supervision from November 2026 means the Board can ask questions and expect organised answers. Consent records, notice versions, DSR logs, training completions and breach runbooks should be retrievable in days, not weeks.
The failure modes I keep seeing
Having watched DPDPA programmes start and stall over the past year, three patterns repeat.
Consent treated as a legal review instead of a product change. Legal signs off on new consent language; nobody changes the actual sign-up flow, the SDK configuration or the withdrawal path. The Q1 2026 actions were about how consent worked in the app, not how it read in the policy.
The checklist run in the wrong order. Teams start with the visible items — notices, a privacy page refresh — before doing data mapping. Then every later item gets done twice, because nobody knew what data existed where.
One deadline instead of two. Plans built around 13 May 2027 ignore that legacy-data scrutiny and active supervision begin in November 2026, and that consent enforcement started in Q1 2026. The real programme deadline is November 2026; May 2027 is when the remaining machinery must be production-grade.
Tooling this without overspending
DPDPA point solutions focused on consent management alone are pricing at ₹15–40 lakh per year — and consent is only one of the ten sections above. The economics favour running DPDPA on a platform you already use for ISO 27001, SOC 2 or vendor risk, rather than bolting on a single-purpose tool.
On Compliance Enablers, Privacy Management (DSRs, ROPA, PIAs), Incident Management (breach clocks), Document Management (notices and policies), Audit Management and Security Awareness Training are operational today. The DPDPA Operations Suite — consent registry, DSR SLA clocks and SDF obligation tracker — is rolling out ahead of the November 2026 deadline.
Start with the framework guide
Work through the DPDPA framework guide for the obligation-by-obligation detail behind this checklist, or book a demo and we will walk your team through mapping your current state against it. November 2026 is closer than it looks; the organisations that treat it as the real deadline will find 13 May 2027 uneventful.
This is general information, not legal advice.