DPDP Readiness Checklist
A step-by-step readiness guide for India's Digital Personal Data Protection Act compliance.

India's Digital Personal Data Protection Act introduces new obligations for how organisations collect, process and store personal data. Compliance is not just a legal task; it requires changes to technology architecture, data handling practices, vendor contracts and customer communication.
1. Establish Data Governance
Create a data inventory that identifies personal data, its purpose, lawful basis, retention period and cross-border transfer status. Assign ownership and accountability for each data category.
2. Update Privacy Notices and Consent
Review privacy notices for clarity and completeness. Ensure consent mechanisms are freely given, specific, informed and unambiguous. Implement granular consent where required and maintain audit trails.
3. Implement Rights Management
- Define processes for access, correction, erasure and grievance handling.
- Build workflows to respond to data principal requests within statutory timelines.
- Train customer-facing and IT teams on handling requests.
4. Secure Personal Data
Apply appropriate technical and organisational controls. Encrypt data at rest and in transit, enforce least-privilege access, maintain logging and monitoring, and conduct regular security assessments.
5. Review Vendor Contracts
Ensure processors and sub-processors have adequate data protection clauses, breach notification obligations and audit rights. Do not assume existing cloud or SaaS contracts meet DPDP requirements.
6. Prepare for Breach Notification
Establish an incident response process that can assess whether a personal data breach is reportable and notify the Data Protection Board within the required timeframe.
Discuss this topic
Want to apply this thinking to your board or executive agenda?
C3GEEK advises boards, CEOs, CIOs and CISOs on AI governance, cyber risk, cloud strategy and digital transformation.


