DPDP Compliance Checklist for Indian Businesses (2025)

Your privacy policy must be publicly accessible on your website and cover: what personal data you collect, why you collect it, how long you keep it, who you share it with, what rights users have (access, correction, erasure, nomination), how to withdraw consent, how to submit a grievance, and your breach notification commitment. It must be written in plain language, not legal boilerplate. Link to it from your website footer and all data collection forms.

Every Data Fiduciary must designate a named Grievance Officer and publish their name and a contact mechanism (email address) on the website. The Grievance Officer receives and resolves complaints from users about how their personal data is handled. No specific qualification is required. You can appoint any employee to this role. The contact details must be published — it is not sufficient to list a generic contact email. The CompliSeal scanner checks for a published Grievance Officer as one of its 13 checkpoints.

Before collecting personal data, you must present a consent notice that specifies: what data is being collected, for what purpose, for how long, and to whom it will be disclosed. Consent must be free, specific, informed, and unambiguous. Bundling consent into terms and conditions is not valid. For each distinct purpose (analytics, marketing, service delivery), consent must be obtained separately. The consent notice must be in plain language and, where required, in Indian scheduled languages.

Users must be able to withdraw consent as easily as they gave it. This means providing a clear, accessible way for users to revoke consent for any or all processing purposes at any time. A preference centre on your website or a link in your privacy policy to a withdrawal form both satisfy this requirement. Once consent is withdrawn, processing for those purposes must stop. The Consent Banner SDK in CompliSeal provides this automatically through a preference centre.

Users have four rights under the DPDP Act: the right to access a summary of their personal data, the right to correct inaccurate data, the right to erasure, and the right to nominate a successor. You must have a documented process for receiving, tracking, and responding to these requests within a reasonable time. Publish the submission mechanism (typically a form or email address) in your privacy policy. CompliSeal provides a public intake form and a dashboard to manage requests with deadline tracking.

You must notify the Data Protection Board of a significant personal data breach promptly after discovery. DPDP Rules 2025 prescribe a 72-hour window for Board notification. You must also notify the affected Data Principals. Before a breach occurs, document your incident response process: who is responsible, how to assess severity, what to include in the notification, and where to submit it. Preparing notification templates in advance is strongly recommended. CompliSeal's Breach Response module provides a 72-hour countdown and pre-drafted notification templates.

A consent banner that appears before any non-essential cookies or tracking scripts run is required under the DPDP Act. The banner must allow users to accept or decline each category of processing (necessary, analytics, marketing, preferences) separately. Third-party tracking scripts such as Google Analytics or Meta Pixel must be blocked until the user consents. Every consent event must be logged with a timestamp and a user identifier for audit purposes. The CompliSeal Consent Banner SDK handles all of this with a single script tag.

You are responsible under the DPDP Act for how your Data Processors (vendors who handle personal data on your behalf) process that data. This requires a written Data Processing Agreement with each processor specifying: what data they process, for what purposes, the security measures they have in place, their sub-processor arrangements, their breach notification obligations to you, and their data deletion procedures on contract end. Review agreements with your analytics provider, CRM, email platform, cloud storage, and payment gateway as a priority.

A RoPA is a documented inventory of every type of personal data your organisation collects and processes. For each processing activity, record: the data categories, the purpose, the legal basis, the data processors involved, the retention period, and any international transfers. While a RoPA is explicitly mandated only for Significant Data Fiduciaries, maintaining one is strongly recommended for all businesses. It forms the foundation for your privacy policy, your DPIA assessments, and your vendor DPAs, and it is the first document the Data Protection Board will ask for in an investigation.

A DPIA is required for Significant Data Fiduciaries and is best practice for any business before launching a high-risk processing activity: large-scale profiling, processing sensitive personal data, sharing data with new third parties, or implementing new tracking technologies. A DPIA documents the necessity and proportionality of the processing, the risks to individuals, and the controls in place to mitigate those risks. Complete and record a DPIA before launching any significant new data processing activity.

Processing personal data of individuals under 18 requires verifiable parental or guardian consent. Behavioural tracking and targeted advertising directed at minors are prohibited under the DPDP Act. If any part of your platform is accessible to or targeted at users under 18, you need an age verification mechanism, a separate parental consent flow, and a children's-specific privacy policy section. The CompliSeal Children's Data module generates the required documents and assesses your current compliance gaps.

DPDP compliance is not a one-time activity. Your privacy policy must be updated when processing purposes change. Vendor DPAs must be renewed. Consent banners must be reviewed when new processing is introduced. Staff handling personal data should be trained. DPIAs for high-risk activities should be reviewed annually. Set up a compliance calendar with recurring tasks to ensure these obligations do not fall through the gaps. CompliSeal's Compliance Calendar comes pre-loaded with standard DPDP recurring tasks.