DPDP compliance checklist — compliance lead reviewing checklist clipboard, Sirius Star

DPDP compliance checklist: 10 things to fix before May 2027



A DPDP compliance checklist for a 100 to 500 person Indian company should cover ten concrete fixes: appoint a contact, map your personal data, rewrite consent, fix vendor contracts, plug data exit routes, set up breach detection, train people, retention rules, a grievance channel, and a board-level sign-off. Anything else is theatre.

The MeitY DPDP Rules notification clock is ticking. Most rule-classes give Data Fiduciaries an 18-month transition window from notification, with the operational backstop now widely planned around May 2027 for material parts of the Act. If you’re a 100 to 500 person Indian company and you’ve been “watching the space,” you have approx 12 working months left to actually fix things, not approx 24.

This is a working list. I built it from the last twelve DPDP readiness reviews we ran for mid-size firms across BFSI, pharma, and IT/ITES. Six of those firms had board-level paper that said “DPDP, covered.” None of them were covered. The gap between the paper and the reality is what this DPDP compliance checklist is meant to close.


What a DPDP compliance checklist actually has to do

Two things. First, give you a defensible answer when a Data Principal asks “what personal data of mine do you hold and why?” Second, give the Data Protection Board a clean trail when they come knocking after a breach. Every item on the DPDP compliance checklist below maps to one of those two outcomes. If a task doesn’t, drop it.

A real DPDP compliance checklist is not a 200-line spreadsheet from a Big-4 deck. It is ten things, in priority order, that a 100 to 500 person company can actually finish. Treat the DPDP compliance checklist as a 12-month operating plan, not a one-week policy refresh.


1. Appoint a named contact, not a “designated team”

Section 8(9) of the DPDP Act requires every Data Fiduciary to publish the business contact of a person responsible for answering Data Principal queries. For Significant Data Fiduciaries this becomes a formal Data Protection Officer with a separate set of duties. For everyone else, a named “Data Privacy Contact” works, provided it’s a real human with a real email. This is item one on any working DPDP compliance checklist.

Most of our reviews find a generic `privacy@company.in` inbox that nobody owns. That fails the test. The Board will want a name, a designation, and an SLA. Pick one: usually the Compliance Lead or the Head of IT. Print it on the website. Put it in the privacy policy. Tell the receptionist who handles a walk-in query.

Cost: approx ₹0 if you reassign internal headcount. Approx ₹6 to 12 lakh annually if you appoint a part-time external DPO under a consulting arrangement. Either way, item one on the DPDP compliance checklist closes in a week.

2. Map your personal data, every category, every system

You cannot protect what you can’t list. Section 8(4) requires accurate processing; that’s impossible without an inventory. Map every category of personal data you handle (employee, customer, vendor, candidate, visitor), every system it lives in (HRMS, CRM, billing, helpdesk, finance, marketing automation), and every third party who touches it.

A 250-person company typically has approx 14 to 22 systems holding personal data. We’ve seen one with 47. The point of the map isn’t to look thorough, it’s so you can answer a breach question in hours, not weeks. The data map is item two on the DPDP compliance checklist and the single most leveraged piece of work in the programme.

A simple table per system works: data category, fields, source, legal basis, retention period, downstream sharing, encryption status. Excel is fine. The map is a living document; review it quarterly. Every other item on this DPDP compliance checklist runs off the map, so don’t skip it.

3. Rewrite consent: clear, specific, withdrawable

Section 6 of the DPDP Act sets a high bar for consent: free, specific, informed, unconditional, unambiguous, with clear affirmative action. Most existing privacy policies on Indian B2B sites don’t clear that bar. They bundle marketing, analytics, vendor-sharing, and product use into one tick-box.

You’ll need to unbundle. Each processing purpose gets its own consent. Each consent gets a clear withdrawal route. Availability in Hindi (or the user’s chosen Indian language) is a statutory right, not a nice-to-have; Section 6(3) says so. We see this missed often: the English policy is detailed, the regional-language version is a Google-translated stub.

If you sell into a regional market, get the policy professionally translated. The cost is approx ₹15-25k per language. The cost of doing it via free machine translation and getting flagged later is much higher. The consent rewrite is item three on the DPDP compliance checklist for good reason: it is the single most visible Data Principal touchpoint you control.

4. Fix every vendor contract: Data Processor clauses

Under Section 8(7) the Data Fiduciary stays accountable for whatever a Data Processor does on its behalf. Translation: if your payroll vendor leaks employee PAN data, you are liable. Not them. You.

Two things go into every vendor contract that touches personal data:

  • A data processing addendum (DPA) clause that names the purpose, lists the data categories, sets retention, requires the same security level you operate at internally, requires breach notification to you within a defined SLA (we use 24 hours), and grants audit rights.
  • A liability and indemnity clause that mirrors the DPDP penalty exposure. ₹250 crore per violation is the regulatory cap; your vendor SLA should make that exposure flow upstream if their lapse caused yours.

For a 250-person company, “vendors that touch personal data” usually runs to 18 to 35 contracts: HRMS, payroll, expense-management, helpdesk, marketing automation, email provider, CRM, cloud storage, courier, background-check, employee insurance, gifting vendor, AMC partners. Each one needs the DPA. None of them have it by default. Item four on the DPDP compliance checklist is the slowest one to close, because it depends on the vendor side, not you.

5. Plug your three biggest data exit routes

Most insider data leakage at Indian mid-size companies happens through three routes: USB drives copied to personal storage, company files attached to personal email, and customer lists pasted into WhatsApp. That’s not a guess, it’s the pattern across every forensic review we’ve run on a 100 to 500 person firm in the last two years.

You need an endpoint posture that monitors or blocks all three. The technology stack is well-understood: a data loss prevention layer with endpoint coverage, USB device control, email content inspection, and a clear policy on instant-messaging use of company data.

A note on personal devices. BYOD without an MDM container is a DPDP compliance gap by default: you cannot prove you protect personal data on a device you don’t manage. If you allow BYOD, either deploy a container (Knox, Intune, Hexnode) or restrict access to personal-data systems to managed devices only. Item five on the DPDP compliance checklist is where the device and the data conversations meet, so the answer here also feeds your device lifecycle management policy.

Cost for a 250-device endpoint DLP rollout: approx ₹12 to 28 lakh in year one, depending on whether you go with an India-based managed service or a global product. This is the heaviest technical line item on the DPDP compliance checklist, so budget for it early.

6. Detect a breach before the regulator does

Section 8(6) requires you to notify the Data Protection Board and affected Data Principals of a personal data breach. The widely-discussed operational window for notification is 72 hours from awareness. You cannot meet 72 hours if you depend on someone in IT noticing a problem on a Tuesday morning.

You need three things working together: an endpoint detection and response (EDR) tool that flags anomalous data movement, a SIEM (or managed SOC) that correlates the alerts, and a written incident response playbook with named roles. The playbook should run quarterly as a tabletop exercise.

For a 250-person firm with a small IT team, a fully managed detection-and-response service costs approx ₹18 to 35 lakh annually. In-house with one full-time analyst plus tooling lands roughly in the same range when you load salary, attrition, and tool licences. Pick based on your appetite, not the headline number. Breach detection sits at item six on the DPDP compliance checklist, but it is the item the Data Protection Board will examine first after an incident.
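As an added example (not Sirius Star’s tooling and not any product’s code), here is the correlation step from item 6 applied to the three exit routes from item 5, in Python. It parses constructed endpoint events, treats a user who hits two or more distinct exit routes with tagged personal data inside 30 minutes as an incident, and stamps the 72-hour notification deadline from the moment the alert fires, which is the point your awareness clock starts. The key=value log format, the field names, the 30-minute window and the `company.in` corporate domain are all assumptions; a real DLP or EDR export would be adapted to feed `parse_event`.

```python
"""Correlate constructed DLP/EDR events into an incident with a 72-hour clock.

Added example, not Sirius Star's tooling. Assumes the endpoint agent emits one
line per event as key=value pairs (constructed format).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: all three exit routes from item 5 on one user's endpoint,
# plus routine traffic from a second user that carries no personal data.
SAMPLE_LOG = """\
ts=2026-05-12T09:02:11Z user=rsen action=usb_copy path=/share/hr/payroll_apr.xlsx tag=personal_data
ts=2026-05-12T09:05:40Z user=rsen action=email_attach to=rsen.home@gmail.com path=/share/hr/payroll_apr.xlsx tag=personal_data
ts=2026-05-12T09:20:03Z user=rsen action=im_paste app=whatsapp bytes=48211 tag=personal_data
ts=2026-05-12T10:15:00Z user=akulkarni action=email_attach to=vendor@payrollco.in path=/share/fin/invoice.pdf tag=none
ts=2026-05-12T14:00:00Z user=akulkarni action=usb_copy path=/share/fin/invoice.pdf tag=none
"""

EXIT_ROUTES = {"usb_copy", "email_attach", "im_paste"}   # the three routes in item 5
CORPORATE_DOMAIN = "company.in"   # assumption: mail to any other domain is "personal"
WINDOW = timedelta(minutes=30)    # assumption: correlation window
NOTIFY_WINDOW = timedelta(hours=72)   # operational window discussed under item 6


def parse_event(line):
    """Turn one key=value log line into a dict with a timezone-aware timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def is_exit_event(ev):
    """True for one of the three exit routes carrying tagged personal data.
    Email attachments only count when the recipient is outside the corporate domain."""
    if ev.get("action") not in EXIT_ROUTES or ev.get("tag") != "personal_data":
        return False
    if ev["action"] == "email_attach":
        return not ev.get("to", "").endswith("@" + CORPORATE_DOMAIN)
    return True


def correlate(log_text):
    """Group exit events per user; two or more distinct routes inside WINDOW is an incident.
    Returns one incident per user with the 72-hour notify-by deadline attached."""
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if is_exit_event(ev):
            per_user[ev["user"]].append(ev)

    incidents = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= WINDOW]
            routes = {e["action"] for e in in_window}
            if len(routes) >= 2:
                awareness = in_window[-1]["ts"]   # clock starts when the alert fires
                incidents.append({
                    "user": user,
                    "routes": sorted(routes),
                    "awareness": awareness,
                    "notify_by": awareness + NOTIFY_WINDOW,
                })
                break   # one incident per user; later events join this case
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(f"{inc['user']}: routes={inc['routes']} notify Board by {inc['notify_by']:%Y-%m-%d %H:%M}Z")
```

The point of the example is the last field: the playbook owner should be looking at a deadline, not at raw alerts. Tuning the window and the "distinct routes" threshold is where the quarterly tabletop earns its keep.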

7. Train your people, but make it specific, not generic

A 30-minute generic privacy e-learning module satisfies an auditor for exactly one cycle, then loses all behavioural effect. What actually changes behaviour is short, role-specific training tied to the data each role touches.

  • HR sees employee personal data: train HR on consent, retention, and exit-day data handling.
  • Sales sees customer contact data: train Sales on the WhatsApp leakage problem and the email-to-personal-account risk.
  • Finance sees PAN, bank, and salary data: train Finance on access controls and segregation of duties.
  • IT sees everything: train IT on breach detection, audit logs, and vendor management.

Run training quarterly, not annually. Test recall with a five-question quiz. Log attendance. The DPB doesn’t ask if you trained people; they ask for proof. Training is the item most teams under-resource on the DPDP compliance checklist, and the easiest one to fix.

8. Set a retention rule for every data category, and actually delete

Section 8(7) read with Rule 8 of the draft Rules requires that personal data be erased when the purpose for which it was collected is no longer served. “We keep everything forever, just in case” is not a DPDP-compatible policy.

Set a retention period for every category in your data map (item 2). Typical landing zones for an Indian mid-size firm:

Data category                             | Retention period                       | Trigger to delete
Job applicants (not hired)                | 6 months                               | From application date
Resigned employee, operational data       | 90 days                                | From exit date
Resigned employee, payroll / tax records  | 7 years (statutory)                    | From exit date
Customer enquiry forms (no conversion)    | 12 months                              | From last contact
Customer transactional data               | 7 years (statutory under tax/IT laws)  | From last transaction
Marketing leads (cold)                    | 12 months                              | From last engagement
Visitor logs                              | 6 months                               | From visit date
CCTV / access logs                        | 30 to 90 days                          | Rolling
Helpdesk tickets                          | 24 months                              | From ticket close

Actually build the delete into the system. A retention policy that says “delete after 12 months” but has no script, no scheduled job, and no audit log is not a retention policy; it is wishful thinking in a Word document. Item eight on the DPDP compliance checklist fails silently more than any other, because nobody notices that delete jobs are not running until the regulator asks.
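An added example (not the author’s or Sirius Star’s code) of what “build the delete into the system” looks like when the retention job runs off the item-2 data map. A constructed CSV data map carries the retention period and trigger field per (system, category); the job works out what is past retention on a given day, deletes it from an in-memory store, writes one audit entry per deletion, and parks two cases for a human instead of deleting blind: records with no trigger date, and categories under a statutory hold. The CSV columns, the record layout and the `statutory_hold` flag are assumptions; in a real rollout each system’s connector replaces the in-memory dict.

```python
"""Retention enforcement driven by the data map (items 2 and 8).

Added example, not Sirius Star's code. Assumes the data map is a CSV with one
row per (system, category) and that each system exposes records carrying the
trigger date the map names (constructed in memory here).
"""
import copy
import csv
import io
from datetime import date, timedelta

# Constructed data map: a slice of the item-2 inventory with item-8 retention columns.
DATA_MAP_CSV = """\
system,category,retention_days,trigger_field,statutory_hold
ats,job_applicant_not_hired,180,application_date,no
hrms,resigned_employee_operational,90,exit_date,no
payroll,resigned_employee_payroll,2555,exit_date,yes
crm,customer_enquiry_no_conversion,365,last_contact,no
"""

# Constructed records per system. a3 has no trigger date on purpose.
RECORDS = {
    "ats": [
        {"id": "a1", "category": "job_applicant_not_hired", "application_date": "2025-09-01"},
        {"id": "a2", "category": "job_applicant_not_hired", "application_date": "2026-03-15"},
        {"id": "a3", "category": "job_applicant_not_hired", "application_date": ""},
    ],
    "hrms": [{"id": "e1", "category": "resigned_employee_operational", "exit_date": "2026-01-10"}],
    "payroll": [{"id": "p1", "category": "resigned_employee_payroll", "exit_date": "2019-01-10"}],
    "crm": [{"id": "c1", "category": "customer_enquiry_no_conversion", "last_contact": "2025-04-01"}],
}


def load_data_map(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def evaluate(data_map, store, today):
    """Return (due, review): lists of (system, record_id, reason).
    due = safe to delete by job; review = a human must look before anything is deleted."""
    due, review = [], []
    for rule in data_map:
        system, cat = rule["system"], rule["category"]
        keep_for = timedelta(days=int(rule["retention_days"]))
        for rec in store.get(system, []):
            if rec["category"] != cat:
                continue
            raw = rec.get(rule["trigger_field"], "")
            if not raw:
                review.append((system, rec["id"], "missing trigger date"))
                continue
            if today - date.fromisoformat(raw) < keep_for:
                continue   # still inside its retention period
            if rule["statutory_hold"] == "yes":
                review.append((system, rec["id"], "statutory period expired; needs sign-off"))
            else:
                due.append((system, rec["id"],
                            f"{cat}: {rule['retention_days']}d from {rule['trigger_field']}"))
    return due, review


def apply_deletions(store, due, today):
    """Delete each due record and return one audit entry per deletion."""
    audit = []
    for system, rec_id, reason in due:
        before = len(store[system])
        store[system] = [r for r in store[system] if r["id"] != rec_id]
        audit.append({"date": today.isoformat(), "system": system, "record_id": rec_id,
                      "rule": reason, "deleted": before - len(store[system])})
    return audit


def run_retention(data_map_csv, records, today_iso):
    """One scheduled run: returns (remaining store, audit log, review queue).
    Works on a copy so the caller's records are untouched until the job commits."""
    today = date.fromisoformat(today_iso)
    store = copy.deepcopy(records)
    due, review = evaluate(load_data_map(data_map_csv), store, today)
    audit = apply_deletions(store, due, today)
    return store, audit, review


if __name__ == "__main__":
    _, audit, review = run_retention(DATA_MAP_CSV, RECORDS, "2026-05-12")
    for entry in audit:
        print("DELETED", entry)
    for item in review:
        print("REVIEW ", item)
```

The audit list is what you show the Board: date, system, record, and the rule that justified the delete. The review queue is the part most scripts skip, and it is what stops a naive job from wiping payroll records still under a statutory hold.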

9. Build a grievance channel that responds in days, not months

Section 13(2) gives Data Principals the right to grievance redressal. Section 13(3) makes this a precondition for them filing with the Board: they must come to you first. That’s actually good news. It means a working grievance channel keeps cases out of the Board’s pipeline.

Three things make a grievance channel real: a published email address on the website, a logging system (a ticket queue, not someone’s personal inbox), and an SLA published next to the channel. “We respond within 7 working days” is the floor most firms commit to.

Track the queue. If your grievance volume is zero, that doesn’t mean you have no grievances. It means the channel is invisible. Promote it in your privacy policy, on order confirmations, in employee onboarding, and on the contact-us page. A live, monitored queue is the proof point your DPDP compliance checklist needs for this item.

10. Get a board-level sign-off on the readiness paper

The last item, but the one that breaks most “we are compliant” claims. Until your board (or for proprietorships, the principal owner) has formally reviewed the DPDP readiness state, signed off the risk register, and approved budget for the gaps, you do not have organisational accountability. You have one person at IT or Compliance carrying the entire exposure.

Build a one-page status memo. List the ten items in this DPDP compliance checklist, the state of each (Green / Amber / Red), the gap-closure plan, the cost, and the named owner. Table it at the next board meeting. Get it minuted. The minute is your evidence of governance.

We’ve sat in approx forty board meetings on DPDP in the last year. The pattern is almost universal: the board treats the topic seriously when shown a concrete checklist, treats it as IT noise when shown a 40-page deck. Bring the one-pager. A signed DPDP compliance checklist sitting in the board minutes is the single strongest defence document you can build.


Where most companies are right now on the DPDP compliance checklist

Across the twelve readiness reviews we did in FY26 H1, here’s the typical “before” state for a 250-person Indian company:

  • Items 1 to 3 (contact, data map, consent): approx 30% done. Privacy policy exists but is stale; consent is bundled; data map doesn’t exist.
  • Items 4 to 6 (vendor DPA, exit routes, breach detection): approx 15% done. Vendor contracts vary wildly; endpoint posture inconsistent; no incident response playbook.
  • Items 7 to 9 (training, retention, grievance): approx 25% done. Annual generic training; retention policy on paper but not in systems; grievance email goes to a shared inbox nobody monitors.
  • Item 10 (board sign-off): approx 5% done. The board has been told “we are working on it.” That’s it.

So 12 months out from a May 2027 operational deadline, the average firm is roughly 20% compliant. That’s a lot of ground. But it is doable if you treat this DPDP compliance checklist as a quarterly programme, not a one-shot project. Three items per quarter for four quarters and you’re there.


Sequencing: what to do first

Don’t try to do all ten items in parallel. The dependencies matter. The order I use in client engagements:

Quarter 1: Item 2 (data map) and item 1 (named contact). The data map is the foundation; without it items 4, 5, 6, 8, and 9 are guesswork.

Quarter 2: Items 4 (vendor contracts), 8 (retention), and 3 (consent rewrite). These build on the data map.

Quarter 3: Items 5 (exit routes), 6 (breach detection), and 7 (training). The biggest cost and procurement lift lands here, so leave runway.

Quarter 4: Item 9 (grievance channel) and item 10 (board sign-off). Channel needs the policy + training to be in place; board sign-off needs everything else done so the memo can show Green/Amber states honestly.

If you start in May 2026 and follow this sequence, you reach approx 90% readiness by May 2027. The remaining 10% is calibration; every regulator gives you that. The DPDP compliance checklist is a 12-month programme run in four quarterly sprints, not a single weekend of policy writing.


Priya’s Take

I tell every IT head the same thing in the first meeting: the people who get burned by DPDP won’t be the ones who didn’t know. They’ll be the ones who knew, started a deck, and stopped. The Act will not punish ignorance; there’s a 12-month window for that excuse. It will punish documented inaction. The minute of a board meeting that says “noted, will revisit” reads, after a breach, as wilful neglect.

Honestly, the easy fix is to start with item 2, the data map, this quarter. Once you can see what you actually hold, the rest of the DPDP compliance checklist stops feeling abstract. Okay, I know it’s not glamorous work. But it pays for itself the first time a Data Principal emails asking what data you hold on them and you can answer in a day, not a week.


FAQ

What is a DPDP compliance checklist?

A DPDP compliance checklist is a working list of the operational fixes a company has to make to be compliant with India’s Digital Personal Data Protection Act 2023. For a mid-size company, the list runs to approx ten items: appointing a contact, data mapping, consent rewrite, vendor contracts, exit-route controls, breach detection, training, retention, grievance redressal, and board sign-off.

What is the DPDP compliance deadline in India?

The DPDP Act 2023 was enacted in August 2023 but operational provisions kick in after the MeitY Rules are notified, with an 18-month transition window for most Data Fiduciary obligations. Industry planning consensus places the operational deadline around May 2027 for material parts of the Act. Significant Data Fiduciaries face an earlier compliance ramp.

Who is a Data Fiduciary under the DPDP Act?

A Data Fiduciary is any person, company, or entity that decides the purpose and means of processing personal data of Indian residents. A 200-person Indian company that holds employee PAN, customer email, and vendor bank details is a Data Fiduciary by definition. The status applies regardless of company size, unlike GDPR.

What is the penalty for DPDP non-compliance?

The DPDP Act sets a regulatory cap of ₹250 crore per violation under Schedule 1. Specific failures attract specific caps: failure to notify a breach is up to ₹200 crore, failure to take reasonable security safeguards is up to ₹250 crore, and breach of additional Significant Data Fiduciary obligations is up to ₹150 crore. See our deeper read on the DPDP penalty math for mid-size companies.

Can a small company skip the DPDP compliance checklist?

No. The DPDP Act applies to all Data Fiduciaries regardless of size. The Central Government may notify certain classes (likely small startups and limited use cases) for exemption from specific obligations, but the base set (notice, consent, grievance redressal, breach notification) applies to everyone. Build the DPDP compliance checklist now, not after a notification arrives.


Get your DPDP readiness scored

We run a structured DPDP readiness check for Indian companies between 100 and 500 employees. Output is a one-page scorecard mapped to this DPDP compliance checklist, with a Green/Amber/Red on each item and a 90-day fix plan. Two-hour engagement, no slide deck.

Book a DPDP readiness check →

200+ businesses trust us. Response within 4 hours.

WhatsApp: Hi Sirius Star, I read your DPDP compliance checklist and want a readiness check →



About the author

Priya Sharma is Compliance Lead at Sirius Star Enterprise Technologies, where she has run DPDP readiness reviews and DLP rollouts for Indian mid-size firms across BFSI, pharma, manufacturing, and IT/ITES. Before Sirius Star she spent seven years in risk and compliance at a Big-4 advisory practice. She works out of Vashi, Navi Mumbai.

Profile: /author/priya-sharma/
