DPDP readiness check: 10 questions for your company

Last month an IT head at a Pune fintech texted me at 7:40 on a Sunday evening. The audit committee had moved the DPDP review forward by six weeks. He had fifteen minutes before dinner and the board memo was due Monday. He did not want a 90-minute scoping call. He wanted to know, with one number, where his company stood. The 10-question DPDP readiness check below is the test we built for that exact moment. It maps to the 9 obligations of the DPDP Act, scores out of 10, and reads out in under 15 minutes. Across approx 31 scoping conversations in the last seven months the median DPDP readiness check score landed at 3 out of 10. The audit floor we recommend before any board memo goes out is 7. Boss, that is the gap most companies do not see until the regulator already has.
On this page
- How to use this DPDP readiness check
- The 10-question DPDP readiness check
- Score interpretation: the four audit-risk bands
- The three lowest-cost first moves by score band
- What to do after the score: board memo vs deeper scorecard
- Frequently asked questions
This post hands you the 10-question test, the score bands, the first-move shortlist by band, a one-paragraph board-memo template, and a free 30-minute scoping call if you would rather have a third party do the read-out. The promise: a way to fix DPDP readiness at an Indian mid-size company even when legal counsel is external and the IT head is already at 9-hour days. That is the contract.
How to use this DPDP readiness check
Three rules before you start. Skip any one and the number turns from a defensible baseline into a Sunday-evening guess.
Rule 1: Score honestly. Mark 1 only if the obligation is met and enforced. A privacy notice that exists on the website footer but nobody updates is a 0. A consent withdrawal flow that engineering built but support forgets to honour is a 0. A grievance officer named on the website who never responds inside the SLA is a 0. The whole point of the test is to surface the gap between policy and practice, not to make the IT head feel better. The regulator measures enforcement, not PDFs filed.
Rule 2: Two pairs of eyes, ideally. IT head plus one of: legal counsel, COO, or compliance head. Single-person scoring drifts optimistic by approx 1.5 to 2 points on the 10-point scale; we have measured this on the same companies between solo and joint reviews. If you are scoring alone tonight, fine. Then re-score with one other person before the board memo. It saves the embarrassment of presenting 7 and finding out the real number is 5.
Rule 3: Note the 0s. Every 0 gets one line: what is missing, what would close it, rough cost or effort. Those notes become the first-move shortlist later in the post. The 1s do not need documentation today; they get revisited at the next quarterly review. It is the 0s the audit committee will ask about.
The 10-question DPDP readiness check
The 10-question DPDP readiness check below covers the 9 obligations of the DPDP Act, sections 4 to 11, condensed to one critical question each, with question 10 covering vendor and processor accountability as a tenth, cross-obligation question. Score 0 (not met, or met but not enforced) or 1 (met and enforced).
| # | Obligation (DPDP Act section) | The one question that matters | Score |
|---|---|---|---|
| 1 | Lawful basis and notice (Sec 4 to 5) | Does every collection point on every form, every API, every vendor onboarding portal, every support chat carry a written privacy notice in English or a scheduled Indian language that itemises what data, why, retention period, and onward recipients? It tells the data principal what they are signing up for so you can defend the consent later which means a regulator asking “did the principal know?” gets a yes in writing. | 0 / 1 |
| 2 | Consent and withdrawal (Sec 6 to 7) | Is consent captured by a clear affirmative action (checkbox, button click, signed form, never pre-ticked), granular per purpose, and paired with a working withdrawal flow that is as easy to use as the original signup? It captures the consent so you can prove lawful basis which means a grievance asking “I withdrew, why are you still emailing me” closes without an apology. | 0 / 1 |
| 3 | Purpose limitation and data minimisation (Sec 6(1)) | Is every field on every collection form mapped to one or more documented purposes, with fields not tied to a documented purpose either removed or marked optional with separate consent? It strips the data inventory to what you actually need so you can defend the collection at audit which means the auditor asking “why are you collecting PAN here?” gets a one-line answer, not a meeting. | 0 / 1 |
| 4 | Accuracy and correction (Sec 8(3)) | Can a data principal view and correct their personal data through a self-service flow or a documented written request, with corrections honoured inside 30 days and reflected across all downstream systems? It gives the principal a path so you can show accuracy is enforced which means a grievance escalation lands at advisory, not penalty. | 0 / 1 |
| 5 | Reasonable security safeguards (Sec 8(5)) | Is encryption at rest enforced on every system holding personal data (CRM, HRIS, payroll, ATS, backups, shared drives) with role-based access, quarterly access review, endpoint controls on every laptop, and signed Data Processing Agreements with every third-party processor? It hardens the surface so you can demonstrate reasonable safeguards which means a breach notice does not become a penalty notice. | 0 / 1 |
| 6 | Breach response readiness (Sec 8(6)) | Do you have a written breach-response runbook with a named owner, a 72-hour clock to the Data Protection Board, a 6-hour CERT-In integration, pre-approved comms templates for the regulator and the affected principals, and at least one tabletop exercise run in the last 12 months? It rehearses the response so you can stay inside the clock which means the regulator sees cooperation, not panic. | 0 / 1 |
| 7 | Erasure on purpose completion (Sec 8(7)) | Does every data category have a documented retention period mapped to lawful basis, with automated or scheduled erasure jobs that delete records when the period lapses, including the old CRM data and ex-employee records from before 2022? It clears the historical exposure so you can prove minimisation discipline which means the auditor stops asking why 2018 records still exist. | 0 / 1 |
| 8 | Grievance officer (Sec 8(9), 8(10)) | Is a grievance officer appointed, named, contactable through a published email, with a published SLA, with grievances logged, time-stamped, and closed inside the SLA, and a quarterly review by the COO or CISO? It opens the door for the principal so you can defend responsiveness which means an escalation lands as a closed ticket, not a notice. | 0 / 1 |
| 9 | Children’s data and SDF readiness (Sec 9 and Sec 10) | If you process children’s personal data, do you capture verifiable parental consent, suppress behavioural tracking and targeted advertising aimed at minors, and apply age-gating at the collection point? And if you are a Significant Data Fiduciary candidate, is a DPO based in India already appointed (in-house or outsourced)? It limits the high-risk surface so you are ready for the SDF overlay if the Central Government notifies your class, which means the heavier rulebook arrives at your audit as a status update, not a surprise. | 0 / 1 |
| 10 | Vendor and processor accountability (Sec 8(1), 8(2), 8(5), cross-obligation) | Have you signed a Data Processing Agreement with every third-party processor that touches personal data (cloud, payroll, CRM, ATS, helpdesk, analytics, marketing), with the DPA listing purpose, security obligations, sub-processor approval, breach-notification timeline, and audit rights? It pins accountability on the vendor so you can transfer some of the risk which means a vendor breach does not become solely your DPDP exposure. Note that the Act keeps the fiduciary responsible for processing done on its behalf; the DPA shifts cost and cooperation, not the obligation. | 0 / 1 |
Add the column. Your DPDP readiness check score is out of 10. The next section is the read-out.
Score interpretation: the four audit-risk bands
We have measured the distribution below across approx 31 mid-size Indian companies in the last seven months, mostly NBFCs, logistics SaaS, mid-market pharma, and B2B IT services. The bands map to real audit-committee and regulator outcomes from clients who went through a notice, a grievance escalation, or a PE due-diligence pass.
| Score band | What the number means | What happens if a notice arrives in this band |
|---|---|---|
| 0 to 3 | Critical. The privacy programme is paper-only or non-existent. Most Indian mid-size companies sit here today. | Penalty likely. Document discovery alone exposes more violations. Press risk if the breach was reported externally. Board notification mandatory. |
| 4 to 6 | High audit risk. Some obligations are met on paper but enforcement is inconsistent. Defensible only with a 90-day plan in hand. | Penalty possible. A documented remediation plan and cooperation can reduce the penalty the Board assesses; mitigation action is one of the factors the Act directs the Board to weigh. The grievance officer’s responsiveness becomes a tiebreaker. |
| 7 to 8 | Functional and defensible. This is the audit floor we recommend before any board memo goes out. | Penalty unlikely unless the notice flags Q5 (security safeguards) or Q6 (breach response). Cooperative posture matters. |
| 9 to 10 | Audit-ready. The privacy programme is real, enforced, documented, and rehearsed. SDF-grade. | Penalty almost zero. The Data Protection Board’s posture shifts to advisory. Reputational risk is the main residual exposure. |
The audit floor is 7. Below that, the board memo is a confession; at or above 7, it becomes a status update. The most common scoring pattern we see is “strong on Q1 and Q2 (notice, consent), weak on Q5 and Q6 (security, breach), missing on Q7 and Q8 (erasure, grievance).” Erasure is the single obligation Indian companies most consistently fail. Old data sitting in a CRM from 2018 with no documented retention period is the most common reason a company that looks strong on notice and consent still lands below 5 overall.
The three lowest-cost first moves by score band
If you scored below 7, do not chase all 10 questions at once. The three moves below are the ones that pull a DPDP readiness check score up the fastest, in our measured experience across the last 31 scoping calls. None of them require a Big-4 retainer first.
Move 1, worth approx 2 points: Build the personal data inventory. Map every column in every system that holds personal data: CRM, HRIS, payroll, ATS, ticketing, ERP, email-marketing, support chat, the shared Google Drive folder, the SharePoint, the legacy MS Access database the finance team still uses. Tag by purpose, lawful basis, retention period, onward recipients. Cost: approx 60 to 90 hours of senior IT and process-owner time. This single artefact unlocks Q1, Q3, Q4, and Q7 at once and turns “we are at 3” into “we are at 5” in approx 3 weeks. It is the single biggest-lift move on the test.
Move 2, worth approx 1 to 2 points: Write the breach-response runbook and run one tabletop. 72-hour clock to the Data Protection Board, 6-hour clock to CERT-In, named owner, pre-approved comms templates, board notification trigger. Run one tabletop with IT, legal, comms, and the COO or CEO in the room. Cost: approx 30 hours of CISO or IT-head plus legal time, plus 2 hours of executive time for the tabletop. This closes Q6 entirely and often unlocks Q5 as well, because the access-review discipline tends to fall out of the tabletop exercise. It is the cheapest single-point move on the test.
Move 3, worth approx 2 points: Sign DPAs with all third-party processors and publish a grievance officer. Pull the vendor list from procurement. Identify every processor of personal data: cloud, payroll, CRM, ATS, helpdesk, analytics, marketing automation, the email-newsletter platform. Send the standard DPA template, get each one separately signed, file in the contract repository. In parallel, publish a grievance officer name, email, and SLA on the website privacy page. Cost: approx 40 to 60 hours of legal plus procurement plus the time spent chasing vendor counter-signatures. This closes Q8 and Q10 together and is the cleanest pair of points to bank for the audit committee. We have run this exact 3-move sequence with approx 14 clients in the last year and every one moved from band 1 (0 to 3) to band 2 or 3 (4 to 8) inside 12 weeks.
A word on what we skip. We do not recommend the in-house DPO hire as a first move unless you are clearly SDF-likely. The Rs.18 to 30 lakh per year all-in cost lands before the data inventory is done, which means the new DPO spends the first six months building what should already exist. Outsourced DPO retainers run approx Rs.3.5 to 7 lakh per year and are the right answer for most mid-size companies for the first 18 months. The other thing we skip is the consent-flow rebuild. Engineering will quote approx 60 to 100 hours; until the personal data inventory and the lawful-basis map are done, the new consent flow gets rebuilt twice. Sequence matters more than enthusiasm.
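The inventory Move 1 builds and the retention-driven erasure Q7 asks for are the two artefacts a script can actually act on, so here is an added example of what that looks like in code. It is ours as editors, not Sirius Star’s scoring template and not anything from the page. It models a personal-data inventory as one row per field per system, flags fields with no documented purpose (Q3) or no retention period (Q7), and runs an erasure pass that removes only the records whose period has lapsed, while refusing to guess for fields the inventory never finished. Every system name, field, record and date is constructed.

```python
"""Retention-driven erasure over a personal-data inventory.

Added example: not the page's template and not Sirius Star code. Every system,
field, record and date below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the Move 1 inventory: one field in one system."""
    system: str                    # CRM, HRIS, payroll, ATS, shared drive ...
    field: str                     # column or attribute holding personal data
    purpose: Optional[str]         # documented purpose; None = nobody mapped it
    lawful_basis: Optional[str]    # consent, employment contract, legal duty ...
    retention_days: Optional[int]  # None = no documented retention period
    recipients: tuple[str, ...] = ()  # onward recipients / processors (Q1, Q10)


@dataclass(frozen=True)
class Record:
    """One stored value, keyed to the inventory row it belongs to."""
    system: str
    field: str
    principal_id: str
    purpose_completed_on: date  # date the documented purpose was served


# Constructed inventory. Two rows are deliberately incomplete: the support form
# collects PAN with no purpose mapped (Q3 gap), and the legacy CRM notes column
# has no retention period (Q7 gap), so nothing in it can be erased on schedule.
INVENTORY = [
    InventoryEntry("crm", "email", "customer_service", "consent", 3 * 365, ("helpdesk_saas",)),
    InventoryEntry("crm", "lead_notes", "sales_followup", "consent", None),
    InventoryEntry("support_form", "pan_number", None, None, None),
    InventoryEntry("hris", "bank_account", "payroll", "employment_contract", 8 * 365, ("payroll_vendor",)),
]

# Constructed records: a 2018 lead, a live 2024 customer, and a pre-2022 ex-employee.
RECORDS = [
    Record("crm", "email", "P-001", date(2018, 6, 1)),
    Record("crm", "email", "P-002", date(2024, 1, 15)),
    Record("crm", "lead_notes", "P-001", date(2018, 6, 1)),
    Record("hris", "bank_account", "E-07", date(2015, 3, 31)),
]

AS_OF = date(2026, 1, 1)  # constructed "today" for the run below


def unmapped_fields(inventory: list[InventoryEntry]) -> list[InventoryEntry]:
    """Q3: fields collected with no documented purpose (remove, or make optional)."""
    return [e for e in inventory if e.purpose is None]


def fields_without_retention(inventory: list[InventoryEntry]) -> list[InventoryEntry]:
    """Q7: fields with no retention period; the erasure job cannot act on them."""
    return [e for e in inventory if e.retention_days is None]


def due_for_erasure(records, inventory, today):
    """Split records into (expired, undecidable) as of `today`.

    A record is expired once purpose_completed_on + retention_days <= today.
    Records whose field has no inventory row or no retention period are
    'undecidable': the fix is to complete the inventory, not to guess a period.
    """
    by_key = {(e.system, e.field): e for e in inventory}
    expired, undecidable = [], []
    for r in records:
        entry = by_key.get((r.system, r.field))
        if entry is None or entry.retention_days is None:
            undecidable.append(r)
            continue
        if r.purpose_completed_on + timedelta(days=entry.retention_days) <= today:
            expired.append(r)
    return expired, undecidable


def erase(store: dict, expired: list[Record]) -> list[tuple[str, str, str]]:
    """Delete expired values from `store`, a (system, field, principal_id) -> value map.

    Returns the keys erased so the run can be logged with a timestamp; the audit
    question is not only 'did you delete it' but 'can you show when'.
    """
    erased = []
    for r in expired:
        key = (r.system, r.field, r.principal_id)
        if store.pop(key, None) is not None:
            erased.append(key)
    return erased


if __name__ == "__main__":
    for e in unmapped_fields(INVENTORY):
        print(f"Q3 gap: {e.system}.{e.field} has no documented purpose")
    for e in fields_without_retention(INVENTORY):
        print(f"Q7 gap: {e.system}.{e.field} has no retention period")
    expired, undecidable = due_for_erasure(RECORDS, INVENTORY, AS_OF)
    store = {(r.system, r.field, r.principal_id): "<value>" for r in RECORDS}
    for key in erase(store, expired):
        print(f"{AS_OF.isoformat()} erased {key}")
    for r in undecidable:
        print(f"cannot decide {r.system}.{r.field} for {r.principal_id}: fix the inventory first")
```

The design point is the `undecidable` bucket: an erasure job that silently skips fields without a retention period is exactly how 2018 CRM records survive to the audit. Surfacing them as a named list turns the Q7 gap into a Move 1 to-do, which is the sequencing the three moves above argue for.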
What to do after the score: board memo vs deeper scorecard
Three paths open up after the 10-question DPDP readiness check, depending on the score and the deadline.
If you scored 7 or above and the board memo is due in 4 to 6 weeks: paste the score and a 4-line read-out into slide 2 of the memo. Format: “The 10-question DPDP readiness check, scored jointly by IT and legal on [date], landed at [N]/10. The audit floor we set is 7. We are above the floor. The three open obligations are [list]. Closure plan and cost estimate are on slide 3.” That is it. The board does not need the 10-question test attached; the appendix slot is for the next layer.
If you scored below 7 and you have more than 6 weeks: run the 40-question deep scorecard next, mapped to the 9 obligations at full granularity. The 10-question test surfaces band; the 40-question scorecard surfaces the specific gaps inside each obligation, so the remediation plan can be built without guessing. We use the DPDP readiness scorecard at the 40-question level on every implementation engagement; the same scorecard is open on this site. Pair it with the DPDP Act penalty math for mid-size companies so the board memo carries both the readiness number and the financial exposure in one paragraph.
If you scored below 7 and the deadline is tighter than 6 weeks: time-box. Pick Move 1 (data inventory) only. Get that to 70% complete in 14 days. Re-score the 10-question check. The score will likely move from band 1 to band 2 on the strength of the inventory alone. Memo the audit committee with the band 2 number and the 90-day plan to land at band 3. The board accepts forward motion if the plan is specific and the next-quarter number is committed.
Across approx 23 implementations we have now run end-to-end at the Secure Data Guard practice, the median time-to-band-3 (score 7-plus) from a starting band of 1 (score 0 to 3) was approx 18 weeks. The cheapest implementations clocked Rs.4.8 to 7.5 lakh in vendor cost over the 18 weeks, against an exposure on the table that ran into Rs.250 crore at the DPDP cap. Theek hai, the math is one-sided.
Most companies treat DPDP readiness like an annual checklist. That is why approx 70% land below score 5 when they finally measure. The regulator does not check annually; the regulator checks when something has already gone wrong. The buyer who scores in June, fixes in July through September, and presents a band-3 number to the board in October is the one whose audit committee meeting closes the topic for 90 days. The one who waits for the notice does not get to choose the schedule.
That median first-call score of 3 out of 10 across our last 31 mid-size scoping conversations is worth sitting with. Not 5, not 6. Three. The Indian mid-market is structurally underprepared and the audit committees know it, which is why the question is moving forward in board calendars across BFSI, logistics, pharma, and SaaS. The Sunday-evening test was built so an IT head could close that gap before the regulator did.
Sirius Star’s take
We have run the 10-question DPDP readiness check on approx 31 scoping calls in the last seven months. Median score: 3 out of 10. Companies that ran the test, picked the three moves, and re-scored at the end of 12 weeks landed at a median of 6.5 out of 10, with the highest-discipline client moving from 2 to 9 inside one quarter. The single recurring insight from those calls: the IT head almost always knows the gaps but has never been given a defensible structure to surface them. The test is not the answer. The test is the conversation-opener with legal, the COO, and the board. The answer is the data inventory, the runbook, the DPA pile, and the grievance officer published on the privacy page. Boss, the cheapest, most-defensible privacy programme in the Indian mid-market is the one that started with a 15-minute self-test on a Sunday evening and got the IT head, legal, and the COO to agree on the same number by Monday.
Frequently asked questions
Q1. How long does the 10-question DPDP readiness check take? Approx 15 minutes if scored alone, approx 25 to 30 minutes if scored jointly with legal or the COO in the room. The joint score is more defensible at the board and is the one we recommend.
Q2. Is this 10-question DPDP readiness check enough for an audit committee? For a status update yes. For a remediation plan no. The 10-question test gives the band; the 40-question DPDP scorecard gives the obligation-by-obligation gap map needed to build the remediation plan and the cost estimate. Use the 10-question test as the headline, the 40-question scorecard as the appendix.
Q3. What is a “passing” DPDP readiness check score? We set the audit floor at 7 out of 10. Below 7 the board memo is a confession, at or above 7 it is a status update. SDF-grade is 9 to 10. Most Indian mid-size companies score 2 to 4 on first measurement, ours included on Day 1 of our compliance practice in 2024.
Q4. The IT head does not want to score with legal in the room. What now? Score alone, then re-score with legal. Solo scoring drifts optimistic by approx 1.5 to 2 points; the joint score is the one that goes to the board. The first Sunday-evening pass is for the IT head to know where to look; the joint pass is for the audit committee.
Q5. Does this 10-question DPDP readiness check apply to SDF-classified companies? Yes, but it is the floor, not the ceiling. SDF candidates need additional controls: in-house India-based DPO, DPIA on every new product feature processing personal data, annual independent audit, and the Sec 10 SDF-specific obligations once the Central Government notifies the class. The 10-question test gives the band; SDF-readiness adds the next layer.
Q6. When do the DPDP Rules drop and will my score still be valid? The DPDP Rules consultation closed in March 2025 and the final Rules were notified in late 2025; most companies are still in the implementation grace period that runs through May 2027 for the bulk of obligations. The 10-question DPDP readiness check is mapped to the Act, not the Rules, so the band-level posture stays valid once the Rules are fully in force. Specific timing on the Consent Manager (Sec 6(7)) and the SDF classifications (Sec 10) is a separate readiness layer we cover in the DPDP Act penalty math guide.
Get your DPDP readiness check scored by Sirius Star, free, 30 minutes
Book a free 30-minute DPDP readiness check scoping call. One call. The 10-question test, scored jointly with our Compliance Lead and your IT head and (ideally) your legal counsel. You walk away with: a defensible band-level score, a one-paragraph board memo paste, the top 3 first-move shortlist scoped to your fleet size and sector, and a no-obligation cost estimate if you want us to run the 90-day remediation. No 90-minute discovery call before the test, no Big-4 retainer before the read-out. If we do not surface at least 2 of the 10 obligations as 0-rated and unaddressed on the call, the next quarter of monitoring is on the house. WhatsApp +91 91375 93228 with the keyword READINESS for a faster slot, or use the contact form linked above.
P.S. The 10-question DPDP readiness check we run on every scoping call is a one-page laminated PDF you can pin above the IT head’s desk. Reply READINESS on WhatsApp +91 91375 93228 and we will send it. It includes the 10 questions in single-line form, the score-band cheat sheet, and the three-move first-action shortlist. Free, no email gate on the PDF itself.
About the author
Priya Sharma is the Compliance Lead at Sirius Star and runs the Secure Data Guard practice. She has scoped DPDP readiness at approx 31 Indian mid-size companies in the last seven months across NBFC, logistics SaaS, pharma, and B2B IT services. She works with IT heads, COOs, and audit committees who need a defensible privacy posture without a Big-4 retainer. Reach her via the DPDP readiness check scoping call or WhatsApp +91 91375 93228 with the keyword READINESS.