DPDP readiness scorecard: where does your company stand in 2026?

Last quarter we ran a DPDP readiness call with the COO of a 220-person Mumbai logistics SaaS. Her IT head opened with, “we have policies in place.” Thirty-five minutes later we had counted 14 obligations missing entirely and 7 more where the policy existed on paper but nobody followed it. The DPDP readiness score landed at 11 out of 40. That is not unusual. Across approx 23 mid-size scoping calls in the last six months, the median DPDP readiness score we measured sat at 14 out of 40. The audit floor we tell clients to clear before they sleep is 28. The scorecard below is the same one we run on those calls, condensed to a self-assessment a COO can finish in 30 minutes with the IT head and the legal counsel in the room.
On this page
- How to use this DPDP readiness scorecard
- The 40-question scorecard, mapped to the 9 obligations
- Score interpretation: the five audit-risk bands
- The 6 biggest-lift fixes by score band
- What a DPDP audit actually looks like below score 20
- 90-day, 180-day, and 365-day gap-close plans
- How to put the score on slide 2 of the board memo
- Frequently asked questions
This post hands you the 40-question scorecard, the score bands, the gap-close plan by band, the board-memo template, and a free 30-minute scoring call if you would rather have a third party do the read-out. Boss, the most useful thing the scorecard does is end the argument between IT and legal about who owns what.
How to use this DPDP readiness scorecard
Three rules before you start. Skipping any one of them is what turns a defensible baseline into a feel-good number nobody trusts.
Rule 1: Score honestly. Mark 1 only if the obligation is met and enforced. A privacy notice that exists but nobody updates is a 0. A consent withdrawal flow that the engineering team built but the support team forgets to honour is a 0. The whole point of a DPDP readiness baseline is to surface the gap between policy and practice, not to make the COO feel better. DPDP readiness is measured in enforcement, not in PDFs filed.
Rule 2: Two people in the room. IT head plus legal counsel, ideally. If legal is external, the in-house Compliance Lead or COO sits in for legal. Single-person DPDP readiness scoring drifts optimistic by approx 8 to 12 points on average; we have measured this on repeat scoping calls.
Rule 3: Document the 0s, not the 1s. Every 0 needs one line of note: what is missing, what would close it, rough effort estimate. Those notes become the gap-close plan in the next section. The 1s do not need documentation today; you will revisit them at the next quarterly review.
The 40-question DPDP readiness scorecard
The scorecard is organised by the 9 obligations of the DPDP Act, sections 4 to 11. Score each question 0 (not met or not enforced) or 1 (met and enforced). Total possible: 40.
| # | Obligation (DPDP Act section) | Question | Score |
|---|---|---|---|
| 1 | 1. Lawful basis and notice (Sec 4-5) | Every collection point (signup, vendor onboarding, candidate form, support chat) has a written notice in English or a scheduled Indian language | 0/1 |
| 2 | | The notice itemises what data, why, retention period, and onward recipients (not a buried “you agree” footer) | 0/1 |
| 3 | | Each data category in the inventory has a documented lawful basis (consent, contract, legal obligation, vital interest, public interest, or legitimate interest) | 0/1 |
| 4 | | Notice is updated within 60 days of any new data field, new purpose, or new processor added | 0/1 |
| 5 | | Notice is published at the URL the data principal lands on, not three clicks deep in the footer | 0/1 |
| 6 | 2. Consent and withdrawal (Sec 6-7) | Consent is captured through a clear affirmative action (checkbox, button click, signed form), never pre-ticked | 0/1 |
| 7 | | Consent is granular: separate consents for separate purposes (marketing, analytics, third-party sharing) | 0/1 |
| 8 | | A working consent-withdrawal flow exists, as easy to use as the original signup | 0/1 |
| 9 | | Withdrawal triggers an actual data action: erasure, anonymisation, or processing-halt, logged and time-stamped | 0/1 |
| 10 | | Consent and withdrawal records are stored with an audit trail for at least 6 years | 0/1 |
| 11 | 3. Purpose limitation and minimisation (Sec 5(1)(b), 5(1)(c)) | Each field on every collection form is mapped to one or more documented purposes | 0/1 |
| 12 | | Fields not tied to a documented purpose are removed or marked optional with separate consent | 0/1 |
| 13 | | Aadhaar, PAN, and KYC documents are collected only where another law mandates it (KYC norms, GST, EPF) | 0/1 |
| 14 | | Marketing analytics, behavioural tracking, and third-party tags have separate consent, not bundled with primary consent | 0/1 |
| 15 | 4. Accuracy (Sec 8(3)) | Data principals can view and correct their personal data through a self-service flow | 0/1 |
| 16 | | Correction requests are honoured within 30 days, logged, and reflected across all downstream systems | 0/1 |
| 17 | | Periodic data-quality checks run at least quarterly on the master records (CRM, HRIS, customer DB) | 0/1 |
| 18 | 5. Reasonable security safeguards (Sec 8(5)) | Encryption at rest on every system holding personal data (CRM, HRIS, payroll, ATS, backups, shared drives) | 0/1 |
| 19 | | Encryption in transit on every external connection (TLS 1.2 or higher, no plain HTTP, no FTP for personal data) | 0/1 |
| 20 | | Role-based access control with documented join-mover-leaver workflows for every personal data system | 0/1 |
| 21 | | Quarterly access review: every privileged account on every personal data system reviewed and re-justified | 0/1 |
| 22 | | Audit logs retained for at least 12 months, tamper-evident, accessible to the DPO or grievance officer | 0/1 |
| 23 | | Endpoint controls (DLP, USB block, screen lock) enforced on every laptop holding personal data, including tier-2 city offices | 0/1 |
| 24 | | Vendor processor agreements (DPA) signed before personal data is shared with any third party | 0/1 |
| 25 | | Annual penetration test or vulnerability assessment on every internet-facing personal data system | 0/1 |
| 26 | 6. Breach reporting (Sec 8(6)) | Documented breach-response runbook with named owner and a 72-hour notification clock | 0/1 |
| 27 | | Notification template for the Data Protection Board and a separate template for affected data principals, both pre-approved by legal | 0/1 |
| 28 | | Breach-response tabletop exercise run at least annually with IT, legal, comms, and the CEO or COO in the room | 0/1 |
| 29 | | CERT-In incident reporting integration documented (CERT-In’s 6-hour direction is separate from DPDP’s 72-hour clock; both apply) | 0/1 |
| 30 | 7. Erasure on purpose completion (Sec 8(7)) | Each data category has a documented retention period mapped to lawful basis | 0/1 |
| 31 | | Automated or scheduled erasure jobs delete records when the retention period lapses | 0/1 |
| 32 | | Ex-employee personal data is purged within the retention window after exit (typically 7 years for payroll, then erased) | 0/1 |
| 33 | | Old CRM, ATS, and support records older than the documented retention period have been swept and erased | 0/1 |
| 34 | 8. DPO or grievance officer (Sec 8(9), 10) | A grievance officer is appointed, named, and contactable via a published email and a published SLA | 0/1 |
| 35 | | If you are a Significant Data Fiduciary or expect to be classified, a DPO based in India is appointed (in-house or outsourced) | 0/1 |
| 36 | | Grievances are logged, time-stamped, and closed within the published SLA, with a quarterly review by the COO or CISO | 0/1 |
| 37 | | The DPO or grievance officer has documented escalation paths to the board’s audit committee | 0/1 |
| 38 | 9. Children’s data (Sec 9) | If you process children’s personal data, verifiable parental consent is captured before processing | 0/1 |
| 39 | | No tracking, behavioural monitoring, or targeted advertising aimed at children, in any product surface | 0/1 |
| 40 | | Age-gating logic is in place at the signup or collection point to identify minors | 0/1 |
Add the column. Your total DPDP readiness score is out of 40. The next section is the read-out.
Score interpretation: the five audit-risk bands
We have measured this distribution across approx 23 mid-size Indian companies. The bands below are not aspirational; they map to real audit outcomes from clients who went through a notice, an audit-committee challenge, or a PE-due-diligence pass.
| Score band | Audit risk posture | What happens if a notice arrives in this band |
|---|---|---|
| 0 to 12 | Critical. Not recoverable in less than 90 days. | Penalty likely. Document discovery alone exposes more violations. Press risk if the breach was reported externally. |
| 13 to 20 | High audit risk. Defensible only with a written 90-day plan in hand. | Penalty possible. A documented remediation plan plus cooperation may reduce the cap. Board notification likely. |
| 21 to 28 | Functional but unaudited. Most Indian mid-size companies sit here. | Penalty unlikely unless the notice flags one of questions 18 to 25 (security safeguards). Cooperative posture matters. |
| 29 to 34 | Audit-ready. The privacy programme is real, enforced, and documented. | Penalty unlikely. The Data Protection Board’s posture shifts to advisory. Reputational risk is the main exposure. |
| 35 to 40 | SDF-grade. You could pass a Significant Data Fiduciary audit today. | Penalty almost zero. The board, the regulator, and the PE-nominee director can sleep. |
The audit floor we tell clients to clear is 28. Below that, the board memo is a confession; at or above 28, it becomes a status update. The most common scoring pattern we see is “strong on obligations 1, 2, and 5 (notice, consent, security) and zero on 4, 7, and 9 (accuracy, erasure, children’s data).” Erasure is the obligation Indian companies most consistently fail. Old data lying around in CRMs and HRIS systems from 2018 is the single most common reason an otherwise functional company drops below 20.
The 6 biggest-lift fixes by score band
If you scored below 28, do not chase all 40 questions at once. The six fixes below are the ones that pull the DPDP readiness score up the fastest, in our measured experience across the last 23 scoping calls. None of them requires a Big-4 retainer.
Fix 1, worth approx 4 points: Build the personal data inventory. Map every column in every system that holds personal data. CRM, HRIS, payroll, ticketing, ATS, ERP, email-marketing, support chat, the shared Google Drive folder. Tag by purpose, lawful basis, retention period, onward recipients. Cost: 60 to 90 hours of senior IT + process-owner time. This single artefact unlocks 4 to 6 questions in obligations 1, 3, 4, and 7 at once.
Fix 2, worth approx 3 points: Rewrite the privacy notice. Itemise the data, the purpose, the recipients, the retention period. Plain language. In English or a scheduled Indian language. Publish at the URL the data principal lands on, not buried in the footer. Cost: approx 20 hours of legal + product time.
Fix 3, worth approx 3 points: Build the consent withdrawal flow. As easy to use as signup. A single button or single email, not a five-step ticket queue. Cost: 40 to 80 hours of product engineering.
Fix 4, worth approx 4 points: Endpoint controls on the device fleet. Encryption, USB block, screen lock, role-based access. This is the obligation that the regulator will check first if a breach gets reported. Most companies have endpoint controls partially deployed; closing the laptop fleet gap (especially in tier-2 city offices) pulls 3 to 5 points. The control discipline lives or dies on the endpoint, which is why DPDP and device-lifecycle work map so tightly to each other in any 100-plus device fleet.
Fix 5, worth approx 3 points: Write the breach-response runbook. 72-hour clock to the Data Protection Board, 6-hour clock to CERT-In if the incident is a cyber security incident, named owner, comms template, board notification trigger. Run a tabletop exercise once. Cost: 30 hours of CISO + legal + comms time.
Fix 6, worth approx 4 points: Appoint a grievance officer or outsourced DPO. Publish the email, publish the SLA, log every grievance, respond inside the SLA. If you are SDF-likely, the DPO must be based in India. Outsourced DPO retainers run approx Rs.3.5 to 7 lakh per year; in-house DPO lands approx Rs.18 to 30 lakh per year all-in.
Those six fixes, done in order, take a typical mid-size company from a 14 to 18 baseline to a 28 to 32 in approx 90 to 120 days. That is the gap-close most CFOs will sign off on once they see the math.
What a DPDP audit actually looks like below score 20
We have walked three clients through actual audit-committee challenges in the last 12 months, all with starting scores between 9 and 17. The pattern is consistent. First, the audit committee chair asks for the personal data inventory. Nobody has it. Second, the committee asks for the consent withdrawal log for the last quarter. Nobody has it. Third, the committee asks who is the named owner of the breach-response runbook. Silence. By the end of question three, the committee is no longer asking compliance questions. They are asking governance questions. Which is when the COO loses control of the conversation.
If your DPDP readiness score is below 20 today, the priority is not to fix every gap. The priority is to walk into the next audit committee meeting with the DPDP readiness scorecard already filled, the gaps already documented, the 90-day plan already drafted, and the owner of each gap already named. That posture alone shifts the committee from prosecution mode to oversight mode. Honestly, we have seen this work three times in three engagements. The board does not need you to be at 40 by Friday. The board needs you to know exactly where you are, and have a credible plan to get to 28 inside two quarters.
90-day, 180-day, and 365-day gap-close plans
The plans below assume a starting score between 12 and 20. Companies above 20 can compress the timelines; companies below 12 may need 180 days minimum for the first jump.
90 days: 12 to 22 (10-point lift). Fixes 1, 2, and 6 from above. Personal data inventory complete. Privacy notice rewritten and published. Grievance officer or outsourced DPO appointed. This is the minimum credible posture for the next board meeting.
180 days: 22 to 30 (8-point lift). Add Fixes 3, 4, and 5. Consent withdrawal flow built. Endpoint controls deployed across the laptop fleet, including tier-2 city offices. Breach-response runbook written and tabletop exercise run once. Now you are audit-ready.
365 days: 30 to 35 (5-point lift). Annual access review cycle live. Pen-test cycle live. Quarterly grievance review at the COO desk. DPIA template applied to every new product feature. SDF-grade controls for children’s data if applicable. At 35-plus you can absorb a regulatory inspection without an emergency war room.
How to put the score on slide 2 of the board memo
We give every client the same one-slide template. Slide 2 of the quarterly board memo. Three blocks.
Block 1 (top of slide): “We have measured our DPDP readiness at [SCORE] out of 40 as of [DATE].” Single sentence. No qualifier. The number does the work.
Block 2 (middle of slide): “We are below / within / above the audit floor of 28.” State the band. Critical, high risk, functional, audit-ready, or SDF-grade.
Block 3 (bottom of slide): “Our 90-day plan to move from [SCORE] to [TARGET] is owned by [NAME], with an estimated cost of Rs.[X] lakh.” The named owner is what the PE-nominee director is actually looking for. The cost number is what the CFO is looking for. Both on the same slide.
That is the entire memo. One slide, three blocks, one number, one named owner, one cost line. We have built this template across BFSI, edtech, SaaS, and logistics clients; the format does not change because the audit committees do not change.
For the full operational depth on each of the 9 obligations, including DPIA templates, the breach-response runbook, and the consent withdrawal UX patterns, work from our Secure Data Guard practice page. If you are still figuring out whether the 10-thing minimum checklist is even in place, start with the DPDP compliance checklist for May 2027. And if the board is asking about penalty exposure in rupee terms, the worked example for mid-size firms sits in our DPDP penalty math for mid-size companies post, which is the closest thing the Indian market has to a board-ready exposure number.
By the way, Arjun and I had a 25-minute disagreement at last Monday’s team review on whether the endpoint-controls question (number 23 on the scorecard) belongs under obligation 5 or under a separate DLM obligation outside DPDP. Arjun’s case is that device-lifecycle work is operational, not regulatory. My case is that under DPDP Sec 8(5), “reasonable security safeguards” explicitly includes the endpoint where personal data lives. We landed on: the question stays in obligation 5 of the scorecard, but the fix lives in the DLM contract. That hand-off is where most policy-not-enforced gaps occur in real life.
For the authoritative legal text and Rules-watch updates, the PRS India DPDP Act page is the source we cross-check against on every scoping call. PRS tracks the consultation drafts and gazette notifications faster than most consulting firms publish their summaries.
Priya’s take
I have run approx 40 DPDP readiness scoping calls in the last 18 months. The single common thread is this. Companies that score below 14 are not behind because they are bad at compliance. They are behind because nobody owned the work, and DPDP is the first regulation in India that punishes that specific lazy assumption. The COO assumed the IT head was on it. The IT head assumed legal was on it. Legal assumed the COO would tell them when it was time. None of them were wrong individually. The team was wrong collectively. The scorecard above breaks that loop because once you have a number, you have an owner, and once you have an owner, you have a plan. Theek hai, that is the real lift.
One thing I would add for the COOs reading this: do not wait until you can score a 32 before the board memo. Score yourself at the actual baseline, even if it is a 9. Boards in 2026 reward the honesty of a low number with a credible plan more than they reward a 32 that turns out to have been measured optimistically. I have watched two PE-nominee directors close out the DPDP exposure topic at the audit committee on a 14 score with a 90-day plan; I have seen one keep it open on a 28 score that the IT head had inflated. The number is not the test. The discipline behind the number is.
Get your DPDP readiness scored by our team
If you would rather have a third party run the 40-question scorecard with you, book a free 30-minute DPDP readiness check with the Sirius Star compliance desk. We will score the company on the call, identify the two or three biggest-lift gaps in your DPDP readiness posture, and hand you a 90-day plan you can put in front of your CFO and the audit committee by next quarter. No invoice unless we sign a retainer. Worst case, you walk away with the scorecard filled and the gap notes documented.
Book your free DPDP readiness check or WhatsApp +91 91375 93228 with the message “SCORECARD” and we will respond within one business day.
P.S. The 40-question DPDP readiness scorecard as a one-page PDF, plus the personal data inventory template (Excel), the board-memo slide 2 template (PPT), and the breach-response runbook outline (Word) sit in our compliance toolkit. Reply SCORECARD on WhatsApp (+91 91375 93228) and we will send the kit. Approx Rs.8,000 of compliance consulting time, free, no email gate.
Frequently asked questions
How accurate is a self-scored DPDP readiness scorecard versus a Big-4 audit? A self-scored result with IT head + legal counsel in the room lands within approx 2 points of a Big-4 readiness audit on average. The gap is usually optimism on obligations 4 and 7 (accuracy and erasure) where day-to-day enforcement is hard to measure from a desk. The scorecard gets you to a defensible baseline at zero cost; a Big-4 audit costs approx Rs.6 to 14 lakh and adds about 18 months of vendor-lock-in. For most 100 to 500 person Indian companies, the self-scored version is enough for the first board memo.
What if the DPDP Rules change after I score myself today? The 9 obligations under sections 4 to 11 of the DPDP Act are unlikely to change because they are in the parent legislation. What the Rules will sharpen is the quantum of reasonable security safeguards (likely to specify encryption standards, audit log retention, breach notification timeline) and the threshold for Significant Data Fiduciary classification. Your scorecard score will move by approx 2 to 4 points either way once the Rules finalise. The order-of-magnitude band you sit in today (critical / high risk / functional / audit-ready / SDF-grade) will not change.
Can I run the scorecard for a single business unit instead of the whole company? Yes, and we recommend it for groups with diverse data exposure. A logistics SaaS with a separate fintech subsidiary should score each unit separately because the personal data footprint, the lawful basis stack, and the SDF classification are different. Roll the scores up to a parent-company readiness number for the board memo, but keep the unit scores for the operational gap-close plans.
Is a score of 28 actually enough to avoid a penalty? A score of 28 means you have met the baseline the Data Protection Board is likely to expect from a mid-size data fiduciary on enforcement day. It is not a guarantee. The two failure modes at 28 are: a security breach that exposes one of the unaddressed 12 questions, and a single egregious violation in obligation 5 or 8 (security safeguards or DPO). The path from 28 to 34 closes both. We tell clients 28 is the floor; 32 is the target; 35-plus is for companies that expect SDF designation.
Who in the company should own the scorecard? The COO if there is no CISO. The CISO if there is one. The CIO can own it if there is no CISO and the COO is overloaded. Never the legal team alone, because half the scorecard questions are operational. Never the IT team alone, because the other half are legal interpretation. The named owner appears on slide 2 of the board memo; that is what the audit committee tracks quarter to quarter.
About the author
Priya Sharma leads Sirius Star’s compliance practice for DPDP and adjacent data-protection regulation in India. She has run approx 40 readiness scoping calls in the last 18 months across BFSI, edtech, healthcare, SaaS, and logistics, and co-built the firm’s 40-question DPDP readiness scorecard with the in-house IT-GRC team. Her background is in audit-committee reporting for mid-cap companies, and her writing focuses on the space between the legal text and the operating-day reality. She is certified CIPM and CIPP/E.