All articles
Checklist 14 min read 14 May 2026 Primitra

The Complete DPDP Act Compliance Checklist for Indian SMEs (2026 Edition)

A 32-point, six-pillar checklist mapped to every principal obligation under the Digital Personal Data Protection Act, 2023 — what to do, in what order, with realistic timelines and budgets for a 50–500 person Indian business.

India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") is no longer a distant regulatory concept — it is the operating law for every Indian business that processes personal data of natural persons in India. For SMEs, the practical question is rarely "does this apply?" It applies. The real question is: what do we actually do, in what order, and how much will it cost?

This checklist is our field-tested answer. It is organised around six pillars, mirrors the Data Fiduciary obligations in Sections 4 through 10, and reflects the operational reality of a 50–500 person Indian business.

Not legal advice. This is practical guidance drawn from client engagements. Confirm your specific position with counsel, especially on cross-border transfers and Significant Data Fiduciary status.

Pillar 1 — Governance and accountability

  1. Appoint an accountable owner. Even if you are not a Significant Data Fiduciary (SDF) required to appoint a Data Protection Officer under Section 10(2)(a), name a senior person — usually the COO, CTO, or General Counsel — who owns the program. Without a named owner, nothing else on this list happens.
  2. Board-level approval of a Privacy Policy. Not the website consent notice — the internal policy that describes how the company handles personal data end-to-end.
  3. Risk register. A single spreadsheet listing the top 10–15 data-related risks, each mapped to an owner and a mitigation.
  4. Annual training plan. DPDP Act awareness for every employee, plus role-specific training for engineering, HR, sales, and support.

Pillar 2 — Data mapping and lawful basis

  1. Personal data inventory. Every system that stores or processes personal data (CRMs, HRIS, product database, analytics, marketing tools, spreadsheets on shared drives). For each: purpose, categories of data subjects, categories of personal data, retention period, and downstream recipients.
  2. Lawful basis analysis. Under the DPDP Act, processing generally requires either consent (Section 6) or a defined "legitimate use" (Section 7 — employment, legal obligation, medical emergency, etc.). Document which one applies to each processing activity.
  3. Consent notice review. Consent must be free, specific, informed, unconditional, and unambiguous (Section 6(1)). It must be preceded or accompanied by a notice in plain language listing the personal data collected, the purpose, and the mechanism for withdrawal (Section 5).
  4. Age gating for children. If your product could be used by anyone under 18, you need verifiable parental consent (Section 9). This is one of the highest-risk areas for edtech and consumer apps.

We cover the full readiness process on our DPDP Act services page.

Pillar 3 — Consent and preference management

  1. Consent Manager integration path. Even if the Data Protection Board hasn't registered your organisation with a specific Consent Manager, design your architecture so a Consent Manager can be plugged in.
  2. Withdrawal mechanism. As easy to withdraw as to give (Section 6(4)). This is the single most-audited item.
  3. Preference centre. A user-facing screen that shows every purpose the user has consented to, with individual toggles.
  4. Consent audit log. Immutable log of every consent event — what was shown, what was accepted, when, and from which IP/device.

Pillar 4 — Data principal rights

  1. Rights request intake channel. A published email (privacy@yourdomain.in at minimum) and a form. Sections 11–13 grant rights to access, correction, erasure, and grievance redressal.
  2. Grievance officer. A named individual whose contact details are published on the website. You must respond to grievances within the timeline you publish; regulators expect no more than 30 days.
  3. Identity verification workflow. How you confirm the requestor is the actual data principal before disclosing or deleting.
  4. Response SLAs. Internal SLAs — usually 15 days for access and correction, 30 days for erasure — with escalation to the accountable owner if breached.

Pillar 5 — Vendor and processor governance

  1. Vendor register. Every third party that processes personal data on your behalf.
  2. Data Processing Addendum (DPA). Updated to reference the DPDP Act's Data Processor obligations under Section 8(2). GDPR-style DPAs need clause-by-clause review — they usually miss India-specific breach notification and Consent Manager provisions.
  3. Sub-processor approval workflow. Written approval before your vendor engages a new sub-processor.
  4. Vendor risk tiering. Not every vendor needs a full assessment. Tier vendors by data sensitivity and volume, and match diligence depth to tier. See our vendor risk assessment service.

Pillar 6 — Security, breach response, and cross-border

  1. Reasonable security safeguards. Section 8(5) requires "reasonable security safeguards" — read as, at minimum: encryption at rest and in transit, MFA, access reviews, logging, and patching.
  2. Access control matrix. Who has access to what personal data, and why.
  3. Breach response plan. Section 8(6) requires notification to the Board and to affected data principals. Your plan needs a decision tree: what is a "personal data breach", who declares it, and who drafts the notification.
  4. Tabletop exercise. Run one, at least annually. Half of the breach playbooks we review have never been tested.
  5. Cross-border data transfer register. Track every category of personal data transferred outside India. The Central Government may notify countries to which transfers are restricted (Section 16).
  6. Data retention schedule. Personal data must be erased when the purpose is no longer served and legal retention has expired (Section 8(7)).
  7. Deletion workflow. Technical implementation of the retention schedule — not just a policy PDF.
  8. Backup treatment. A defensible position on how deletion applies to backups (usually: exclude from restores, purge on cycle).
  9. DPIA process. Document a Data Protection Impact Assessment methodology, even if you are not yet required to run one. If you become an SDF, DPIAs are mandatory under Section 10(2)(c). See our DPIA services.
  10. Independent audit. SDFs must appoint an independent data auditor annually. Non-SDFs benefit from a lightweight yearly external review.
  11. Complaint escalation to the Board. Document your process for engaging with the Data Protection Board of India when a complaint escalates.
  12. Review cadence. This entire program should be reviewed twice a year, and after every material change to your product, vendors, or organisational structure.

Realistic timelines and budgets

For a 100–200 person SME with a mainstream tech stack:

  • Weeks 1–4: governance, owner appointment, data inventory kickoff.
  • Weeks 5–10: consent notice and preference centre, rights request workflow, breach plan.
  • Weeks 11–16: vendor register, DPA updates, security baseline, retention schedule.
  • Weeks 17–24: DPIA methodology, tabletop exercise, internal audit, board approval of the final policy suite.

Budget range for external support: ₹8–18 lakh for a first-year program. In-house effort: roughly 0.3–0.5 FTE across the year, concentrated in the first 90 days.

Where most SMEs actually get stuck

It is almost never the policies. It is (a) the consent architecture on the product side, (b) vendor DPAs, and (c) the retention/deletion workflow. If you tackle those three in the first quarter and treat the rest as background program work, you'll be materially compliant by end of Q2.

Ready to work through this in your business? Grab our free self-assessment checklist or book a 30-minute consultation and we'll walk you through your specific gaps.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation