What is a DPDPA compliance checklist?

A DPDPA compliance checklist is a structured self-audit covering the operational obligations of the Digital Personal Data Protection Act, 2023. AMLEGALS uses 12 questions covering consent architecture, multi-language privacy notices, data inventory, retention, Data Principal rights, breach notification, security safeguards, vendor contracts, children's data, cross-border transfers, Significant Data Fiduciary obligations, and audit-ready evidence packs.

What score on the DPDPA checklist is considered audit-ready?

A score of 10 to 12 reflects operational maturity and audit readiness. Scores of 7 to 9 indicate progress with informal gaps. Scores of 4 to 6 reflect theatre compliance — controls exist on paper but are not defensible. Scores of 0 to 3 represent critical exposure and require immediate remediation before 13 May 2027.

Is a DPDPA self-assessment legally sufficient?

A self-assessment is a starting point, not a defence. The DPDPA requires Data Fiduciaries to demonstrate compliance with operational evidence. A documented self-audit must be followed by independent verification, evidence collection, and remediation against identified gaps.

How often should DPDPA compliance be reviewed?

DPDPA compliance should be reviewed at least quarterly, with the data inventory refreshed every 90 days. Significant Data Fiduciaries are required to conduct periodic Data Protection Impact Assessments and submit to independent audit at intervals notified under the DPDP Rules 2025.

What is the deadline for DPDPA compliance?

The Digital Personal Data Protection Act was enacted on 11 August 2023. The DPDP Rules 2025 were notified on 13 November 2025. Phased implementation runs through to full compliance on 13 May 2027 — the date by which all operational provisions of the Act become fully binding on Data Fiduciaries in India.

What is the maximum penalty under DPDPA for non-compliance?

The maximum penalty under DPDPA is ₹250 Crore for failure to maintain reasonable security safeguards under Section 8(5). Other penalty tiers in the Schedule include ₹200 Crore for breach notification failures under Section 8(6), ₹200 Crore for children's data violations under Section 9, ₹150 Crore for Significant Data Fiduciary obligations under Section 10, and ₹50 Crore catch-all for any other breach.

Who is required to comply with the DPDPA?

Every entity that processes digital personal data of individuals in India is a Data Fiduciary under DPDPA and must comply with the Act. The DPDPA has extraterritorial reach — foreign entities offering goods or services to Indian Data Principals are also covered, regardless of where the processing occurs.

What are the most common DPDPA compliance gaps?

The most common DPDPA compliance gaps are English-only privacy notices that fail the 22 Indian language requirement under Rule 3, legitimate-interest defaults inherited from GDPR programs that do not exist as a lawful basis under DPDPA, retention policies documented in PDFs but not enforced in code, and the absence of an audit-ready evidence pack that can be shared with the Data Protection Board within 7 days of inquiry.

Does the DPDPA apply to small businesses and startups?

Yes — the DPDPA applies to every Data Fiduciary that processes digital personal data of individuals in India, regardless of business size. The Central Government may exempt certain classes of Data Fiduciaries from specific obligations under Section 17, but the core compliance obligations on consent, notice, security, breach notification, and Data Principal rights apply uniformly.

What is the difference between a Data Fiduciary and a Significant Data Fiduciary?

A Data Fiduciary is any entity that determines the purpose and means of processing personal data under the DPDPA. A Significant Data Fiduciary is a Data Fiduciary notified by the Central Government as such, based on volume of personal data, sensitivity, risk to Data Principals, sovereign considerations, or national security. SDFs face heavier obligations under Section 10 including appointment of an India-based DPO, periodic DPIAs, and independent audits.

Audit Yourself · Before The Regulator Does 12 Questions · Honest Answers Only

DPDPA compliance checklist. Twelve questions. One number.

This is not a marketing checklist. These are the twelve questions the Data Protection Board of India will ask you — in some form, in some order, on some Tuesday. Tick only what you can defend with evidence today. Watch the score change as you go. The number at the top is the same number your Board will see.

Your Live Readiness Score

Start ticking. Honest answers only.

Most companies score under 50% on first audit. The score is not the verdict — it is the starting point.

The 12 DPDPA Compliance Questions

Tap each row to tick

We have a defensible consent architecture with logged consent, granular purpose, and one click withdrawal

Consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes are not consent.
Section 6 · DPDPA
Privacy notices are available in English plus 22 Indian languages as required by the Eighth Schedule

Notice must be in plain language and accessible in any of the languages listed in the Eighth Schedule of the Constitution.
Rule 3 · DPDP Rules 2025
A data inventory and processing map exists, is current within 90 days, and ties data to lawful basis

If you cannot answer "what personal data is where, processed for what purpose, on which lawful basis" in five minutes, you do not have a map.
Section 8(7) · DPDPA
A retention and deletion policy is enforced in code — not just documented in a policy PDF

Personal data must be erased once the purpose is served and no legal retention obligation applies. Manual deletion does not scale.
Section 8(7) · Rule 8
A Data Principal rights portal handles access, correction, erasure, and grievance — within statutory timelines

Email-based grievance redressal does not survive scrutiny. Rights must be exercisable through a published, auditable channel.
Sections 11–14 · DPDPA
A breach notification playbook exists with named owners, communication templates, and a 24 hour Board notification path

The Rules abolish the materiality threshold. Every personal data breach is reportable to the Data Protection Board and to affected Data Principals.
Section 8(6) · Rule 7
Reasonable security safeguards are deployed — encryption, access logs, MFA, vendor controls, monitored continuously

Failure attracts the highest penalty tier — ₹250 Crore. Documentation is necessary but not sufficient. Operational evidence is the standard.
Section 8(5) · DPDPA
Every Data Processor and vendor is governed by a written DPDPA-compliant contract, with audit rights

Liability for processor failures sits with the Data Fiduciary. A vendor's breach is your breach unless your contract proves otherwise.
Section 8(2) · DPDPA
Children's data is handled with verifiable parental consent and zero behavioural targeting under 18

A checkbox is not verification. Government ID-linked verification or equivalent is the standard the Rules prescribe.
Section 9 · Rule 10
A clear cross border transfer position exists — including monitoring of the Central Government's negative list

DPDPA is permissive by default. The list of restricted destinations is dynamic. Continuous monitoring is part of the compliance posture.
Section 16 · Rule 14
If we are an SDF — India based DPO, periodic DPIA, and independent audit are in place

Significant Data Fiduciary obligations are heavier. The threshold is set by the Central Government — and broad in practice.
Section 10 · Rule 12
An evidence pack exists — minutes, logs, reviews, training records — that can be shared with the Board within 7 days

The Board's first request after a complaint is documentary. Operational evidence must be packaged before it is asked for.
Section 28 · Powers of Inquiry

Get in Touch What is my score?

Interpreting Your Readiness Score

Four bands. One honest verdict.

The score above is descriptive, not exhaustive. Every "yes" must be defensible with evidence. The score helps you locate yourself on the AMLEGALS readiness curve. Where you sit decides what gets shipped first — and how much budget the board needs to release this quarter.

0–3

Critical Exposure

Smoking Privacy™ — Stage Five

Foundational obligations are missing. The penalty exposure is real and immediate. Diagnostic in the next two weeks is not optional.

4–6

Significant Gaps

Theatre Compliance

Privacy policy exists. Notice exists. Consent button exists. None of it is defensible in audit. The "yes" answers are aspirational, not operational.

7–9

In Motion

The Working Quarter

Most controls are in place. A few load-bearing items are still informal. The 90 day sprint closes the gap before May 2027.

10–12

Audit Ready

Operational Maturity

The program is defensible. The next move is privacy as a market position — converting compliance into competitive advantage. The Privacy Dividend™ stage.

"A checklist tells you where you are. A diagnostic tells you what to ship. The board needs both — and the regulator only respects the second."
— AMLEGALS · TCL Framework Position

Do This Now

If your score is under 80%, the diagnostic is overdue.

A self-audit produces a number. The diagnostic produces a defensible position. The two are not the same. Most companies find the gap between what they ticked and what they can actually defend is wider than they expected. Closing that gap before 13 May 2027 is what the next 18 months are for.

Verified readiness score across all 12 dimensions, with evidence requirements per item.
Quantified penalty exposure from your score, mapped to the five Schedule tiers.
Prioritised remediation backlog. Highest exposure first. Fastest fixes called out.
90 day sprint plan. Owners, timelines, and the audit ready evidence pack at the close.

Get in Touch.

One conversation. Confidential. Bring the score from the top of this page. We will tell you which of the ticks are defensible and which are not.

Get in Touch

Or write directly to dataprivacy@amlegals.com and info@amlegals.com — quote the page name "DPDPA Compliance Checklist" and your readiness score so the team can pre read before the call.

DPDPA compliance checklist. Twelve questions. One number.

Your Live Readiness Score

The 12 DPDPA Compliance Questions

We have a defensible consent architecture with logged consent, granular purpose, and one click withdrawal

Privacy notices are available in English plus 22 Indian languages as required by the Eighth Schedule

A data inventory and processing map exists, is current within 90 days, and ties data to lawful basis

A retention and deletion policy is enforced in code — not just documented in a policy PDF

A Data Principal rights portal handles access, correction, erasure, and grievance — within statutory timelines

A breach notification playbook exists with named owners, communication templates, and a 24 hour Board notification path

Reasonable security safeguards are deployed — encryption, access logs, MFA, vendor controls, monitored continuously

Every Data Processor and vendor is governed by a written DPDPA-compliant contract, with audit rights

Children's data is handled with verifiable parental consent and zero behavioural targeting under 18

A clear cross border transfer position exists — including monitoring of the Central Government's negative list

If we are an SDF — India based DPO, periodic DPIA, and independent audit are in place

An evidence pack exists — minutes, logs, reviews, training records — that can be shared with the Board within 7 days