Digital Personal Data Protection Act 2023: Compliance Checklist for Indian Companies
Last updated: 20 March 2026
The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes India’s first comprehensive data protection framework. Indian companies must comply with obligations covering lawful consent management, purpose limitation, data minimisation, data fiduciary duties, rights of data principals, and cross-border data transfer restrictions. Non-compliance attracts penalties up to ₹250 crore per instance. The DPDP Rules, 2025 provide the operational framework. This article is a comprehensive compliance checklist and regulatory tracker for Indian companies, particularly in the SaaS, IT, and technology sectors.
1. Why This DPDP Act Compliance Tracker Matters
At Virtual Auditor, our company secretarial and compliance practice helps Indian companies navigate the evolving regulatory landscape. The DPDP Act represents a paradigm shift in how Indian businesses handle personal data. With penalties of up to ₹250 crore, non-compliance is not merely a regulatory risk — it is an existential business risk.
This article serves as a comprehensive compliance checklist and regulatory tracker. We cover the Act’s provisions, the DPDP Rules 2025, the Data Protection Board’s role, and practical compliance steps for Indian companies. We update this tracker as new rules, notifications, and guidance are issued.
1.1 Who Must Comply?
The DPDP Act applies to:
- Data Fiduciaries: Any person (individual, company, firm, government body) that determines the purpose and means of processing digital personal data. This includes virtually every business that collects customer, employee, or vendor data.
- Data Processors: Entities that process data on behalf of data fiduciaries (e.g., cloud service providers, payroll processors, CRM vendors).
- Significant Data Fiduciaries (SDFs): A subset of data fiduciaries notified by the Central Government based on the volume and sensitivity of data processed, risk to data principals, and potential impact on national security. SDFs face enhanced obligations.
1.2 Tracker Organisation
- Consent Management — Lawful bases for processing, consent requirements, and notice obligations.
- Data Fiduciary Obligations — Core duties, data quality, retention, and security.
- Significant Data Fiduciary Obligations — Enhanced requirements for large data processors.
- Data Principal Rights — Access, correction, erasure, and grievance redressal.
- Cross-Border Data Transfer — Restrictions and permitted jurisdictions.
- Data Protection Board — Structure, powers, and penalty framework.
- Impact on SaaS/IT Companies — Sector-specific compliance considerations.
2. Consent Management — The Foundation of DPDP Compliance
2.1 Lawful Bases for Processing
The DPDP Act recognises two primary lawful bases for processing digital personal data:
- Consent (Section 6): The data principal gives free, specific, informed, unconditional, and unambiguous consent for processing their data for a specified purpose. Consent must be obtained through a clear and accessible notice.
- Certain Legitimate Uses (Section 7): Processing is permitted without consent in specific situations:
- Where the data principal voluntarily provides data and does not indicate unwillingness to consent.
- For compliance with a legal obligation (e.g., tax filings, regulatory reporting).
- For performance of any function under law or in the interest of sovereignty, integrity, and security of India.
- For medical emergencies involving a threat to life or health.
- For employment purposes (processing of employee data by employers for onboarding, payroll, and similar functions).
- Note: mergers, amalgamations and other court- or tribunal-approved corporate restructuring, and ascertaining a loan defaulter's financial position, are exemptions under Section 17 rather than Section 7 legitimate uses; map them separately in your lawful-basis register.
2.2 Consent Notice Requirements
Before or at the time of seeking consent, the data fiduciary must provide a notice to the data principal that includes:
- An itemised description of the personal data being collected and the purpose of processing.
- The manner in which the data principal can exercise their rights (access, correction, erasure, grievance redressal).
- The mechanism to make a complaint to the Data Protection Board.
The notice must be in clear, plain language. For digital platforms, the notice must be presented in a user-friendly format, accessible within three clicks or equivalent interactions.
2.3 Consent Manager Framework
The DPDP Act defines the Consent Manager, a registered entity that acts as an intermediary between data principals and data fiduciaries to manage consent, and the DPDP Rules, 2025 set out its registration and operating conditions. Key requirements:
- Consent Managers must be registered with the Data Protection Board.
- They must maintain an interoperable, technology-agnostic platform for consent management.
- Minimum net worth of ₹2 crore for registration.
- Consent Managers must maintain auditable logs of all consent transactions.
- Data fiduciaries may (but are not required to) use Consent Managers to obtain and manage consent.
2.4 Withdrawal of Consent
Data principals have the right to withdraw consent at any time. The withdrawal must be as easy as giving consent. Upon withdrawal:
- The data fiduciary must cease processing the data for the consented purpose.
- Data must be erased unless retention is required under law or for a legitimate use.
- The withdrawal does not affect the lawfulness of processing done prior to withdrawal.
3. Data Fiduciary Obligations — Core Compliance Requirements
3.1 Purpose Limitation & Data Minimisation
Data fiduciaries must adhere to two fundamental principles:
- Purpose Limitation (Sections 4 and 6): Personal data may be processed only for the specified purpose for which consent was obtained, or for which a Section 7 legitimate use exists, and consent is limited to the data necessary for that purpose. A new purpose needs fresh consent or its own legitimate use.
- Data Minimisation: Only the minimum data necessary for the stated purpose should be collected. Over-collection is a compliance violation.
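The auditable consent log of 2.3, the withdrawal rules of 2.4 and the purpose-limitation check above can be demonstrated together. The following is an added example written for this article, not code from any Consent Manager, the DPDP Rules or a vendor product; the field names, the in-memory store and the constructed sample principal are assumptions. It keeps consent as an append-only, hash-chained log (withdrawal is a new entry, never an edit), answers "may we process this principal's data for this purpose at this time" from that log, and shows that editing a stored entry is detectable.

```python
"""Append-only, hash-chained consent ledger with a purpose-limitation check.

Added illustration; not from any DPDP Rules text or Consent Manager. All
identifiers below (dp-1001, notice-v3, purposes) are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # the specified purpose from the itemised notice
    action: str           # "grant" or "withdraw"
    notice_version: str   # which notice the principal saw (empty for withdrawals)
    at: datetime
    prev_hash: str        # digest of the previous entry; chains the log
    digest: str


def _digest(principal_id, purpose, action, notice_version, at, prev_hash) -> str:
    canonical = json.dumps(
        [principal_id, purpose, action, notice_version, at.isoformat(), prev_hash]
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Entries are never edited or deleted; withdrawal is a new entry."""

    def __init__(self) -> None:
        self._events = []

    def _append(self, principal_id, purpose, action, notice_version, at):
        prev = self._events[-1].digest if self._events else GENESIS
        d = _digest(principal_id, purpose, action, notice_version, at, prev)
        ev = ConsentEvent(principal_id, purpose, action, notice_version, at, prev, d)
        self._events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_version, at):
        return self._append(principal_id, purpose, "grant", notice_version, at)

    def withdraw(self, principal_id, purpose, at):
        # Same call shape as grant: withdrawing is no harder than giving consent.
        return self._append(principal_id, purpose, "withdraw", "", at)

    def may_process(self, principal_id, purpose, at) -> bool:
        """Purpose limitation: the latest event for (principal, purpose) recorded at
        or before `at` must be a grant. Passing a past `at` shows that processing
        done before a withdrawal was lawful at the time."""
        state = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                state = ev.action
        return state == "grant"

    def verify_chain(self) -> bool:
        """Recompute every digest; an edited or reordered entry breaks the chain."""
        prev = GENESIS
        for ev in self._events:
            expected = _digest(ev.principal_id, ev.purpose, ev.action,
                               ev.notice_version, ev.at, prev)
            if ev.prev_hash != prev or ev.digest != expected:
                return False
            prev = ev.digest
        return True

    def tamper_for_demo(self, index, **changes):
        # Demonstration only: simulates someone editing a stored entry in place.
        self._events[index] = replace(self._events[index], **changes)


def demo() -> dict:
    """Constructed sample: one grant, then a withdrawal ten days later."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("dp-1001", "order_fulfilment", "notice-v3", t0)
    ledger.withdraw("dp-1001", "order_fulfilment", t0 + timedelta(days=10))
    out = {
        "before_withdrawal": ledger.may_process("dp-1001", "order_fulfilment", t0 + timedelta(days=1)),
        "after_withdrawal": ledger.may_process("dp-1001", "order_fulfilment", t0 + timedelta(days=11)),
        "unconsented_purpose": ledger.may_process("dp-1001", "marketing", t0 + timedelta(days=1)),
        "chain_intact": ledger.verify_chain(),
    }
    ledger.tamper_for_demo(1, action="grant")  # quietly turn the withdrawal into a grant
    out["chain_after_tamper"] = ledger.verify_chain()
    return out


if __name__ == "__main__":
    print(demo())
```

The purpose check is deliberately keyed on the exact purpose string from the notice, so a grant for order fulfilment never authorises marketing. In production the chain head would be persisted and signed (or anchored in a write-once store) so that an insider cannot simply recompute every digest after an edit; the hash chain alone only detects edits, it does not prevent them.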
3.2 Data Quality & Accuracy
The data fiduciary must take reasonable steps to ensure that personal data processed is accurate, complete, and not misleading. This is particularly important for:
- Financial data used for credit decisions.
- Employee records used for payroll and benefits.
- Customer data used for service delivery.
3.3 Data Retention & Erasure
Personal data must not be retained beyond the period necessary for the stated purpose. Once the purpose is fulfilled and retention is no longer necessary (and no legal obligation requires continued storage), the data must be erased. The DPDP Rules, 2025 require data fiduciaries to:
- Establish and publish a data retention schedule.
- Implement automated erasure mechanisms for data that has exceeded its retention period.
- Maintain records of erasure activities for audit purposes.
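The three bullets above describe one job: a scheduled sweep that applies the published retention schedule, skips records under a hold, and writes a register entry for every decision. The example below is added for this article and is not taken from the DPDP Rules or any product; the categories, periods, the "required by law" flags and the sample records are constructed. It also covers the erasure request of 8.5 and the consent-withdrawal case of 2.4 (erase even inside the retention period, except where law or a hold requires retention), and it refuses to process a category that has no scheduled period rather than silently defaulting.

```python
"""Retention schedule sweep with legal-hold precedence and an erasure register.

Added illustration; not from the DPDP Rules or any retention product. The
schedule and records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed schedule: category -> (days to keep after the purpose is fulfilled,
# whether a legal obligation requires keeping the record for that period).
RETENTION_SCHEDULE = {
    "support_ticket": (180, False),
    "marketing_lead": (90, False),
    "invoice": (8 * 365, True),   # assumption: statutory accounts retention
}


@dataclass
class Record:
    record_id: str
    principal_id: str
    category: str
    purpose_fulfilled_at: datetime
    legal_hold: bool = False   # litigation hold or regulator request on this record
    erased: bool = False


@dataclass(frozen=True)
class RegisterEntry:
    record_id: str
    category: str
    decided_at: datetime
    outcome: str    # "erased" | "retained_legal_hold" | "retained_legal_obligation"
    reason: str


def retention_deadline(rec: Record) -> datetime:
    try:
        days, _ = RETENTION_SCHEDULE[rec.category]
    except KeyError:
        # A category with no scheduled period is itself a finding; never default silently.
        raise ValueError(f"no retention period scheduled for category {rec.category!r}")
    return rec.purpose_fulfilled_at + timedelta(days=days)


def _retain(rec, now, register, outcome, reason):
    register.append(RegisterEntry(rec.record_id, rec.category, now, outcome, reason))


def _erase(rec, now, register, reason):
    rec.erased = True   # in a real store: delete the row and queue the backup purge
    register.append(RegisterEntry(rec.record_id, rec.category, now, "erased", reason))


def sweep(records, now, register) -> list:
    """Scheduled job: erase everything past its deadline unless a hold applies."""
    erased = []
    for rec in records:
        if rec.erased or now < retention_deadline(rec):
            continue   # still inside its period: nothing to do, nothing to log
        if rec.legal_hold:
            _retain(rec, now, register, "retained_legal_hold", "legal hold set on record")
            continue
        _erase(rec, now, register, f"retention deadline {retention_deadline(rec).date()} passed")
        erased.append(rec.record_id)
    return erased


def erase_on_request(records, principal_id, now, register) -> list:
    """Erasure request or consent withdrawal: erase even inside the retention
    period, except where law or a hold requires the record to be kept."""
    erased = []
    for rec in records:
        if rec.erased or rec.principal_id != principal_id:
            continue
        _, required_by_law = RETENTION_SCHEDULE[rec.category]
        if rec.legal_hold:
            _retain(rec, now, register, "retained_legal_hold", "legal hold set on record")
        elif required_by_law and now < retention_deadline(rec):
            _retain(rec, now, register, "retained_legal_obligation",
                    f"statutory retention until {retention_deadline(rec).date()}")
        else:
            _erase(rec, now, register, f"erasure requested by {principal_id}")
            erased.append(rec.record_id)
    return erased


def demo() -> dict:
    now = datetime(2026, 3, 20, tzinfo=timezone.utc)
    utc = timezone.utc
    records = [
        Record("r1", "dp-1", "support_ticket", datetime(2025, 6, 1, tzinfo=utc)),
        Record("r2", "dp-2", "marketing_lead", datetime(2026, 2, 1, tzinfo=utc)),
        Record("r3", "dp-1", "support_ticket", datetime(2025, 1, 15, tzinfo=utc), legal_hold=True),
        Record("r4", "dp-2", "invoice", datetime(2020, 1, 1, tzinfo=utc)),
    ]
    register = []
    swept = sweep(records, now, register)
    requested = erase_on_request(records, "dp-2", now, register)
    try:
        retention_deadline(Record("r5", "dp-3", "telemetry", now))
        unscheduled_rejected = False
    except ValueError:
        unscheduled_rejected = True
    return {
        "swept": swept,
        "requested": requested,
        "register": [(e.record_id, e.outcome) for e in register],
        "unscheduled_rejected": unscheduled_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the audit trail: a record that is still inside its period produces no register entry (the register records decisions, not polling), and every retained-past-deadline record is logged with the reason, so the auditor can reconcile the register against the schedule rather than against the live database.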
3.4 Security Safeguards
Data fiduciaries must implement reasonable security safeguards to protect personal data from breaches, unauthorised access, loss, or destruction. Measures the DPDP Rules, 2025 and this checklist expect include:
- Encryption of personal data at rest and in transit.
- Access controls limiting data access to authorised personnel on a need-to-know basis.
- Regular vulnerability assessments and penetration testing.
- Incident response procedures, including breach notification to the Data Protection Board within 72 hours and to affected data principals without undue delay (see 3.5).
- Data protection impact assessments for high-risk processing activities (mandatory for Significant Data Fiduciaries under the Act; good practice for all others).
3.5 Data Breach Notification
In the event of a personal data breach, the data fiduciary must:
- Notify the Data Protection Board within 72 hours of becoming aware of the breach.
- Notify affected data principals without undue delay, providing details of the nature of the breach, the types of data affected, and remedial actions taken.
- Maintain a register of all data breaches, including those that do not meet the notification threshold.
“The 72-hour breach notification requirement is one of the most challenging operational aspects of the DPDP Act. Most Indian companies do not yet have the incident response infrastructure to detect, assess, and report breaches within this timeframe. At Virtual Auditor, we recommend that companies invest in automated breach detection systems and establish a dedicated data protection incident response team. The cost of preparation is a fraction of the potential ₹250 crore penalty for non-compliance.”
4. Significant Data Fiduciary (SDF) Obligations
4.1 Who Is a Significant Data Fiduciary?
The Central Government may notify certain data fiduciaries as Significant Data Fiduciaries (SDFs) based on:
- The volume and sensitivity of personal data processed.
- The risk of harm to data principals.
- The potential impact on the sovereignty and integrity of India.
- The risk to electoral democracy.
- The data fiduciary’s turnover and data processing capacity.
While the specific thresholds for SDF notification are expected to be defined in subsequent government notifications, it is widely anticipated that major technology companies, large financial institutions, telecom operators, and significant healthcare providers will be among the first to be designated as SDFs.
4.2 Enhanced SDF Obligations
Significant Data Fiduciaries face additional obligations beyond those applicable to all data fiduciaries:
- Data Protection Officer (DPO): SDFs must appoint a DPO based in India, who serves as the primary point of contact for the Data Protection Board and data principals. The DPO must have appropriate qualifications and independence.
- Independent Data Auditor: SDFs must appoint an independent data auditor to conduct an annual data protection audit. The audit report must be submitted to the Data Protection Board.
- Data Protection Impact Assessment (DPIA): SDFs must conduct DPIAs before undertaking any significant new processing activity or making material changes to existing processing.
- Algorithmic Fairness: SDFs that use algorithmic decision-making (including AI and machine learning) must ensure that such systems do not result in unfair outcomes for data principals. This includes periodic audits of algorithmic systems for bias.
- Periodic Compliance Reporting: SDFs must file periodic compliance reports with the Data Protection Board, demonstrating adherence to all DPDP Act requirements.
4.3 SDF Compliance Timeline
The DPDP Rules, 2025 provide a phased compliance timeline for SDFs:
| Obligation | Deadline | Remarks |
|---|---|---|
| Appointment of DPO | Within 3 months of SDF notification | India-based, with reporting line to Board of Directors |
| First Independent Data Audit | Within 12 months of SDF notification | Annual thereafter |
| DPIA for existing processing | Within 6 months of SDF notification | Ongoing for new processing activities |
| Algorithmic fairness audit | Within 12 months of SDF notification | Annual thereafter; applicable only to SDFs using AI/ML |
| First compliance report to DPB | Within 12 months of SDF notification | Periodic thereafter as prescribed |
5. Rights of Data Principals
5.1 Overview of Rights
The DPDP Act grants data principals (individuals whose data is processed) the following rights:
- Right to Access (Section 11): The right to obtain a summary of personal data being processed, the processing activities undertaken, and the identities of all data fiduciaries and data processors with whom the data has been shared.
- Right to Correction and Erasure (Section 12): The right to have inaccurate or incomplete personal data corrected, and to have personal data erased when it is no longer necessary for the stated purpose.
- Right to Grievance Redressal (Section 13): The right to lodge a complaint with the data fiduciary’s grievance redressal mechanism, and if unresolved, with the Data Protection Board.
- Right to Nominate (Section 14): The right to nominate another individual to exercise data principal rights in the event of death or incapacity.
5.2 Duties of Data Principals
Uniquely, the DPDP Act also imposes duties on data principals:
- Not to register a false or frivolous complaint with the Data Protection Board.
- Not to furnish false information or suppress material information while exercising their rights.
- Not to impersonate another person while providing personal data.
Penalties of up to ₹10,000 may be imposed on data principals who breach these duties.
5.3 Processing Children’s Data
The DPDP Act imposes special protections for children (individuals below 18 years):
- Verifiable consent from a parent or lawful guardian is required before processing a child’s personal data.
- Data fiduciaries must not undertake processing that is likely to cause any detrimental effect on the well-being of a child.
- Tracking, behavioural monitoring, or targeted advertising directed at children is prohibited.
- The Central Government may exempt certain data fiduciaries (e.g., educational institutions, healthcare providers) from specific child protection requirements, subject to conditions.
6. Cross-Border Data Transfer
6.1 Framework
The DPDP Act adopts a “negative list” approach to cross-border data transfers:
- Default Position: Transfer of personal data outside India is permitted to all countries except those specifically restricted by the Central Government.
- Restricted Countries: The Central Government may notify countries to which personal data transfer is restricted. As of March 2026, no countries have been formally placed on the restricted list, though the mechanism is in place.
- Sectoral Restrictions: Specific sectors (e.g., financial data under RBI guidelines, health data under proposed health data management policy) may have additional cross-border transfer restrictions under their respective regulatory frameworks.
6.2 Practical Implications for SaaS & IT Companies
For SaaS and IT companies, cross-border data transfer is a core business operation:
- Cloud Hosting: Companies using international cloud providers (AWS, Azure, GCP) must ensure that data hosting arrangements comply with the DPDP Act and any sectoral restrictions.
- Contractual Safeguards: Data processing agreements with international vendors and clients must include DPDP Act-compliant data protection clauses.
- Data Localisation: While the DPDP Act does not mandate data localisation as a general rule, certain categories of data (as may be notified) may require local storage. Companies should design flexible data architecture that can accommodate potential future localisation requirements.
7. Data Protection Board of India (DPB)
7.1 Structure & Powers
The Data Protection Board of India (DPB) is the adjudicatory body established under the DPDP Act. Key features:
- Digital by Design: The DPB operates as a digital office, with proceedings conducted virtually.
- Composition: The DPB comprises a Chairperson and members appointed by the Central Government, with expertise in data protection, information technology, and law.
- Adjudicatory Power: The DPB adjudicates complaints from data principals, references from the Central Government, and instances of non-compliance identified through its own monitoring.
- Penalty Imposition: The DPB has the power to impose monetary penalties as prescribed in the Schedule to the Act.
7.2 Penalty Framework
The DPDP Act prescribes significant penalties for non-compliance:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards leading to a personal data breach | ₹250 crore |
| Failure to notify the DPB and data principals of a personal data breach | ₹200 crore |
| Non-fulfilment of obligations relating to children’s data | ₹200 crore |
| Non-fulfilment of additional obligations by Significant Data Fiduciaries | ₹150 crore |
| Non-compliance with any other provision of the Act | ₹50 crore |
| Breach of duties by data principals (false complaints, impersonation) | ₹10,000 |
Note: These are maximum penalties per instance. The DPB may impose lower penalties based on the nature, gravity, and duration of the non-compliance, the type and purpose of processing, and mitigating actions taken by the data fiduciary.
8. Compliance Checklist for Indian Companies
Use this checklist to assess your organisation’s DPDP Act readiness. At Virtual Auditor’s company secretarial practice, we offer a comprehensive DPDP compliance assessment.
8.1 Governance & Organisation
- Appoint a data protection lead or Data Protection Officer (mandatory for SDFs).
- Establish a data protection governance committee at the Board or senior management level.
- Develop and publish a data protection policy aligned with the DPDP Act.
- Conduct employee training on data protection obligations and incident response.
- Integrate data protection into procurement and vendor management processes.
8.2 Consent & Notice
- Audit all existing consent mechanisms to ensure they meet DPDP Act requirements (free, specific, informed, unconditional, unambiguous).
- Update privacy notices to include itemised descriptions of data collected, processing purposes, and rights of data principals.
- Implement a consent management platform or engage a registered Consent Manager.
- Establish a mechanism for easy consent withdrawal.
- Review existing consents. For consent obtained before the Act commenced, Section 5(2) requires the prescribed notice to be given as soon as reasonably practicable; processing may continue on that earlier consent until the data principal withdraws it, but consents that were never free, specific and unambiguous should be re-obtained.
8.3 Data Inventory & Processing
- Conduct a comprehensive data inventory identifying all personal data collected, processed, and stored.
- Map data flows within the organisation and to external data processors and fiduciaries.
- Identify the lawful basis for each processing activity (consent or legitimate use).
- Implement purpose limitation controls — ensure data is not processed beyond the consented purpose.
- Apply data minimisation principles — collect only what is necessary.
8.4 Security & Breach Response
- Implement encryption for data at rest and in transit.
- Deploy access controls with role-based permissions.
- Conduct regular vulnerability assessments and penetration testing.
- Establish a data breach incident response plan with a 72-hour notification workflow.
- Maintain a breach register and conduct post-incident reviews.
8.5 Data Retention & Erasure
- Develop and publish a data retention schedule for all categories of personal data.
- Implement automated erasure mechanisms for data that has exceeded its retention period.
- Establish a process for responding to erasure requests from data principals.
- Ensure erasure extends to all copies, including backups (with a reasonable timeline for backup erasure).
8.6 Cross-Border Data Transfer
- Identify all cross-border data transfers and the jurisdictions involved.
- Monitor the Central Government’s restricted country list and comply with any restrictions.
- Update data processing agreements with international vendors to include DPDP Act-compliant clauses.
- Design flexible data architecture to accommodate potential future localisation requirements.
8.7 Data Principal Rights
- Establish a mechanism for data principals to exercise their rights (access, correction, erasure, grievance redressal).
- Implement identity verification procedures for rights requests.
- Respond to rights requests within the timelines prescribed under the DPDP Rules, 2025.
- Maintain records of all rights requests and responses for audit purposes.
“The DPDP Act compliance journey is not a one-time project — it is an ongoing programme. Companies that treat this as a checkbox exercise will find themselves exposed when the Data Protection Board begins active enforcement. We recommend a phased approach: start with a data inventory and gap assessment, then prioritise consent management and security safeguards. At Virtual Auditor, we have developed a proprietary DPDP compliance framework that integrates seamlessly with existing corporate governance structures.”
9. Impact on SaaS & IT Companies
9.1 Dual Role as Data Fiduciary and Data Processor
SaaS and IT companies often operate in a dual capacity — as data fiduciaries for their own customer data and as data processors for their clients’ data. This dual role creates layered compliance obligations:
- As Data Fiduciary: The SaaS company must comply with all DPDP Act obligations regarding its direct customers, employees, and website visitors.
- As Data Processor: When processing data on behalf of clients, the SaaS company must process data only in accordance with the client’s instructions and the data processing agreement. However, the ultimate responsibility for compliance rests with the data fiduciary (client).
9.2 Key Compliance Considerations for SaaS Companies
- Multi-Tenancy Architecture: Ensure that data isolation between tenants is robust and auditable. A breach affecting one tenant must not expose another tenant’s data.
- Sub-Processing: If the SaaS company engages sub-processors (e.g., cloud infrastructure, analytics providers), these arrangements must be disclosed to the data fiduciary client and must comply with the DPDP Act.
- Data Processing Agreements: Update all customer agreements to include DPDP Act-compliant data processing clauses, covering scope of processing, security obligations, breach notification, sub-processing, and audit rights.
- API Security: For companies offering API-based services, ensure that API authentication, rate limiting, and data exposure controls are robust.
- Product Design: Adopt privacy-by-design principles. Build consent management, data access controls, and erasure functionality into the product architecture.
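The multi-tenancy point above is where SaaS data breaches most often start: a lookup keyed on a record id alone, with the tenant never checked. The example below is added for this article and is not from any SaaS product or the DPDP Rules; the table layout, tenant ids and customer rows are constructed, and SQLite stands in for whatever database is in use. It shows the unscoped query beside the scoped one, takes the tenant from the authenticated context rather than the request, and writes cross-tenant attempts to an audit list so isolation failures are visible, not silent.

```python
"""Tenant-scoped data access: the unscoped lookup beside the scoped one.

Added illustration; not from any SaaS product. Schema, tenants and rows are
constructed; SQLite in memory stands in for the real store.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Identity of the caller. tenant_id comes from the verified session or
    token, never from a request parameter the client can set."""
    tenant_id: str
    user_id: str


def build_store() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one customer row each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customer (id, tenant_id, email) VALUES (?, ?, ?)",
        [(1, "tenant-a", "asha@example.in"), (2, "tenant-b", "bhavesh@example.in")],
    )
    conn.commit()
    return conn


def get_customer_unsafe(conn, customer_id):
    """Vulnerable lookup: selects by id alone, so a caller from tenant-b who
    guesses id=1 reads tenant-a's row. The query is parameterised, so this is
    not SQL injection; the flaw is the missing tenant predicate."""
    return conn.execute(
        "SELECT tenant_id, email FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()


def get_customer(conn, ctx: RequestContext, customer_id, audit: list):
    """Hardened lookup: the tenant predicate is always added from the
    authenticated context. A row that belongs to another tenant looks exactly
    like a missing row to the caller, but is recorded in the audit trail."""
    row = conn.execute(
        "SELECT tenant_id, email FROM customer WHERE id = ? AND tenant_id = ?",
        (customer_id, ctx.tenant_id),
    ).fetchone()
    if row is None:
        exists = conn.execute(
            "SELECT 1 FROM customer WHERE id = ?", (customer_id,)
        ).fetchone() is not None
        audit.append({
            "tenant_id": ctx.tenant_id,
            "user_id": ctx.user_id,
            "customer_id": customer_id,
            "event": "cross_tenant_attempt" if exists else "not_found",
        })
    return row


def demo() -> dict:
    conn = build_store()
    audit = []
    ctx_b = RequestContext(tenant_id="tenant-b", user_id="u-42")
    leaked = get_customer_unsafe(conn, 1)           # tenant-b reads tenant-a's customer
    blocked = get_customer(conn, ctx_b, 1, audit)   # same request through the scoped path
    own = get_customer(conn, ctx_b, 2, audit)
    missing = get_customer(conn, ctx_b, 99, audit)
    return {
        "leaked_email": leaked[1],
        "blocked": blocked,
        "own_email": own[1],
        "missing": missing,
        "audit_events": [e["event"] for e in audit],
    }


if __name__ == "__main__":
    print(demo())
```

The second query in the hardened path exists only to label the audit event; the caller receives None in both cases, so the API does not reveal whether another tenant's record with that id exists. In a real codebase the tenant predicate belongs in one repository or query layer that every handler must go through, which is what makes the isolation auditable rather than dependent on each developer remembering it.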
9.3 Impact on IT Services Companies
Large Indian IT services companies (TCS, Infosys, Wipro, HCL, and similar firms) face unique challenges:
- They process data for clients across multiple jurisdictions, requiring compliance with the DPDP Act alongside GDPR, CCPA, and other international data protection laws.
- Employee data processing (for hundreds of thousands of employees) must comply with the DPDP Act’s employment-related legitimate use provisions.
- Client contractual requirements may impose standards exceeding the DPDP Act’s minimum requirements, creating a need for “highest common denominator” compliance frameworks.
10. DPDP Act Regulatory Timeline — 2023 to 2026
| Date | Development | Significance |
|---|---|---|
| 11 Aug 2023 | DPDP Act enacted | India’s first comprehensive data protection law |
| Jan 2025 | Draft DPDP Rules published | Operational framework for Act implementation |
| Mid 2025 | DPDP Rules, 2025 notified | Final rules covering consent, SDFs, cross-border transfers |
| Late 2025 | Data Protection Board constituted | Adjudicatory body begins operations |
| 2026 | Phased enforcement begins | Compliance obligations become enforceable for notified categories |
| 2026 (Expected) | SDF notification for first batch | Major tech, BFSI, and telecom companies likely first SDFs |
This timeline is updated as new developments occur. Bookmark this page for the latest information.
11. Comparison: DPDP Act vs. GDPR — Key Differences
For companies operating in both India and the EU, understanding the differences between the DPDP Act and the GDPR is critical:
- Scope: The DPDP Act applies only to digital personal data, while the GDPR covers all personal data (digital and non-digital).
- Lawful Bases: The DPDP Act recognises consent and “certain legitimate uses” (a narrower set than the GDPR’s six lawful bases, which include legitimate interest, contract performance, and vital interests).
- Cross-Border Transfers: The DPDP Act uses a negative list (transfer permitted unless country is restricted), while the GDPR requires positive adequacy determinations or safeguards (SCCs, BCRs).
- Data Principal Duties: The DPDP Act uniquely imposes duties on data principals, including penalties for false complaints.
- Penalties: The DPDP Act prescribes fixed maximum penalties per violation category, while the GDPR uses a turnover-based model (up to 4% of global annual turnover or €20 million, whichever is higher).
- DPO Requirement: Under the DPDP Act, DPO appointment is mandatory only for SDFs. Under the GDPR, DPO appointment is mandatory for a broader range of controllers.
12. How Virtual Auditor Helps with DPDP Compliance
Our company secretarial and compliance team offers end-to-end DPDP Act compliance services:
- Gap Assessment: We conduct a comprehensive gap assessment of your current data protection practices against DPDP Act requirements.
- Data Inventory & Mapping: Our AI-powered tools help identify and map all personal data flows within your organisation.
- Policy Development: We draft customised data protection policies, consent notices, and data processing agreements.
- Compliance Implementation: We guide implementation of technical and organisational measures — from consent management platforms to breach response procedures.
- Ongoing Monitoring: Our regulatory intelligence service ensures you stay current with all DPDP Act rules, DPB guidance, and enforcement actions.
- SDF Advisory: For companies likely to be designated as SDFs, we provide specialised advisory on DPO appointment, DPIA methodology, algorithmic fairness audits, and compliance reporting.
Key Takeaways
- The DPDP Act applies to all businesses processing digital personal data in India or offering goods/services to Indian data principals.
- Consent must be free, specific, informed, unconditional, and unambiguous — existing consent mechanisms likely need an overhaul.
- Data fiduciaries must implement purpose limitation, data minimisation, retention schedules, and robust security safeguards.
- Significant Data Fiduciaries face enhanced obligations including DPO appointment, annual data audits, DPIAs, and algorithmic fairness reviews.
- The penalty framework is severe — up to ₹250 crore for security failures leading to data breaches.
- Cross-border data transfer is permitted by default, but the Central Government can restrict transfers to specific countries.
- SaaS and IT companies face dual compliance obligations as both data fiduciaries and data processors.
- The Data Protection Board of India operates as a digital-first adjudicatory body.
- Companies should adopt a phased compliance approach: data inventory first, then consent management, security, and ongoing monitoring.
13. Frequently Asked Questions — DPDP Act Compliance
Q1. When does the DPDP Act come into force?
The DPDP Act was enacted on 11 August 2023. The operational rules (DPDP Rules, 2025) were notified in mid-2025. Phased enforcement began in 2026, with the Data Protection Board now constituted and operational. Companies should be actively working towards compliance now.
Q2. Does the DPDP Act apply to non-digital data?
No. The DPDP Act applies only to digital personal data — data that is collected in digital form or is digitised after collection. Non-digital records (e.g., paper documents) are not within the Act’s scope unless they are subsequently digitised.
Q3. What is the maximum penalty under the DPDP Act?
The maximum penalty is ₹250 crore per instance, applicable to failures in implementing reasonable security safeguards that lead to a personal data breach. Other violations attract lower maximum penalties, ranging from ₹50 crore to ₹200 crore depending on the nature of the non-compliance.
Q4. Must every company appoint a Data Protection Officer?
No. The mandatory appointment of a Data Protection Officer is required only for Significant Data Fiduciaries (SDFs) as notified by the Central Government. However, we strongly recommend that all companies designate a data protection lead, even if not formally designated as an SDF, to oversee compliance activities.
Q5. Can Indian companies transfer data to the United States or European Union?
Yes. Under the DPDP Act’s negative list approach, cross-border data transfers are permitted to all countries unless specifically restricted by the Central Government. As of March 2026, no countries have been placed on the restricted list. However, companies must also comply with any sectoral restrictions (e.g., RBI data localisation requirements for payment data).
Q6. How does the DPDP Act affect employee data processing?
The DPDP Act permits processing of employee data under the “certain legitimate uses” provision (Section 7), covering purposes such as onboarding, payroll, benefits administration, and statutory compliance. However, employers must still provide a notice to employees describing the data collected and processing purposes. For processing beyond employment purposes (e.g., employee wellness programmes, satisfaction surveys), separate consent may be required.
Q7. What is the role of a Consent Manager?
A Consent Manager is a registered intermediary under the DPDP Rules, 2025 that manages consent on behalf of data principals. Consent Managers maintain interoperable, auditable platforms where data principals can view, grant, modify, or withdraw consent across multiple data fiduciaries. Using a Consent Manager is optional for data fiduciaries but can simplify consent management at scale.
Q8. How can Virtual Auditor help with DPDP Act compliance?
Virtual Auditor provides end-to-end DPDP Act compliance services, including gap assessments, data inventory and mapping, policy development, technical implementation guidance, and ongoing regulatory monitoring. For companies likely to be designated as SDFs, we offer specialised advisory on DPO appointment, DPIAs, and algorithmic fairness audits. Contact us for a complimentary initial consultation.
V. VISWANATHAN, FCA, ACS, CFE, IBBI/RV/03/2019/12333
Chennai HQ: G-131, Spencer Plaza, Anna Salai, Chennai 600002
Phone: +91 99622 60333
Email: support@virtualauditor.in
