DPDP Compliance Checklist (2026): 12 Steps Every Indian Startup Must Complete
A practical DPDP compliance checklist for Indian startups. 12 steps to comply with the DPDP Act 2023, covering consent, data retention, breach response, and grievance handling.
The DPDP Act compliance checklist consists of 12 operational requirements every Indian startup should implement before the November 2026 soft-enforcement deadline: consent management, retention schedules, breach response, grievance handling, and Data Principal rights.
Most Indian startups will not miss that deadline because they ignored it. They will miss it because nobody turned the Act into a task list their team could actually execute. This checklist does that, ordered the way an audit would probe it rather than the way the statute happens to be numbered.
Who must comply with the DPDP Act?
Every entity that determines the purpose and means of processing digital personal data of individuals in India, called a Data Fiduciary, must comply, regardless of company size. This includes SaaS products, mobile apps, and B2B software, not only consumer-facing platforms. A narrower set of extra obligations, including an annual Data Protection Impact Assessment, applies only to companies designated as Significant Data Fiduciaries [Rule 13]. For a fuller walkthrough of who counts and why, see what the DPDP Act actually is.
The DPDP enforcement timeline you are working against
The Digital Personal Data Protection Rules were notified on 13 November 2025, and compliance obligations arrive in phases:
| Date | What changes |
|---|---|
| 13 November 2025 | Rules notified. Data Protection Board of India (DPB) operational. |
| 13 November 2026 | Consent Manager provisions take effect. The soft-enforcement grace period effectively ends. |
| 13 May 2027 | All substantive obligations enforceable. Penalties up to ₹250 crore per violation apply. |
The DPDP compliance checklist: 12 steps
- 1.Map every place personal data lives. Databases, logs, analytics tools, spreadsheets, and vendor systems. You cannot protect (or delete) data you have not found. Shadow PII in logs is the most common gap we see in scans.
- 2.Rewrite your privacy notice for the DPDP Act, not the IT Act. If your policy cites the IT Act 2000 and never mentions the DPDP Act, it announces its own non-compliance. Notices must be clear, itemised by purpose, and available in the 22 Eighth Schedule languages [§5(3)].
- 3.Make consent specific, informed, and separate per purpose [§6]. One checkbox per purpose. Marketing consent is not analytics consent, and neither covers data sharing. "By using this app you agree" is usage, not consent, and it will not survive an audit. A Record of Processing Activities makes this easier to get right; see our RoPA template for the DPDP Act.
- 4.Record consent with timestamp, purpose, and the text shown. When the Board asks how a specific user consented in 2026, you need the exact answer, not the current version of your banner.
- 5.Set a retention period for every data category [Rule 8]. A number, a date, or a trigger; "as long as necessary" is a deferred decision, not a policy. Then automate the deletion, because a schedule nobody executes is worse than no schedule. Retention floors differ by sector; see our breakdowns for fintech and healthtech.
- 6.Build the erasure path. When consent is withdrawn or the purpose is served, personal data must actually be erased from primaries, replicas, backup policies, and processors. Test it end-to-end with a real record.
- 7.Name a Grievance Officer with a working contact [Rule 9, Rule 14]. A named human, a reachable email, and a grievance redressal system that responds within 90 days [Rule 14(3)]. A contact form does not count.
- 8.Stand up a Data Principal rights workflow [§11 to §14]. Access, correction, erasure, and nomination. You have defined timelines to respond, and manual email threads will not scale past your first dozen requests.
- 9.Write the 72-hour breach playbook before you need it [§8(6), Rule 7]. Define "aware", name an incident owner, and pre-draft the DPB and Data Principal notifications. The clock starts when you become aware, not when you finish investigating.
- 10.Verify parental consent for children's data [§9]. If any users are under 18, you need verifiable parental consent and zero tracking or targeted advertising directed at them. Penalties here are among the steepest.
- 11.Put contracts and purpose limits around every processor. Your analytics, support, and AI vendors process personal data on your behalf. Their gap is your liability, because the Act holds the Data Fiduciary responsible, not the vendor. See our vendor management and Data Processing Agreement guide for the specific clauses to add.
- 12.Keep audit-ready evidence of all of the above. Immutable logs of consent, deletion, and breach handling. Under the DPDP Act the operating assumption is that you can prove compliance on request. Claims without records are just claims. A DPIA is the fastest way to surface what evidence you are still missing.
For the order to actually build these in, and why sequence matters more than the list itself, see our step-by-step DPDP implementation guide.
DPDP Act penalties and fines
| Failure | Maximum penalty |
|---|---|
| Failure of security safeguards | ₹250 crore |
| Failure to notify a breach to the Board / Data Principals | ₹200 crore |
| Violations involving children's data | ₹200 crore |
| Other violations of the Act | ₹50 crore |
These are per-violation ceilings, and the Board weighs the nature, gravity, and duration of the breach. For a funded startup, the realistic risk is not only the fine. It is failing enterprise vendor due diligence, investor data-room questions, and B2B audits that now routinely ask "are you DPDP-compliant?" (see why this matters beyond the penalty). The Rules themselves are published on MeitY's official Digital Personal Data Protection Rules 2025 page.
How to get through this list in weeks, not quarters
Items 1, 4, 5, 6, 8, and 12 are engineering problems: data discovery, consent records, retention automation, erasure, rights workflows, and audit logs. That is exactly the surface Privacy Labs automates. Run a discovery scan, deploy layered consent, and export audit-ready proof, with setup measured in about 60 minutes rather than months. For the realistic manual-vs-automated breakdown, see how long DPDP compliance actually takes.
Start with the free Compliance Score. It checks your privacy policy, cookie consent, and retention posture against this checklist and shows you exactly which items you are missing, in 60 seconds and with no signup.
Frequently asked questions
When do I need to be DPDP compliant?
The DPDP Rules were notified on 13 November 2025. Consent Manager provisions take effect on 13 November 2026, and all substantive obligations become enforceable by 13 May 2027. Practically, startups should be compliant by November 2026, since implementation takes months and enterprise customers are already asking for DPDP readiness in vendor due diligence.
Does the DPDP Act apply to small startups?
Yes. The DPDP Act applies to any entity processing digital personal data of individuals in India, regardless of company size. Some obligations are heavier for Significant Data Fiduciaries, but consent, notice, retention, breach notification, and Data Principal rights apply to startups of every size.
What is the penalty for DPDP non-compliance?
Penalties range up to ₹250 crore per violation for failures of security safeguards, ₹200 crore for breach-notification failures and children's data violations, and ₹50 crore for other breaches of the Act.
Is GDPR compliance enough for the DPDP Act?
No. The DPDP Act differs from GDPR in material ways: consent must be itemised per purpose, notices must be available in 22 Indian languages, breach notification runs to the Data Protection Board on a 72-hour clock, and the Consent Manager framework has no GDPR equivalent. A GDPR programme is a head start, not a finish line.
Does the DPDP Act apply to SaaS and B2B software companies?
Yes. The Act applies to any Data Fiduciary processing digital personal data of individuals in India, which includes B2B SaaS products that store employee, customer, or end-user data on behalf of business clients. There is no exemption for B2B-only products.
What is a Data Fiduciary?
A Data Fiduciary is the entity that determines the purpose and means of processing personal data, roughly equivalent to a "data controller" under GDPR. If your company decides why and how user data is collected and used, you are the Data Fiduciary.
What is a Consent Manager under the DPDP Act?
A Consent Manager is a Board-registered platform that lets a Data Principal give, review, and withdraw consent across multiple companies from one place. Consent Manager obligations take effect on 13 November 2026 [Rule 4]. It has no direct GDPR equivalent.
Can I use one consent checkbox for everything?
No. §6 of the DPDP Act requires consent to be specific to each purpose. Marketing, analytics, and data sharing each need their own itemised consent; a single bundled "I agree" checkbox does not meet the standard.