INTRODUCTION
This is a working operational checklist for Indian businesses approaching DPDP Act compliance. It's not legal advice. It's a practitioner's reference distilled from active engagements across BFSI, fintech, healthcare-tech, and SaaS sectors over 2024-2026. Maintained by the SecureRoot team — for service inquiries visit secureroot.co
TIER 1 — IMMEDIATE (Week 1-4)
Designate a DPO (Data Protection Officer): Internal employee or contracted external. Authority must be real, not nominal.
Privacy policy compliance audit: Existing privacy policy reviewed against DPDP requirements. Lawyer review at ₹15-30K.
Initial data inventory (high-level): Map your top 10 systems handling personal data. Document type, volume, location, access.
Identify your processing activities: What data, why, what's the legal basis (consent, contract, legitimate use).
Initial breach notification draft: Documented playbook for first-72-hours breach response.
TIER 2 — NEAR-TERM (Week 4-12)
Comprehensive Record of Processing Activities (RoPA): Detailed inventory of every category of personal data, where it lives, retention period, access controls. 4-8 weeks of cross-functional work.
Consent management implementation: Customer-facing flows redesigned for clear affirmative action. No pre-checked boxes. No bundled consent.
Data subject rights process: Operational mechanism for handling access, correction, erasure, and grievance redressal requests.
Vendor data processing agreements (DPAs): All vendors handling personal data on your behalf require updated DPAs. Inventory + remediate.
Internal training: All employees handling personal data trained on DPDP basics + your internal procedures.
TIER 3 — ONGOING (Quarterly)
Quarterly RoPA refresh: Update data inventory as systems and processing activities change.
Quarterly access reviews: Verify who has access to personal data. Revoke unnecessary access.
Annual privacy impact assessment (PIA): Especially for new processing activities, new vendors, or new product features.
Annual breach notification tabletop exercise: Test the playbook before you need it.
Quarterly DPO report to leadership: Compliance posture, complaint handling, regulatory developments, gaps requiring attention.