INTRODUCTION

This is a working operational checklist for Indian businesses approaching DPDP Act compliance. It's not legal advice. It's a practitioner's reference distilled from active engagements across BFSI, fintech, healthcare-tech, and SaaS sectors over 2024-2026. Maintained by the SecureRoot team — for service inquiries visit secureroot.co

TIER 1 — IMMEDIATE (Week 1-4)

Designate a DPO (Data Protection Officer): Internal employee or contracted external. Authority must be real, not nominal.

Privacy policy compliance audit: Existing privacy policy reviewed against DPDP requirements. Lawyer review at ₹15-30K.

Initial data inventory (high-level): Map your top 10 systems handling personal data. Document type, volume, location, access.

Identify your processing activities: What data, why, what's the legal basis (consent, contract, legitimate use).

Initial breach notification draft: Documented playbook for first-72-hours breach response.

TIER 2 — NEAR-TERM (Week 4-12)

Comprehensive Record of Processing Activities (RoPA): Detailed inventory of every category of personal data, where it lives, retention period, access controls. 4-8 weeks of cross-functional work.

Consent management implementation: Customer-facing flows redesigned for clear affirmative action. No pre-checked boxes. No bundled consent.

Data subject rights process: Operational mechanism for handling access, correction, erasure, and grievance redressal requests.

Vendor data processing agreements (DPAs): All vendors handling personal data on your behalf require updated DPAs. Inventory + remediate.

Internal training: All employees handling personal data trained on DPDP basics + your internal procedures.

TIER 3 — ONGOING (Quarterly)

Quarterly RoPA refresh: Update data inventory as systems and processing activities change.

Quarterly access reviews: Verify who has access to personal data. Revoke unnecessary access.

Annual privacy impact assessment (PIA): Especially for new processing activities, new vendors, or new product features.

Annual breach notification tabletop exercise: Test the playbook before you need it.

Quarterly DPO report to leadership: Compliance posture, complaint handling, regulatory developments, gaps requiring attention.