
DPDP Act 2023 Compliance Checklist for Indian Businesses

Threat ResQ Team  ·  Feb 2026  ·  9 min read

The Digital Personal Data Protection Act is now enforceable. Are you a Data Fiduciary? Exactly what you need to implement — and the penalties for getting it wrong.

What Is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It governs digital personal data, and the entity that decides why and how that data is processed is the Data Fiduciary. If your organisation determines the purpose of processing personal data of individuals in India, whether a customer database, employee records or website cookies tied to a user, you are a Data Fiduciary with compliance obligations. Penalties reach Rs.250 crore per instance of violation.

DPDP Compliance Checklist

1. Consent Management

  • Identify the lawful basis for each processing activity: consent, or one of the legitimate uses the Act lists
  • Implement clear, specific and revocable consent mechanisms; withdrawing consent must be as easy as giving it
  • Maintain records of when, how and for which purpose consent was obtained, and of every withdrawal

2. Privacy Notice

  • Create a Privacy Notice that states which personal data is collected, the purpose of processing, with whom it is shared, how users can exercise their rights, and how they can complain to the Data Protection Board
  • Give the notice with, or before, every request for consent, and publish it prominently on the website and app
  • Notify users of any changes

3. Data Principal Rights

  • Mechanism for users to access a summary of the personal data held about them
  • Allow users to correct or update inaccurate data
  • Implement erasure capability for when consent is withdrawn or the purpose is fulfilled
  • Grievance redressal mechanism with a published contact point; Data Principals must exhaust it before approaching the Board
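The consent-record items in section 1 and the access, correction and erasure items in section 3 above, as an added example (this is not code from the original article or from Threat ResQ): an append-only consent ledger with purpose-specific checks, plus a small profile store that serves Data Principal requests. The class names, purposes, principal IDs and in-memory storage are illustrative assumptions; a production system would back this with a durable, tamper-evident store.

```python
"""Append-only consent ledger and Data Principal request handlers.

Illustrative code, not from the original article. Storage is in-memory and
all purposes, IDs and field names are made up for the example.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one specific purpose, e.g. "order_fulfilment"
    action: str           # "granted" or "withdrawn"
    notice_version: str   # privacy notice version shown when consent was taken
    channel: str          # how it was captured, e.g. "web_form", "app"
    at: datetime


class ConsentLedger:
    """Append-only: a withdrawal adds an event, it never rewrites the grant,
    so the record of what was consented to and when is preserved."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, principal_id: str, purpose: str, action: str,
               notice_version: str, channel: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        ev = ConsentEvent(principal_id, purpose, action, notice_version,
                          channel, at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def status(self, principal_id: str, purpose: str,
               as_of: Optional[datetime] = None) -> Optional[str]:
        """Latest action for this principal and purpose as of a point in time."""
        latest = None
        for ev in self._events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if as_of is not None and ev.at > as_of:
                continue
            latest = ev
        return latest.action if latest else None

    def may_process(self, principal_id: str, purpose: str,
                    as_of: Optional[datetime] = None) -> bool:
        """Consent is purpose-bound: a grant for one purpose never covers
        another, and a withdrawal only blocks processing after it."""
        return self.status(principal_id, purpose, as_of) == "granted"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        return [ev for ev in self._events if ev.principal_id == principal_id]


class PrincipalDataStore:
    """Minimal profile store wired to the ledger for access/correct/erase."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._profiles: Dict[str, Dict[str, str]] = {}

    def put(self, principal_id: str, profile: Dict[str, str]) -> None:
        self._profiles[principal_id] = dict(profile)

    def access(self, principal_id: str) -> Dict[str, object]:
        """Right of access: the data held plus how consent was obtained."""
        return {"profile": dict(self._profiles.get(principal_id, {})),
                "consents": [asdict(ev) for ev in self.ledger.history(principal_id)]}

    def correct(self, principal_id: str, field: str, value: str) -> bool:
        if principal_id not in self._profiles:
            return False
        self._profiles[principal_id][field] = value
        return True

    def erase(self, principal_id: str, at: Optional[datetime] = None) -> bool:
        """Erasure: drop the profile and withdraw every purpose. Design
        assumption: the consent events themselves are kept as the audit record."""
        if principal_id not in self._profiles:
            return False
        del self._profiles[principal_id]
        for purpose in sorted({ev.purpose for ev in self.ledger.history(principal_id)}):
            self.ledger.record(principal_id, purpose, "withdrawn", "n/a",
                               "erasure_request", at)
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario: grant two purposes, withdraw one, then erase."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    t1 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    t2 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    store = PrincipalDataStore(ledger)
    store.put("p-1", {"name": "Asha", "email": "asha@example.com"})
    ledger.record("p-1", "order_fulfilment", "granted", "v1.0", "web_form", t0)
    ledger.record("p-1", "marketing_email", "granted", "v1.0", "web_form", t0)
    ledger.record("p-1", "marketing_email", "withdrawn", "v1.0", "app", t1)
    return {
        "marketing_before": ledger.may_process("p-1", "marketing_email", as_of=t0),
        "marketing_after": ledger.may_process("p-1", "marketing_email", as_of=t2),
        "orders_still_ok": ledger.may_process("p-1", "order_fulfilment"),
        "unknown_purpose": ledger.may_process("p-1", "analytics"),
        "erased": store.erase("p-1", at=t2),
        "profile_after_erase": store.access("p-1")["profile"],
        "orders_after_erase": ledger.may_process("p-1", "order_fulfilment"),
        "events_kept": len(ledger.history("p-1")),
    }


if __name__ == "__main__":
    print(demo())
```

The `as_of` parameter is what lets you answer an auditor's question: processing done in January under a consent withdrawn in February was lawful at the time, and the ledger can show that because the grant was never overwritten.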

4. Security Safeguards

  • Periodic VAPT of systems handling personal data; the Act itself only requires "reasonable security safeguards", and regular testing is how you evidence them
  • Access controls so that only authorised personnel can reach personal data, with access logged
  • Encryption at rest and in transit
  • Data Loss Prevention (DLP) controls

5. Data Breach Notification

  • Breach detection and response procedure
  • Notify the Data Protection Board of India and each affected Data Principal
  • Maintain a breach register

DPDP Penalties

  • Failure to implement reasonable security safeguards: up to Rs.250 crore
  • Failure to notify the Board or affected Data Principals of a breach: up to Rs.200 crore
  • Any other breach of the Act, including failure to honour data principal rights: up to Rs.50 crore

Need Help With This?

Threat ResQ offers free 30-minute consultations on all topics covered in this article. Our certified experts give you a tailored action plan.
