Every DPDPA Requirement, In One Actionable Checklist.

Understanding DPDP Act Penalties & Compliance Risks

A structured, itemised checklist covering every operational requirement under India's Digital Personal Data Protection Act — notice, consent, data mapping, vendor governance, retention, breach response, and audit evidence.

₹250 Cr
Maximum Penalty
72 Hrs
Breach Reporting
90 Days
Rights Response
2027
Full Enforcement

Get 3 Months Free Consentica Access

Zero integration. Unlimited consents. Live within 48 hours.

Launch your DPDP-ready consent flow fast, validate it with real users, and scale when you're ready.

What This Checklist Covers

This checklist walks through every operational area the DPDP Act 2023 touches — from the notice a Data Principal sees before data collection, through consent capture and withdrawal, to vendor governance, retention, deletion, breach response, and the audit evidence you'll need to produce if the Data Protection Board asks.

It is written for the people who actually have to implement DPDPA, not just read about it: compliance leads, DPOs, legal counsel, product owners, and engineering teams responsible for consent and data infrastructure.

Each checklist item includes the specific evidence artefact you need to produce — not just the obligation itself — because "we have a policy" and "we can prove it happened" are different things under DPDP Act enforcement.

Who Must Comply?

  • Any organisation processing digital personal data of individuals in India
  • Foreign organisations offering goods or services to individuals in India and processing their data

Important Checklist Point

A checklist item marked "done" on a spreadsheet is not the same as a checklist item you can prove during a Data Protection Board inquiry, a breach investigation, or an enterprise customer's vendor audit. Evidence, not intention, is what DPDPA enforcement actually tests.

Quick Answer

A complete DPDPA compliance checklist covers seven areas: notice and consent, Data Principal rights, security safeguards, breach notification, vendor and processor governance, retention and deletion, and audit evidence. Each area needs both a written policy and an operational system that produces provable evidence.

What Each Checklist Gap Actually Costs

Missing checklist items don't just create compliance debt — they map directly to specific DPDP Act penalty categories.

Violation CategoryMaximum Penalty
Missing or inadequate security safeguards
Up to ₹250 Crore
No breach notification process (72-hour requirement)
Up to ₹200 Crore
Children's data processed without verifiable parental consent
Up to ₹200 Crore
Significant Data Fiduciary obligations not met (DPO, DPIA, audit)
Up to ₹150 Crore
Consent, notice, or Data Principal rights gaps
Up to ₹50 Crore
Failure to act on a Data Protection Board direction
Up to ₹20 Crore

Important: This checklist is organised so each section maps to one of these penalty categories — completing the checklist is directly correlated with closing specific financial exposure, not just "being more compliant" in the abstract.

The 8 Checklist Areas

Every item in the full checklist falls into one of these eight operational areas.

Notice & Transparency

Clear, itemised notice before data collection, in a language the Data Principal understands, with version history retained.

Consent Capture & Withdrawal

Purpose-specific, independently revocable consent with the same ease of withdrawal as of granting.

Data Principal Rights

Working access, correction, erasure, and grievance workflows with defined response SLAs.

Data Mapping & RoPA

A current inventory of what personal data you hold, where, why, and who else has access to it.

Vendor & Processor Governance

Contracts, access controls, and audit rights over every third party that touches personal data on your behalf.

Retention & Deletion

Defined retention periods per data category, with verifiable deletion when the purpose or retention period ends.

Breach Response

A tested process to identify, contain, and notify the Board and affected individuals within 72 hours.

Audit Evidence

Exportable proof for every item above — not policy documents, but operational logs and records.

How the Data Protection Board Enforces Penalties

The DPBI is a fully digital quasi-judicial body established under Chapter V of the DPDP Act. It is not a policy regulator — its sole function is investigation, adjudication, and enforcement.

When You'll Actually Need This Checklist Completed

A completed checklist gets tested in real situations, not just internal reviews:

  • A Data Principal complaint or rights request that requires you to locate and act on their data quickly
  • A personal data breach requiring you to notify the Board within 72 hours
  • An enterprise customer's vendor risk assessment or security questionnaire
  • A Data Protection Board inquiry or compliance review
  • Fundraising or M&A due diligence, where privacy posture is now a standard diligence item

This checklist should be revisited whenever you add a new data collection point, a new vendor, or a new processing purpose — not treated as a one-time exercise.

How to Work Through This Checklist

Stage 1 — Inventory

Map what personal data you collect, where it lives, and who has access — you can't check off items for data you don't know you have.

Stage 2 — Gap Assessment

Go through each of the 8 checklist areas and mark what's fully evidenced, partially in place, or missing entirely.

Stage 3 — Prioritise by Penalty Exposure

Fix gaps in security safeguards and breach response first — they carry the highest penalty ceilings.

Stage 4 — Build the Evidence Layer

For each item, implement the system that produces provable evidence automatically, not a manual process someone has to remember to run.

Stage 5 — Re-Check Quarterly

Re-run the checklist whenever a new system, vendor, or data flow is introduced, and at minimum once a quarter.

Key point: Most organisations complete Stage 1 (inventory) manually and get stuck — this is exactly the step Discovery Studio automates across structured and unstructured data sources.

6 Reasons Checklists Fail in Practice

These are the most common reasons a completed checklist still doesn't hold up under scrutiny.

No Data Discovery Behind It

The checklist was completed based on what the team remembered, not an actual scan of systems and files.

Policy Without Evidence

A written policy exists, but there's no system generating logs, timestamps, or records to prove it's followed.

Owned by One Person

Compliance sits with one person's knowledge instead of being embedded in systems — and breaks when they leave.

Never Revisited

Completed once during initial DPDPA readiness and never updated as the business added new tools, vendors, or data types.

Vendor Blind Spots

Internal systems are covered, but the checklist doesn't extend to what vendors and processors do with the data.

No Response Drill

A breach response process exists on paper but has never been tested against a realistic scenario.

Discovery Studio and Consentica exist specifically to close these six gaps — automated discovery instead of memory, and operational evidence instead of static policy documents.

Does an Incomplete Checklist Create Criminal Exposure?

No Imprisonment Under DPDPA

The DPDP Act does not create imprisonment-based criminal penalties for compliance gaps of any kind.

Financial Exposure Is Still Real

Checklist gaps translate directly into the penalty categories shown above — up to ₹250 crore per violation.

An incomplete checklist itself is not a criminal matter under DPDPA — the Act's enforcement model is financial penalties, Board directions, and remedial orders, not imprisonment.

The real risk of an incomplete checklist is what it exposes you to when something goes wrong: a breach, a rights request you can't fulfil in time, or a Board inquiry you can't produce evidence for.

A Realistic Timeline for Closing Checklist Gaps

How long it typically takes to move from an incomplete checklist to full, evidence-backed DPDPA readiness.

Week 1–2

Data discovery and inventory

Identify personal data across structured and unstructured sources, systems, and vendors.

Week 3–4

Gap assessment against all 8 areas

Score current state against the checklist and prioritise by penalty exposure.

Week 5–8

Close consent, notice, and rights gaps

Deploy or configure the systems needed to produce evidence for the highest-priority items.

Week 9–12

Vendor governance and breach response

Extend controls to third parties and test the breach response process end to end.

Conclusion

A DPDPA compliance checklist is only useful if it produces evidence, not just intentions. The organisations most exposed during an actual breach, rights request, or Board inquiry are the ones that treated the checklist as a one-time documentation exercise rather than an operational system.

Discovery Studio automates the discovery and mapping stage this checklist depends on. Consentica operationalises the consent, notice, and rights stages so each checklist item produces real evidence, not just a policy statement.

A checklist you can't produce evidence for is not a completed checklist — it's a to-do list.

Frequently Asked Questions

The DPDP Act and DPDP Rules 2025 set out obligations, but there is no single official checklist document. Organisations typically build one by mapping the Act's provisions to their specific operational context — data types, vendors, and processing purposes.