On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) officially notified the Digital Personal Data Protection (DPDP) Rules, 2025. The rules operationalised the DPDPA, 2023 – India’s landmark data privacy legislation, and established the Data Protection Board of India (DPBI) as the enforcement authority. Every Data Fiduciary processing personal data in India now has defined obligations, a regulatory body with real enforcement powers and a firm deadline: May 13, 2027.
This DPDPA compliance checklist breaks down the six core obligation areas, the penalty structure and the three milestones every organisation must plan against. Use it as a working reference to build or validate your data protection programme.
Who the DPDPA applies to
The Digital Personal Data Protection Act, 2023 applies to any firm processing digital personal data in India. Its reach is extraterritorial: foreign organisations offering goods or services to Indian residents fall under the same obligations.
If you collect, store or process personal data of individuals in India, you are a Data Fiduciary. Some entities will be designated Significant Data Fiduciaries (SDFs) by the Central Government – based on data volume, sensitivity and risk to individuals’ rights. SDFs face an elevated tier of obligations that includes annual audits and Data Protection Officer (DPO) appointments. Knowing where your organisation is, on this spectrum is the starting point for any data protection checklist India-based programme.
The 6-step DPDPA compliance checklist
This DPDPA compliance checklist consists of the six core obligation areas under the DPDP Rules, 2025. Each step covers a compliance domain that your organisation must address before the May 2027 deadline.
Consent and notice architecture
Redesign consent notices to be independently understandable and in plain language. Each notice must list the specific personal data collected and its purpose of processing. Bundled consent – one checkbox for multiple purposes – is not valid under the DPDPA.
Notices must also be available in the user’s preferred language, including those listed in the Eighth Schedule of the Constitution. Start building Consent Manager integration readiness ahead of the November 2026 activation deadline.
Data Principal rights management
Build workflows that allow people to access, correct and erase their personal data. Rule 14 of the DPDP Rules sets a 90-day window for answering to erasure requests. Big e-commerce, gaming and social media platforms must also notify users at least 48 hours before completing scheduled data deletion.
Reasonable security safeguards
Apply the minimum prescribed controls: access management, encryption or tokenisation, activity monitoring and logging and business continuity measures. Logs must be kept for a minimum of one year. These safeguards must also be contractually mandated in all Data Processor agreements.
Data breach notification
On finding a breach, notify the DPBI without delay with an initial description. A detailed follow-up must be submitted within 72 hours as per Rule 7 of the DPDP Rules, 2025. Affected Data Principals must be notified in plain language covering the nature of the breach, its impact and the steps they can take.
Children’s data obligations
Verifiable parental consent is required before processing personal data of anyone under 18. Rule 10 of the DPDP Rules, 2025 approves DigiLocker integration as an accepted verification method. Tracking, profiling or targeting children with behavioural advertising is prohibited.
Governance and accountability
Appoint a DPO if designated as an SDF. Establish a grievance redressal mechanism with a 90-day response commitment. SDFs must also conduct annual Data Protection Impact Assessments (DPIAs) and independent audits.
Penalty structure you need to know
Non-compliance with this DPDPA compliance checklist leads to major financial exposure. As per the official DPDP Rules notification published by the Press Information Bureau, penalties for Data Fiduciaries are structured as follows:
- ₹250 crore: failure to implement reasonable security safeguards
- ₹200 crore: failure to notify the DPBI or affected Data Principals of a breach
- ₹200 crore: violations of children’s data obligations
- ₹150 crore: failure to meet Significant Data Fiduciary obligations
- ₹50 crore: any other violation of the Act or Rules
The average cost of a data breach in India can reach approximately ₹220 million – before any regulatory penalty is applied. That combination makes this data protection checklist – a direct risk management priority.
Conclusion
The DPDPA compliance checklist is an ongoing process. Consent design, security controls, breach response and rights management all need to be embedded into how your organisation handles data day to day. The DPDP Rules, 2025 have made this a legal mandate – and the enforcement window is already open.
CyberNX’s DPDP Act consulting services are built for organisations going through this transition – from data mapping and consent architecture to governance setup and breach readiness. If you want to validate your current posture or build a DPDPA compliance checklist tailored to your organisation, connect with our experts today.
DPDPA compliance checklist FAQs
What is the final deadline for DPDPA compliance?
Full operational compliance under the DPDP Rules, 2025 is required by May 13, 2027 – 18 months after the rules were notified on November 13, 2025. The Consent Manager framework activates one year earlier, on November 13, 2026.
Who does this DPDP Act checklist apply to?
Any firm or entity that is collecting or processing digital personal data of individuals in India have to comply. This also includes foreign companies offering goods or services to Indian residents.
What happens if a data breach is not reported on time?
If you fail to notify the DPBI or affected Data Principals of a breach, it can lead to a penalty of up to ₹200 crore per incident under the DPDP Rules. The initial notification must go to the DPBI without delay and a detailed follow-up within 72 hours.
How does the DPDPA differ from GDPR?
The DPDPA requires consent for each specific purpose. GDPR allows broader legitimate interest processing without consent. The age threshold for children is 18 under DPDPA versus 13 to 16 under GDPR. The DPDPA also does not include a right to data portability. Penalties under DPDPA can reach ₹250 crore per violation.




