As compliance deadline looms, a DPDPA gap analysis will do a world of good for enterprises operating in India. A gap analysis usually contains a single step: compare current practice against the Act and note what is missing. But in practice, that may not give a compliance team much to work with. So, what will? is the obvious question.
This blog sets out a working framework you can apply directly, structured across five domains with a simple scoring method. This will help your gap analysis produce a ranked remediation roadmap instead of a general findings document.
Why a scoring framework beats a checklist
With enterprises subject to sweeping data requirements, a YES or NO checklist could not tell you whether the controls would survive a Data Protection Board enquiry, or which gaps carry the highest penalty exposure. But a three-tier scoring model can be of much help.
Score each requirement on a simple scale, moving from no control in place to a fully evidenced one an auditor could review on request.
This scoring approach surfaces the difference between having a privacy policy and having one that maps to actual data flows and is enforced.
Domain one: consent and notice
Consent is the foundation DPDPA is built on, and it is where most gap analyses find the widest spread of scores.
What to assess? Assess whether consent language covers purpose and is specific to each processing activity, rather than bundled into one broad clause. Check whether withdrawal mechanisms exist and stop downstream processing, not just the display of a preference toggle. Confirm whether children’s data has verifiable parental consent workflows where applicable.
Domain two: data mapping and records of processing
You cannot assess a gap in a process you cannot see. Data mapping underpins every other domain.
What to assess? Assess whether a current data inventory exists across on-premises and cloud environments. Check whether Records of Processing Activities capture purpose, legal basis, retention period and processor details per data flow. Confirm whether high-risk processing is flagged, including children’s data, large-scale processing and any category treated as sensitive by internal policy, since DPDPA itself does not carve out a separate sensitive personal data category in the Act.
Domain three: breach response readiness
Rule 7 of the DPDP Rules 2025 sets out a dual-track breach notification requirement with no materiality threshold, which makes this domain unforgiving of gaps.
What to assess? Assess whether detection capability can identify a breach and timestamp it, since that timestamp starts the regulatory clock. Check whether simultaneous notification workflows exist for both the Data Protection Board and affected Data Principals at the initial stage. Confirm whether the 72-hour detailed report process to the DPB is documented, tested and assigned to a named owner.
Domain four: Significant Data Fiduciary readiness
Not every organisation will be designated an SDF, but any organisation handling data at scale should assess its exposure now.
What to assess? Assess DPO appointment readiness, since SDFs require a Data Protection Officer based in India. Check whether independent audit processes are scoped and budgeted. Confirm whether algorithmic due diligence under Rule 13 is documented for any automated or AI-driven processing in scope.
Domain five: vendor and processor risk
DPDPA holds the data fiduciary responsible for a processor’s failures, which makes third-party risk a direct extension of your own gap analysis.
What to assess? Assess whether processor contracts include DPDPA-specific obligations for security, breach notification and rights support, not generic data protection boilerplate. Check whether a vendor risk register tracks which processors touch personal data. Confirm sub-processor visibility exists, since uncontrolled sub-processing carries some of the highest early enforcement risk.
Sample scoring worksheet
Use a simple table like the one below to track scores across domains before building your remediation roadmap.
Once each domain is scored, sequence remediation by penalty exposure first, not by ease of implementation. Breach response gaps and consent gaps typically carry the highest financial exposure under the DPDP Act Schedule, so they should sit above lower-risk items like documentation formatting.
Conclusion
A DPDPA gap analysis is only useful if it produces a prioritised list your organisation will act on. Scoring each domain against a defined maturity tier, rather than a binary checklist, gives compliance teams and leadership a shared, defensible view of where the real exposure sits.
If you are ready to run a structured gap analysis rather than another general review, talk to our DPDPA Consultancy team to get started.
DPDPA gap analysis FAQs
How often should a DPDPA gap analysis be repeated?
At minimum annually, and immediately after any material change such as a new AI system, a new vendor handling personal data or a new business line.
Who should own the gap analysis process internally?
A named privacy lead should own it, working with IT, legal and business unit heads, since data flows cut across all three functions.
Does a gap analysis need external validation?
It is not mandated for every organisation, but Significant Data Fiduciaries require independent audits, and even non-SDF organisations benefit from external review.





