DPDP Act: A Practical Compliance Checklist for Corporates

September 05, 2025 (8 minute read)

The Digital Personal Data Protection Act marks the most consequential shift in Indian information law in a generation. While the statute's headline obligations have been widely discussed, our advisory work with listed and unlisted clients has surfaced a recurring need: an internal, operational checklist that translates principles into department-level workstreams.

The starting point, in our view, is mapping. Most enterprises understand where customer data sits, but few have a current inventory of vendor sub-processing, cross-functional data flows, and historical retention practices. A defensible compliance posture begins with a data map that is owned, not merely documented, by an accountable internal function.

Notice and consent must then be re-architected around the Act's specificity standard. Generic privacy disclosures, layered consents bundled with terms of service, and pre-ticked checkboxes will not survive scrutiny. Boards should expect to revisit consumer-facing flows, employee onboarding, and B2B contractual notices in lockstep.

Grievance redressal is the discipline most often underestimated. The Act contemplates a named officer, defined turnaround windows, and an auditable trail. We advise clients to treat the grievance pipeline with the same rigour as a SEBI complaints register: version-controlled, time-stamped, and reviewed at the committee level.

Finally, vendor and cross-border transfer governance will demand a contractual refresh. Standard data-processing addenda drafted under the IT Rules regime will need to be retired in favour of DPDP-aligned templates, with sharper allocation of liability and clearer protocols for breach notification.

Compliance with the DPDP Act is not a single-quarter project. It is a programme, and the firms that begin building it now will be the ones that treat regulator engagement as a strength rather than an exposure.

Oakbridge Law
Corporate & Commercial Law Chambers, Bengaluru