Compliance Checklist for Data Fiduciaries
India has enacted the new Digital Personal Data Protection Act (DPDPA), 2023 which is intended to safeguard the collection, use and sharing of personal data about Indian citizens. Whether you are a startup or a corporation, or just a data processor, knowing what you need to do in a compliant manner is extremely important. Hence, the checklist below lists the important compliance obligations for Registered Data Fiduciaries and Significant Data Fiduciaries in a brief, simple checklist to help maintain legal compliance and build user trust:
Simple Checklist for DPDPA Compliance (2025)
TL;DR: DPDPA Compliance Checklist (India) – What Businesses Must Know
- DPIA (Data Protection Impact Assessment): Required for high-risk data activities to identify and reduce privacy risks. (Section 10(2)(c)(i))
- Data Protection Measures (Security): Implement technical and organizational safeguards to prevent data breaches and unauthorized access. (Sections 8(4), 8(5))
- Legacy Consent Notification: Inform existing users about data usage, rights, and how to withdraw consent. (Section 5(2))
- Notice and Consent Collection: Obtain clear, informed, specific, and revocable consent before collecting personal data. (Sections 5(1), 6(1), 6(3), 7)
- Consent Management System: Allow users to give, manage, and withdraw consent easily via a platform or Consent Manager. (Sections 6(7)–6(10))
- Parental Consent & Child Data Handling: If collecting children’s data then collect verifiable parental consent for minors under 18 and restrict tracking/ads. (Sections 9(1)–9(3))
- Cross-border Data Transfer Controls: Transfer of personal data outside India allowed unless restricted by the government; ensure jurisdictional safety. (Sections 3(b), 16)
- Data Processing/Sharing Agreements: Sign contracts when engaging third parties to process or access personal data. (Section 8(2))
- DPAR (Access, Correction, Erasure, Grievance Mechanism): Enable users to exercise their data rights and file complaints. (Sections 11, 12, 13)
- Preference Centre (Consent Dashboard) (Optional): A user-friendly interface to manage consents and preferences. (Implied: Sections 6(3), 6(4), 6(7))
- Breach Notification: Notify the Board and users promptly in case of a data breach. (Section 8(6))
- Data Retention & Erasure Policy: Delete personal data when purpose is fulfilled or consent is withdrawn. (Section 8(7))
- Data Protection Officer (DPO): Appoint a DPO in India for compliance if you are a Significant Data Fiduciary. (Section 10(2)(a))
- Grievance Redress Mechanism: Provide a clear process for handling user complaints and closing them in time. (Section 13)
- Nomination Facility: Allow users to nominate someone to manage their data after death or incapacity. (Section 14)
- Record of Processing Activities (ROPA): Maintain an internal log of all data processing activities. (Implied)
Checklist outlines the key obligations and activities for Data Fiduciaries to ensure compliance with the Digital Personal Data Protection Act, 2023.
| Compliance Requirement | Who It Applies To | Section(s) | Purpose / Description |
| Data Protection Impact Assessment (DPIA) | Significant Data Fiduciaries | Sec 10(2)(c)(i) | Assess and mitigate risks from personal data processing |
| Data Protection Measures (Security) | All Data Fiduciaries | Sec 8(4), 8(5) | Ensure reasonable technical and organizational safeguards to prevent data breaches |
| Legacy Consent Notification | Data Fiduciaries with existing data | Sec 5(2) | Inform existing users about purpose, rights, and withdrawal mechanism |
| Notice and Consent Collection | All Data Fiduciaries | Sec 5(1), 6(1), 6(3), 7 | Obtain valid, specific, informed, and revocable consent before collecting personal data |
| Consent Management System | All processing personal data (esp. via processors) | Sec 6(7)–6(10) | Allow users to give, manage, and withdraw consent (via Consent Manager or platform) |
| Parental Consent & Child Data Handling | Entities processing data of children (<18 yrs) | Sec 9(1)–9(3) | Obtain verifiable consent from parent/guardian; restrict tracking and ads |
| Cross-border Data Transfer Controls | Entities transferring data internationally | Sec 3(b), 16 | Allowed unless restricted by government notification; ensure jurisdictional safety |
| Data Processing/Sharing Agreements | Data Fiduciaries using processors or third parties | Sec 8(2) | Formal contract required for lawful processing by third parties |
| DPAR Setup (Access, Correction, Erasure, Grievances) | All Data Fiduciaries | Sec 11, 12, 13 | Enable Data Principals to exercise their rights; establish grievance channels |
| Preference Centre (Consent Dashboard) (Optional) | Recommended for all | Implied: Sec 6(3), 6(4), 6(7) | Centralized view for users to manage consents (user-friendly best practice) |
| Breach Notification | All Data Fiduciaries | Sec 8(6) | Notify the Board and affected individuals promptly in case of a data breach |
| Data Retention & Erasure Policy | All Data Fiduciaries | Sec 8(7) | Erase data when purpose is fulfilled or consent is withdrawn |
| Data Protection Officer (DPO) | Significant Data Fiduciaries | Sec 10(2)(a) | Appoint DPO based in India as compliance point of contact |
| Grievance Redress Mechanism | All Data Fiduciaries and Consent Managers | Sec 13 | Mechanism to receive, respond to, and close grievances within a set time |
| Nomination Facility (Post-death or incapacity) | All Data Principals | Sec 14 | Allow users to nominate someone to manage their data in case of death or incapacity |
| Record of Processing Activities (ROPA) (Implied) | Recommended for all | Implied | Maintain internal log of data processing for governance and audit readiness |
DPDPA Compliance Checklist Explained
1. Data Protection Impact Assessment (DPIA)
- Expectation: If you are a Significant Data Fiduciary handling large volumes of personal or sensitive data, you must assess whether your data activities could harm people’s rights or safety.
- What You Should Do: Before starting any high-risk data projects (like using AI or tracking behavior), do a detailed assessment to find out what could go wrong.
- Why It Matters: This helps you avoid harm, plan ahead, and follow the law. It also shows regulators that you take privacy seriously.
2. Data Protection Measures (Security)
- Expectation: Every company that collects or uses personal data must protect it with proper security steps.
- What You Should Do: Use strong passwords, encryption, limited access, and regular checks to prevent data leaks or hacks.
- Why It Matters: It keeps people’s data safe and protects your organization from legal trouble or bad publicity.
3. Legacy Consent Notification
- Expectation: If you collected people’s data before the new law took effect, you must inform them of their rights and how you use their data.
- What You Should Do: Send users a message explaining the purpose of collecting their data, their rights, and how they can withdraw their consent.
- Why It Matters: It keeps your use of old data legal and builds user trust.
4. Notice and Consent Collection
- Expectation: Before you collect personal data, you must ask clearly and give people all the necessary information.
- What You Should Do: Create easy-to-read notices explaining why you need the data and get clear, specific permission (consent) from the user.
- Why It Matters: It ensures that users are aware and in control. Without consent, using data could be illegal.
5. Consent Management System
- Expectation: You must make it easy for users to give, manage, or take back their consent at any time.
- What You Should Do: Set up a system or work with a Consent Manager where users can see what they agreed to and make changes.
- Why It Matters: It helps users stay in control of their data and proves your compliance with the law.
6. Parental Consent & Child Data Handling
- Expectation: If you collect data from children under 18, you must first get permission from their parent or guardian.
- What You Should Do: Verify the age of users, confirm parental identity, and don’t show ads or track children’s behavior.
- Why It Matters: It protects children’s privacy and avoids serious legal risks for your business.
7. Cross-border Data Transfer Controls
- Expectation: You can send personal data to another country only if it’s safe and not restricted by the government.
- What You Should Do: Check if the other country has good privacy laws and follow any rules issued by the Indian government.
- Why It Matters: You avoid fines or bans on global operations by ensuring data is safe even outside India.
8. Data Processing/Sharing Agreements
- Expectation: If you share data with other companies or use external processors, you must have a legal contract.
- What You Should Do: Sign a contract with clear terms about what data can be used, how it must be protected, and who is responsible.
- Why It Matters: It prevents misuse of data and clarifies roles if something goes wrong.
9. DPAR Setup (Data Access, Correction, Erasure, Grievances)
- Expectation: Every organization must let users see their data, correct it, delete it, or file a complaint.
- What You Should Do: Build a portal or support system where users can request changes or raise issues about their data.
- Why It Matters: It gives users full rights over their data and shows that you care about their concerns.
10. Preference Centre (Consent Dashboard) (Optional)
- Expectation: It’s a best practice (not mandatory) to create a dashboard where users can manage their data preferences easily.
- What You Should Do: Make a user-friendly page showing what data is collected and let users change their consent at any time.
- Why It Matters: It builds trust and makes it easy to stay compliant with consent laws.
11. Breach Notification
- Expectation: If there’s a data breach, you must inform the government and affected users quickly.
- What You Should Do: Have a plan to detect breaches and send out notices with all important details as soon as possible.
- Why It Matters: It reduces harm to users and shows that your organization acts responsibly in a crisis.
12. Data Retention & Erasure Policy
- Expectation: You should not keep personal data longer than needed and must delete it when it’s no longer required.
- What You Should Do: Set rules for how long to keep each type of data and delete it when the purpose is complete or the user withdraws consent.
- Why It Matters: It keeps data storage clean and reduces risks of keeping unnecessary personal data.
13. Data Protection Officer (DPO)
- Expectation: If you are a Significant Data Fiduciary, you must appoint a Data Protection Officer in India.
- What You Should Do: Hire a trained person to handle privacy compliance, respond to the Board, and guide your team.
- Why It Matters: It shows commitment to privacy and provides a clear contact point for issues or audits.
14. Grievance Redress Mechanism
- Expectation: Every user must be able to file a complaint and get a response within a reasonable time.
- What You Should Do: Set up support systems like helpdesks, email channels, or chatbots to manage and solve grievances.
- Why It Matters: It ensures fairness for users and keeps you compliant with the law.
15. Nomination Facility (Post-death or incapacity)
- Expectation: Users should be allowed to nominate someone to manage their data if they pass away or become unfit.
- What You Should Do: Let users add a nominee through account settings, and make sure their rights are respected after death or incapacity.
- Why It Matters: It gives users peace of mind and avoids confusion or legal issues later.
16. Record of Processing Activities (ROPA) (Implied)
- Expectation: Even if not directly written in the law, it is smart to keep a record of what data you collect, why, and how you use it.
- What You Should Do: Create a detailed log or document listing all your data processes, purposes, and third-party interactions.
- Why It Matters: It prepares you for audits, helps with internal checks, and improves overall data governance.
How to Follow DPDPA the Smart Way
Adhering to the regulations outlined in the Digital Personal Data Protection Act (DPDPA), 2023, is an ongoing process. It is an ongoing process that takes the right mix of people, known processes, and clever tools. This Compliance checklist is a useful launching point, but how you do each step will depend on the size of your company, the nature of your industry, and the amount of personal data you process.
Provided they have adequate direction, your legal or IT staff can perform some of the tasks such as listing the types of data you collect, drafting basic rules, or drafting user notices. However, more complex tasks require specialist help and the right tools, such as conducting a Data Protection Impact Assessment (DPIA), creating a transparent consent flow, handling data shared outside India, or preparing for a data breach.
Tools are also required to create tools such as a Consent Management System for easy complaint filing by users, to retain the documentation of your data handling processes. Upskilling your team on how to use the right tools early will save you money, and allow you to always be prepared in case of a request by the government to review your system.
At Concur-Consent Manager, we have built our application to comply with all of the stipulations set forth by the latest regulations from the government of India, and we can provide you assistance at any level – it doesn’t matter if you are a startup, a small business, or a large organization that gathers a lot of personal information. We can help if you want to comply with the regulations with the respect of fiscal prudence, less effort, or just establish your level of readiness.
