India's Digital Personal Data Protection Act (DPDPA) 2023 is no longer a future problem — with the DPDP Rules in force, enforcement readiness is a present obligation for nearly every business holding customer or employee data. Here's the checklist we use with clients, in plain language.
First: does DPDPA apply to you?
If you store customer phone numbers, employee Aadhaar or PAN copies, CCTV footage, CVs, or marketing lists in digital form — yes. The Act applies to businesses of every size, and penalties (up to ₹250 crore for failing reasonable security safeguards) scale with the violation, not your revenue.
The 10-point checklist
1. Map your data. Inventory what personal data you collect, where it is stored (CRM, Tally, Excel, email, WhatsApp), who can access it, and why you need it.
2. Fix your privacy notice. Provide a plain-language notice at every collection point stating what you collect, why, and how to complain or withdraw consent.
3. Rebuild consent. Consent must be free, specific, informed and as easy to withdraw as to give. Pre-ticked boxes don't count.
4. Minimize. Delete data you no longer need: old CVs, ex-customer KYC, years of CCTV. Data you don't hold can't be breached.
5. Implement security safeguards. Encryption, access control, MFA on email and critical apps, endpoint protection, logging and tested backups. This is the ₹250-crore clause.
6. Handle data principal rights. A defined process for access, correction and erasure requests, with a named owner and an SLA.
7. Prepare breach response. An incident playbook, including notification to the Data Protection Board and affected users, drafted before you need it.
8. Control your vendors. Payroll, CRM, hosting and marketing agencies process data on your behalf, and the liability is yours. Update the contracts.
9. Mind children's data. Data of anyone under 18 requires verifiable parental consent, and tracking or targeted advertising aimed at children is prohibited.
10. Train your people. Most breaches start with an employee mistake; short, regular awareness training is both a safeguard and evidence of diligence.
Where ISO 27001 fits
DPDPA's "reasonable security safeguards" are not defined in the Act, but ISO 27001 controls are the most defensible interpretation available. If you are considering certification anyway, a combined programme covers both with one effort.
Start with a gap assessment
Invitty runs DPDPA gap assessments for businesses across South India: a jargon-free report showing exactly where you stand and a prioritized 8–12 week remediation plan.