Compliance Checker
DPDPA Readiness Checklist
Answer 30 questions across 6 categories. Get an instant readiness score and category-wise breakdown.
1. Data Mapping & Inventory
1. Have you identified all personal data your organisation collects?
2. Do you maintain a Record of Processing Activities (RoPA) mapping data types, purposes, and retention periods?
3. Have you identified all third-party vendors (Data Processors) who handle personal data on your behalf?
4. Do you have Data Processing Agreements (DPAs) in place with all your Data Processors?
5. Have you classified the personal data you process by category (e.g. identifiers, contact, financial, health, biometric, children's data) and mapped where each category is stored?
2. Consent Management
6. Do you collect explicit, specific, informed, and unambiguous consent before processing personal data?
7. Is your consent mechanism free of dark patterns (no pre-ticked boxes, no misleading language)?
8. Do you provide a consent notice in plain language before or at the time of collection?
9. Does your consent notice clearly state the purpose of processing?
10. Can users withdraw consent as easily as they gave it?
11. Do you maintain a timestamped audit log of all consents given and withdrawn?
3. Data Principal Rights
12. Do you have a mechanism for Data Principals to access a summary of their personal data?
13. Can Data Principals request correction or completion of inaccurate/incomplete data?
14. Can Data Principals request erasure of their data?
15. Do you have a grievance redressal mechanism that acknowledges and resolves complaints within prescribed timelines?
16. Have you implemented a nomination mechanism for Data Principals to nominate representatives?
4. Children's Data
17. Do you have age-verification mechanisms to identify users under 18?
18. Do you obtain verifiable parental consent before processing data of children?
19. Have you disabled behavioural tracking and targeted advertising for users identified as children?
5. Security & Breach Response
20. Have you implemented technical and organisational security safeguards to prevent data breaches?
21. Do you have a documented incident response plan for personal data breaches?
22. Do you have a process to notify the Data Protection Board of a breach promptly?
23. Do you have a process to notify affected Data Principals of a breach?
24. Do you conduct periodic security audits and vulnerability assessments?
6. Governance
25. Has your organisation designated a point of contact / Data Protection Officer for privacy matters?
26. Have employees who handle personal data received DPDPA awareness training?
27. Do you have a documented data retention and deletion policy?
28. Have you reviewed and updated your Privacy Policy to reflect DPDPA requirements?
29. If you are (or may be notified as) a Significant Data Fiduciary, have you prepared for DPIAs and independent audits?
30. Have you assessed cross-border data transfer obligations and identified restricted countries?
