EverydayPDF Logo
DPDP Act 2023 · India

The DPDP Compliance Checklist: 12 Steps Before 13 May 2027

Updated July 5, 2026·10 min read·EverydayPDF Research

Full DPDP enforcement lands on 13 May 2027. This checklist turns the Act and the 2025 Rules into twelve concrete steps, ordered so that each builds on the previous. It is written for organisations without a dedicated compliance team — law firms, CA practices, clinics, schools, D2C brands, SaaS startups.

Step 1 — Map your personal data

List every place personal data enters, lives and leaves: CRM, billing, HR records, email attachments, WhatsApp threads, shared drives — and document folders. A directory of client PDFs (KYC, tax returns, agreements) is personal data at rest just as much as a database is.

Step 2 — Identify your role for each flow

For each data flow, are you the Data Fiduciary (you decide purpose and means) or a Data Processor (you act on someone else's instructions)? Most professional firms are fiduciaries for client personal data. Your obligations attach accordingly.

Step 3 — Establish a lawful basis for every purpose

Match every processing purpose to consent or a Section 7 legitimate use. Anything that matches neither — legacy marketing lists are the classic example — must get fresh consent or stop.

Step 4 — Rewrite your notices

  • Itemise the personal data collected and the specific purpose.
  • Explain how to exercise rights, withdraw consent and complain (to you and to the Data Protection Board).
  • Offer the notice in English or a scheduled language of the user's choice.

Step 5 — Build consent capture and withdrawal

Affirmative action only — no pre-ticked boxes or bundled consent. Log what was consented to and when. Withdrawal must be as easy as granting; if consent takes one click, withdrawal cannot take an email and a phone call.

Step 6 — Audit every third-party tool

Every SaaS product, cloud converter, analytics script or AI assistant that personal data passes through is a Data Processor. For each one you need a contract, confidence in its security safeguards, and an answer to "where does this data go and when is it deleted?". If a free online tool cannot answer that, stop sending personal data to it.

The quickest audit win

Cloud PDF tools are the most common unvetted processor in professional firms. Swapping them for client-side tools — where the file is processed in the browser and never transmitted — removes the processor relationship entirely, and costs nothing.

Step 7 — Implement baseline security safeguards

  • Encryption of personal data at rest and in transit.
  • Access control: who can open what, with logs of access.
  • Monitoring, logging and retention of logs to detect and investigate breaches.
  • Backups sufficient to maintain processing in case of compromise.

Step 8 — Write and test a breach playbook

Under the DPDP regime every personal data breach must be reported — to affected individuals and to the Board, within prescribed timelines. Pre-draft the notification templates, name the decision-maker, and run one tabletop drill. Timeliness of response is an explicit mitigating factor when penalties are assessed.

Step 9 — Set retention and erasure schedules

Define how long each category of personal data is kept and delete it when the purpose is served, subject to statutory retention laws (tax, company law, court records). "We keep everything forever" is now a liability.

Step 10 — Stand up rights handling

Publish a grievance contact and be able to answer access, correction and erasure requests within a defined internal SLA. For most small firms a designated partner and a tracked mailbox is enough — but it must actually work.

Step 11 — Check the Significant Data Fiduciary triggers

If you process large volumes or high-risk data you may be notified as an SDF — bringing an India-based Data Protection Officer, annual Data Protection Impact Assessments and independent audits. Know in advance whether you are near the line.

Step 12 — Document everything

Keep a compliance register: your data map, notices, consent logs, processor list and contracts, safeguard measures, drills and erasure runs. When the Board asks what safeguards you had, the register is your answer.

Start with Step 6 today

Move your document workflows to zero-upload tools — compress, merge, redact, convert and sign PDFs entirely in your browser. One processor fewer to audit, and a documented safeguard for your register.

See all EverydayPDF tools

Frequently asked questions

How long does DPDP compliance take for a small firm?+

For a firm of 5–50 people with typical systems, a focused effort of one to three months covers the twelve steps — data mapping and third-party audit consume most of it. Starting in 2026 leaves comfortable room before the 13 May 2027 deadline; starting in 2027 does not.

Do I need a Data Protection Officer?+

Only Significant Data Fiduciaries — entities notified by the government based on data volume and risk — must appoint a DPO based in India. Everyone else needs a grievance-redressal contact, which can be an existing partner or manager.

Do I need consent from existing customers collected years ago?+

You must send them the new itemised notice as soon as practicable after commencement. Processing under previously given consent can continue until withdrawn, but purposes with no lawful basis (like old marketing lists built without consent) need fresh consent.

What is the single highest-risk gap for professional firms?+

Unvetted third-party tools. The ₹250 crore penalty slab targets failure of reasonable security safeguards, and routinely transferring client documents to free cloud services with no contract and unknown retention is the most common — and most easily fixed — safeguard failure.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.