The DPDP Compliance Checklist: 12 Steps Before 13 May 2027
Full DPDP enforcement lands on 13 May 2027. This checklist turns the Act and the 2025 Rules into twelve concrete steps, ordered so that each builds on the previous. It is written for organisations without a dedicated compliance team — law firms, CA practices, clinics, schools, D2C brands, SaaS startups.
Step 1 — Map your personal data
List every place personal data enters, lives and leaves: CRM, billing, HR records, email attachments, WhatsApp threads, shared drives — and document folders. A directory of client PDFs (KYC, tax returns, agreements) is personal data at rest just as much as a database is.
Step 2 — Identify your role for each flow
For each data flow, are you the Data Fiduciary (you decide purpose and means) or a Data Processor (you act on someone else's instructions)? Most professional firms are fiduciaries for client personal data. Your obligations attach accordingly.
Step 3 — Establish a lawful basis for every purpose
Match every processing purpose to consent or a Section 7 legitimate use. Anything that matches neither — legacy marketing lists are the classic example — must get fresh consent or stop.
Step 4 — Rewrite your notices
- Itemise the personal data collected and the specific purpose.
- Explain how to exercise rights, withdraw consent and complain (to you and to the Data Protection Board).
- Offer the notice in English or a scheduled language of the user's choice.
Step 5 — Build consent capture and withdrawal
Affirmative action only — no pre-ticked boxes or bundled consent. Log what was consented to and when. Withdrawal must be as easy as granting; if consent takes one click, withdrawal cannot take an email and a phone call.
Step 6 — Audit every third-party tool
Every SaaS product, cloud converter, analytics script or AI assistant that personal data passes through is a Data Processor. For each one you need a contract, confidence in its security safeguards, and an answer to "where does this data go and when is it deleted?". If a free online tool cannot answer that, stop sending personal data to it.
The quickest audit win
Cloud PDF tools are the most common unvetted processor in professional firms. Swapping them for client-side tools — where the file is processed in the browser and never transmitted — removes the processor relationship entirely, and costs nothing.
Step 7 — Implement baseline security safeguards
- Encryption of personal data at rest and in transit.
- Access control: who can open what, with logs of access.
- Monitoring, logging and retention of logs to detect and investigate breaches.
- Backups sufficient to maintain processing in case of compromise.
Step 8 — Write and test a breach playbook
Under the DPDP regime every personal data breach must be reported — to affected individuals and to the Board, within prescribed timelines. Pre-draft the notification templates, name the decision-maker, and run one tabletop drill. Timeliness of response is an explicit mitigating factor when penalties are assessed.
Step 9 — Set retention and erasure schedules
Define how long each category of personal data is kept and delete it when the purpose is served, subject to statutory retention laws (tax, company law, court records). "We keep everything forever" is now a liability.
Step 10 — Stand up rights handling
Publish a grievance contact and be able to answer access, correction and erasure requests within a defined internal SLA. For most small firms a designated partner and a tracked mailbox is enough — but it must actually work.
Step 11 — Check the Significant Data Fiduciary triggers
If you process large volumes or high-risk data you may be notified as an SDF — bringing an India-based Data Protection Officer, annual Data Protection Impact Assessments and independent audits. Know in advance whether you are near the line.
Step 12 — Document everything
Keep a compliance register: your data map, notices, consent logs, processor list and contracts, safeguard measures, drills and erasure runs. When the Board asks what safeguards you had, the register is your answer.
Start with Step 6 today
Move your document workflows to zero-upload tools — compress, merge, redact, convert and sign PDFs entirely in your browser. One processor fewer to audit, and a documented safeguard for your register.
See all EverydayPDF toolsFrequently asked questions
How long does DPDP compliance take for a small firm?+
For a firm of 5–50 people with typical systems, a focused effort of one to three months covers the twelve steps — data mapping and third-party audit consume most of it. Starting in 2026 leaves comfortable room before the 13 May 2027 deadline; starting in 2027 does not.
Do I need a Data Protection Officer?+
Only Significant Data Fiduciaries — entities notified by the government based on data volume and risk — must appoint a DPO based in India. Everyone else needs a grievance-redressal contact, which can be an existing partner or manager.
Do I need consent from existing customers collected years ago?+
You must send them the new itemised notice as soon as practicable after commencement. Processing under previously given consent can continue until withdrawn, but purposes with no lawful basis (like old marketing lists built without consent) need fresh consent.
What is the single highest-risk gap for professional firms?+
Unvetted third-party tools. The ₹250 crore penalty slab targets failure of reasonable security safeguards, and routinely transferring client documents to free cloud services with no contract and unknown retention is the most common — and most easily fixed — safeguard failure.
Continue reading
Enforcement timeline
From the 2023 Act to the May 2027 hard deadline — every date, and what to do in each quarter.
Is your PDF tool compliant?
The five questions to ask any document tool before sending client files to it — and the architecture that makes them moot.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
Consent requirements
The anatomy of valid consent — notice contents, withdrawal, Section 7 legitimate uses, and consent managers.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
