DPDP compliance checklist for Indian digital businesses.
Use this as a readiness checklist before a customer, investor, partner, or internal stakeholder asks how your business handles personal data.
1. Personal data inventory
List the personal data collected through website forms, app signup, checkout, support, analytics, CRM, WhatsApp, email marketing, payments, logistics, and product usage processes.
2. Purpose and notice mapping
For each data category, document why it is collected, where the user is informed, and whether the privacy notice matches actual operations.
3. Consent and withdrawal flow
Record where consent is captured, how withdrawal is handled, and which systems need to reflect consent status.
4. Vendor and processor register
Maintain a register for hosting, CRM, analytics, payment gateways, email tools, support desks, agencies, logistics providers, and any other processor.
5. User rights and grievance process
Define how access, correction, deletion, grievance, and escalation requests are received, owned, logged, and resolved.
6. Breach readiness
Assign owners for incident triage, evidence preservation, internal escalation, customer communication, and external reporting decisions.
7. Evidence pack
Keep screenshots, policy links, vendor records, process notes, training records, incident playbooks, and remediation plans in a single evidence workspace.