
28 March 2026

DPDP Compliance Checklist for Indian Startups and SMEs

A step-by-step checklist for Indian startups to comply with the Digital Personal Data Protection Act 2023. Covers privacy notices, consent, retention, breach reporting, and more.


You've heard about the DPDP Act. You know the May 2027 deadline is coming. But where do you actually start?

Most compliance guides are written for enterprises with legal departments and compliance teams. If you're a startup founder or running a small business, that advice doesn't help much. You don't have a Data Protection Officer. You probably don't have a lawyer on retainer. You just need to know what to do, in what order, so you're not scrambling in 2027.

This checklist is built for that situation. It covers the practical steps, not the legal theory.

Before you start: understand what you're working with

Take an hour and answer these questions honestly:

  • What personal data does your product or service collect? (Names, emails, phone numbers, addresses, payment info, browsing data, device info, government IDs, health data)
  • Where is this data stored? (Your own servers, AWS, Google Cloud, Supabase, a CRM, spreadsheets)
  • Who has access to it? (Your team, third-party tools, payment processors, analytics providers)
  • How long do you keep it? (Forever? Until the user deletes their account? You're not sure?)
  • Do you share it with anyone? (Payment gateways, marketing tools, analytics, delivery partners)

Write this down. It doesn't need to be a formal document yet. You just need a clear picture of your data practices before you can make them compliant.

The checklist

Privacy notice

  • You have a standalone privacy notice on your website (not bundled inside your terms of service)
  • The notice lists every category of personal data you collect
  • For each data category, you state the specific purpose of collection
  • You name your third-party data processors (Razorpay, AWS, Google Analytics, etc.)
  • You state how long you retain each type of data
  • You explain how users can access, correct, or delete their data
  • You provide a clear mechanism for withdrawing consent
  • You mention the right to file a complaint with the Data Protection Board of India
  • You include contact details of a designated privacy contact person (name, email, address)
  • The notice is written in plain language that a regular person can understand

Consent

  • You collect explicit, informed consent before processing personal data
  • Consent is collected separately for each purpose (no bundled consent)
  • No pre-checked boxes are used for consent
  • Users can withdraw consent through a process that is as simple as giving consent
  • You have a record of when and how consent was obtained from each user
  • If you process children's data (under 18), you obtain verifiable parental consent
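The consent items above amount to a small data structure: one record per user and per purpose, stating when and how consent was given or withdrawn, with withdrawal as easy as granting. The following Python sketch is an added example written for this post, not code from the original article or from any product it mentions. The purpose names, the `method` strings and the `ConsentLedger` class are assumptions made for the example; the ledger refuses any "purpose" that is not one of the specific purposes you declared, which is how it enforces the no-bundling rule.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision for one user and one purpose (assumed layout)."""
    user_id: str
    purpose: str      # exactly one purpose per event: never a bundle
    granted: bool     # True = consent given, False = consent withdrawn
    method: str       # how it was obtained, e.g. "checkout_checkbox"
    at: datetime      # when it was obtained (UTC)


class ConsentLedger:
    """Append-only record of when and how each user consented to each purpose."""

    def __init__(self, purposes):
        # The specific purposes listed in your privacy notice (assumed names).
        self.purposes = frozenset(purposes)
        self._events: list = []

    def record(self, user_id, purpose, granted, method, at: Optional[datetime] = None):
        # A list, or a comma-joined string such as "a,b", is a bundled consent;
        # the ledger refuses to store it, so each purpose must be asked separately.
        if not isinstance(purpose, str) or purpose not in self.purposes:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        event = ConsentEvent(user_id, purpose, granted, method,
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def give(self, user_id, purpose, method, at=None):
        return self.record(user_id, purpose, True, method, at)

    def withdraw(self, user_id, purpose, method, at=None):
        # Same single call as giving consent, so withdrawing is never harder.
        return self.record(user_id, purpose, False, method, at)

    def can_process(self, user_id, purpose):
        """True only if the most recent event for this user and purpose is a grant.

        Absence of any event means no consent: a purpose you never asked about
        separately cannot be processed.
        """
        latest = None
        for ev in self._events:
            if (ev.user_id == user_id and ev.purpose == purpose
                    and (latest is None or ev.at >= latest.at)):
                latest = ev   # ties resolve to the later-appended event
        return latest is not None and latest.granted

    def history(self, user_id):
        """Evidence of when and how consent was obtained, for audit or a user request."""
        return [ev for ev in self._events if ev.user_id == user_id]


if __name__ == "__main__":
    # Constructed walkthrough with made-up user ids and purposes.
    ledger = ConsentLedger(["order_updates", "marketing_email"])
    ledger.give("u1", "order_updates", "checkout_checkbox")
    print("order updates allowed:", ledger.can_process("u1", "order_updates"))
    print("marketing allowed:", ledger.can_process("u1", "marketing_email"))
    ledger.withdraw("u1", "order_updates", "account_settings_toggle")
    for ev in ledger.history("u1"):
        print(ev.at.isoformat(), ev.purpose, "granted" if ev.granted else "withdrawn", ev.method)
```

Every code path that sends a marketing email or shares data with a processor should call `can_process` first; the `history` list is what you hand over when a user asks how and when their consent was collected.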

Data retention and deletion

  • You have defined retention periods for each category of personal data
  • Data is deleted once the specified purpose has been fulfilled
  • You have a process (manual or automated) for deleting data when retention periods expire
  • Users are notified at least 48 hours before their data is erased
  • You retain processing logs for at least one year for security and audit purposes
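The retention items above describe a scheduler: each record carries a category with a defined retention period, the user gets notice at least 48 hours before erasure, and every deletion leaves a log line you keep for audit. The example below is added for this post and is not code from the original article or from any product it mentions. The category names, the `Record` layout and the sample data are assumptions; the 3-year and 8-year periods mirror the figures given later in the post, and a category with no timer (such as marketing consent, kept until withdrawal) is skipped.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention period per data category, counted from the trigger date on the
# record (account closure, transaction date, ...). Category names are assumed.
RETENTION = {
    "account": timedelta(days=3 * 365),
    "transaction": timedelta(days=8 * 365),
    "marketing_consent": None,   # kept until consent is withdrawn: no timer
}
NOTICE_WINDOW = timedelta(hours=48)   # minimum notice before erasure


@dataclass(frozen=True)
class Record:
    record_id: str
    user_id: str
    category: str
    trigger_at: datetime                    # when the retention clock started
    notified_at: Optional[datetime] = None  # when the pre-erasure notice went out


def expiry(rec):
    """Date after which the record may be erased, or None if it has no timer."""
    period = RETENTION[rec.category]
    return None if period is None else rec.trigger_at + period


def plan(records, now):
    """Split records into those needing a notice now and those ready to erase."""
    to_notify, to_erase = [], []
    for rec in records:
        exp = expiry(rec)
        if exp is None:
            continue
        if rec.notified_at is None:
            # Notify once we are inside the window, or already overdue.
            if now >= exp - NOTICE_WINDOW:
                to_notify.append(rec)
        elif now >= exp and now - rec.notified_at >= NOTICE_WINDOW:
            # Erase only when expiry has passed AND the user had 48h notice.
            to_erase.append(rec)
    return to_notify, to_erase


def run(records, now):
    """One scheduler pass. Returns (records kept, processing-log lines)."""
    to_notify, to_erase = plan(records, now)
    notify_ids = {r.record_id for r in to_notify}
    erase_ids = {r.record_id for r in to_erase}
    kept, log = [], []
    for rec in records:
        if rec.record_id in erase_ids:
            # The log line is the evidence you retain after the data is gone.
            log.append(f"{now.isoformat()} ERASED {rec.category} {rec.record_id} user={rec.user_id}")
            continue
        if rec.record_id in notify_ids:
            log.append(f"{now.isoformat()} NOTIFIED {rec.category} {rec.record_id} user={rec.user_id}")
            rec = replace(rec, notified_at=now)
        kept.append(rec)
    return kept, log


# Constructed sample data (made-up ids and dates) for a walkthrough.
NOW = datetime(2026, 3, 28, 9, 0, tzinfo=timezone.utc)
LATER_30H = NOW + timedelta(hours=30)
LATER_48H = NOW + timedelta(hours=48)
SAMPLE = [
    Record("r1", "u1", "account", NOW - timedelta(days=3 * 365 + 5)),       # already past expiry
    Record("r2", "u2", "transaction", NOW - timedelta(days=400)),            # years from expiry
    Record("r3", "u3", "marketing_consent", NOW - timedelta(days=900)),      # no timer
    Record("r4", "u4", "account", NOW - timedelta(days=3 * 365, hours=-24)), # expires in 24h
]

if __name__ == "__main__":
    kept, log = run(SAMPLE, NOW)
    print("\n".join(log))                 # r1 and r4 get their notices
    kept, log = run(kept, LATER_30H)
    print("after 30h:", log)              # nothing: notice period not over
    kept, log = run(kept, LATER_48H)
    print("\n".join(log))                 # r1 and r4 erased, r2 and r3 remain
```

The pass at 30 hours is the point of the example: a record whose expiry has passed is still not erased until the full notice window has elapsed since the notice was sent. Run the scheduler on a timer (a daily cron is enough) and ship the returned log lines to wherever you keep your one-year processing logs.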

Data security

  • Personal data is encrypted in transit (HTTPS) and at rest
  • Access to personal data is restricted based on role and need
  • You maintain access logs showing who accessed personal data and when
  • You have a documented process for responding to data breaches
  • You can notify the Data Protection Board and affected users promptly in case of a breach

Third-party processors

  • You have a list of all third-party services that process personal data on your behalf
  • You have data processing agreements or equivalent contractual protections with each processor
  • You've verified that your processors implement reasonable security safeguards
  • If data is transferred outside India, it goes only to countries not restricted by the government

User rights

  • Users can request access to their personal data
  • Users can request correction of inaccurate data
  • Users can request deletion of their data
  • Users can nominate someone to exercise these rights on their behalf
  • You respond to these requests within a defined timeframe (we recommend 30 days or less)
  • Your privacy notice explains how to exercise these rights

Operational readiness

  • You have a designated person responsible for handling privacy queries
  • This person's contact information is published on your website
  • Your team knows what to do if a user submits a data access or deletion request
  • Your team knows what to do if you discover a data breach

What most startups get wrong

A few patterns come up repeatedly when we look at Indian business privacy policies:

Vague purpose statements. "We collect data to improve our services" is not specific enough under the DPDP Act. You need to say exactly what the data is used for. "We collect your email address to send you order confirmation emails and shipping updates" is specific. "To improve our services" is not.

No mention of the Data Protection Board. Almost every Indian company privacy policy we've reviewed omits the complaint mechanism to the Data Protection Board. This is a mandatory disclosure under Section 5(1)(e) of the Act.

No retention periods. Saying "we retain data as long as necessary" is not a retention policy. You need defined timeframes. Account data for 3 years after account closure. Transaction records for 8 years (as required under the Income Tax Act). Marketing consent records until withdrawal.

Missing third-party disclosures. If you use Razorpay for payments, Google Analytics for tracking, AWS for hosting, and Mailchimp for emails, all of these need to be disclosed in your privacy notice. Your users should know who else has access to their data.

Consent bundling. A single checkbox that says "I agree to the terms of service, privacy policy, and marketing communications" bundles multiple consents together. Under the DPDP Act, each purpose needs separate consent.

Priority order

If you can't do everything at once, focus on these first:

  1. Privacy notice with all mandatory disclosures
  2. Consent collection that meets the "free, specific, informed, unambiguous" standard
  3. A named contact person with published contact details
  4. A documented data breach response process
  5. Defined retention periods for your main data categories

Everything else can follow over the next few months. But these five items form the foundation. Without them, you're clearly non-compliant on day one of enforcement.

How long does this take?

For a typical startup or small business, getting the basics in place takes about 2 to 4 weeks of focused effort. That includes drafting or updating your privacy notice, setting up consent flows, defining retention periods, and documenting your breach response process.

The operational pieces (like automated deletion, consent logging, and user rights request handling) take longer to implement properly. Plan for 2 to 3 months for a complete setup.

The DPDP Act gives you until May 2027. That sounds like a lot of time, but if you're also running a business, building product, and managing customers, it goes fast.


Need help getting started? Privly generates a complete set of DPDP-compliant documents for your business in about 15 minutes. Check your current policy or generate your compliance pack.
