India's Digital Personal Data Protection (DPDP) Act, 2023 — together with the draft DPDP Rules, 2025 — is the country's first comprehensive privacy law. If your startup collects so much as an email address from a person in India, it applies to you. This checklist turns the law into concrete steps you can act on.
1. Map the personal data you hold
You can't protect what you can't see. Build a simple data inventory: what personal data you collect, where it lives, who can access it, which third parties you share it with, and how long you keep it. This single exercise underpins everything below.
2. Fix consent & notice
Consent must be free, specific, informed and unambiguous, given by a clear affirmative action. Your privacy notice must be itemised and in plain language, state the purpose, and explain how users exercise their rights and complain to the Data Protection Board. Pre-ticked boxes and bundled consent won't pass.
3. Honour data-principal rights
Build clear channels so people can access, correct and erase their data, raise grievances, and nominate someone to act for them. Decide your response timeline and publish it.
4. Put reasonable security safeguards in place
The Rules expect technical and organisational measures — encryption, access controls, logging and secure development. A vulnerability assessment or penetration test is the fastest way to find the gaps before an attacker (or the regulator) does.
5. Prepare for the 72-hour breach window
On a personal-data breach you must notify the affected individuals and report the breach to the Board, and submit a full report to the Board within 72 hours. Write the playbook now, setting out who does what and in what order, so you're not improvising during an incident.
6. Handle children's data carefully
Processing the data of anyone under 18 needs verifiable parental consent, and behavioural tracking or targeted ads aimed at children are barred. If children can sign up, you need age-gating and a consent flow.
7. Tidy retention & processors
Define how long you keep each class of data and delete it when the purpose ends. When you outsource processing, sign agreements that spell out each processor's responsibilities and apply stronger due diligence to vendors.
The cost of getting it wrong
Penalties under the Act run into crores of rupees for serious failures — most heavily for inadequate security safeguards. For a startup, the reputational damage of a public breach is often worse than the fine.
We turn DPDP compliance into something you can ship — security audits, breach-readiness and privacy-by-design build. Read our full briefing or get a security review.
This article is general information, not legal advice. For your specific obligations, consult a qualified professional.