DPDP Act Compliance Checklist for IT Teams
What the DPDP Act Means for IT Teams
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection law. For IT teams in Indian SMEs, it creates specific obligations around how personal data is collected, stored, processed, and deleted. Non-compliance can result in penalties of up to ₹250 crore. Here is what you need to do.
1. Data Mapping & Inventory
You cannot protect data you do not know about. Create a data map showing: what personal data you collect (name, email, phone, Aadhaar, PAN, address, etc.), where it is stored (which databases, file servers, cloud services, spreadsheets), who has access to it (internal roles and external vendors who process it), and how long you keep it (retention periods for each data category).
2. Consent Management
You must obtain explicit, informed consent before collecting any personal data. Consent must be: free (not a condition of service), specific (purpose mentioned), informed (what data, why, how long), and withdrawable (user can withdraw anytime). Your systems must record: what the user consented to, when they consented, and which version of your privacy policy was in effect at the time of consent (version stamping).
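The record-keeping part of this item is the one IT teams most often get wrong, because consent is stored as a single boolean on the user row and the policy version is lost. The following is an added example, not code from the original checklist or any product it refers to: an append-only consent ledger in which every grant or withdrawal is stamped with the policy version in effect at that moment, and every use of personal data is gated on an active, purpose-specific consent. Class and function names (ConsentLedger, record_consent, process_for_purpose, consent_demo) and the sample principal, purposes and dates are assumptions constructed for illustration.

```python
"""Version-stamped consent ledger (added example; names and sample data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: a grant or a withdrawal."""
    principal_id: str                  # the Data Principal the event belongs to
    purpose: str                       # the specific purpose consent was requested for
    data_categories: Tuple[str, ...]   # categories covered (empty on withdrawal)
    policy_version: str                # privacy policy version in effect at the time
    granted: bool                      # True = consent given, False = withdrawn
    timestamp: datetime                # when the event was recorded (UTC)


class ConsentLedger:
    """Append-only ledger: past events are never edited, only superseded."""

    def __init__(self, current_policy_version: str) -> None:
        self.current_policy_version = current_policy_version
        self._events: List[ConsentEvent] = []

    def publish_policy(self, version: str) -> None:
        """Later events are stamped with the new version; earlier events keep theirs."""
        self.current_policy_version = version

    def record_consent(self, principal_id: str, purpose: str, data_categories,
                       when: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(principal_id, purpose, tuple(data_categories),
                             self.current_policy_version, True,
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw_consent(self, principal_id: str, purpose: str,
                         when: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(principal_id, purpose, (), self.current_policy_version,
                             False, when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        latest = None
        for event in self._events:  # insertion order, so the last match is newest
            if event.principal_id == principal_id and event.purpose == purpose:
                latest = event
        return latest

    def is_consent_active(self, principal_id: str, purpose: str, category: str) -> bool:
        """A withdrawal after a grant wins; a category never consented to is never active."""
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.granted and category in latest.data_categories

    def history(self, principal_id: str) -> List[dict]:
        """Readable export of everything recorded for one principal (for access requests)."""
        return [{"purpose": e.purpose, "granted": e.granted,
                 "categories": list(e.data_categories),
                 "policy_version": e.policy_version,
                 "timestamp": e.timestamp.isoformat()}
                for e in self._events if e.principal_id == principal_id]


def process_for_purpose(ledger: ConsentLedger, principal_id: str,
                        purpose: str, category: str) -> str:
    """Gate every use of personal data on an active, purpose-specific consent."""
    if not ledger.is_consent_active(principal_id, purpose, category):
        return "refused: no active consent"
    return "processed"


def consent_demo() -> dict:
    """Grant under policy 1.0, publish 1.1, withdraw; all sample data is constructed."""
    ledger = ConsentLedger(current_policy_version="1.0")
    ledger.record_consent("user-42", "order-updates", ["email", "phone"],
                          when=datetime(2024, 1, 5, tzinfo=timezone.utc))
    before = process_for_purpose(ledger, "user-42", "order-updates", "email")
    never_asked = process_for_purpose(ledger, "user-42", "marketing", "email")
    ledger.publish_policy("1.1")
    ledger.withdraw_consent("user-42", "order-updates",
                            when=datetime(2024, 3, 1, tzinfo=timezone.utc))
    after = process_for_purpose(ledger, "user-42", "order-updates", "email")
    return {"before": before, "never_asked": never_asked, "after": after,
            "history": ledger.history("user-42")}


if __name__ == "__main__":
    import json
    print(json.dumps(consent_demo(), indent=2))
```

The history export shows the first event stamped "1.0" and the withdrawal stamped "1.1", which is exactly the evidence an auditor asks for: not just that the user consented, but to which policy text. Because the ledger is append-only, withdrawing consent never erases the proof that it was once validly given.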
3. Data Principal Rights
Data Principals (the individuals whose data you hold) have the right to: access (what you have, in a readable format), correction (fix inaccurate data), erasure (delete their data when it is no longer needed for the stated purpose), grievance redressal (complaints handled within a defined timeline), and nomination (designate someone to manage their data after death). Your helpdesk should have a dedicated process for handling these requests within the mandated 30-day response time.
4. Technical Safeguards
Implement: encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access controls with quarterly reviews, audit logging of all data access and modification events, multi-factor authentication for all systems containing personal data, data breach detection and notification procedures (notify the Data Protection Board and affected Data Principals within 72 hours), and secure data deletion mechanisms (certified wiping for storage devices, confirmed deletion for digital records).
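Three of these safeguards (role-based access control, audit logging of every access and modification event, and confirmed deletion) fit naturally in one piece of application code. The block below is an added example, not code from the original checklist: a small data store where every operation passes through an authorization check, the audit log records the attempt whether it was allowed or denied, and delete() reports success only after verifying the record is gone. The role names, the ROLE_PERMISSIONS table, the class and function names (AuditLog, PersonalDataStore, access_demo) and the sample record are assumptions constructed for illustration.

```python
"""RBAC + audit logging + confirmed deletion (added example; names and data are assumptions)."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Role -> actions it may perform on personal-data records (constructed sample policy).
ROLE_PERMISSIONS: Dict[str, set] = {
    "helpdesk": {"read"},
    "privacy_officer": {"read", "update", "delete"},
    "marketing": set(),  # no direct access to raw personal data
}


class AuditLog:
    """Append-only log of every access or modification attempt, allowed or not."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, role: str, action: str, record_id: str,
               allowed: bool, when: Optional[datetime] = None) -> dict:
        entry = {"timestamp": (when or datetime.now(timezone.utc)).isoformat(),
                 "actor": actor, "role": role, "action": action,
                 "record_id": record_id, "allowed": allowed}
        self.entries.append(entry)
        return entry

    def denied_attempts(self) -> List[dict]:
        """Denied events are what the quarterly access review looks at first."""
        return [e for e in self.entries if not e["allowed"]]

    def to_jsonl(self) -> str:
        """One JSON object per line, ready to ship to a log collector."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


class PersonalDataStore:
    """In-memory store in which every operation goes through _authorize()."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self._records: Dict[str, dict] = {}

    def seed(self, record_id: str, record: dict) -> None:
        self._records[record_id] = dict(record)  # constructed sample data only

    def _authorize(self, actor: str, role: str, action: str, record_id: str) -> None:
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(actor, role, action, record_id, allowed)  # log before deciding
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action} {record_id}")

    def read(self, actor: str, role: str, record_id: str) -> dict:
        self._authorize(actor, role, "read", record_id)
        return dict(self._records[record_id])

    def update(self, actor: str, role: str, record_id: str, changes: dict) -> dict:
        self._authorize(actor, role, "update", record_id)
        self._records[record_id].update(changes)
        return dict(self._records[record_id])

    def delete(self, actor: str, role: str, record_id: str) -> bool:
        """Confirmed deletion: True only if the record is verifiably absent afterwards."""
        self._authorize(actor, role, "delete", record_id)
        self._records.pop(record_id, None)
        return record_id not in self._records


def access_demo() -> dict:
    """Allowed read, denied read, confirmed delete; the sample record is constructed."""
    audit = AuditLog()
    store = PersonalDataStore(audit)
    store.seed("cust-1001", {"name": "A. Example", "email": "a@example.invalid"})
    read_email = store.read("asha", "helpdesk", "cust-1001")["email"]
    try:
        store.read("ravi", "marketing", "cust-1001")
        denied = False
    except PermissionError:
        denied = True
    deleted = store.delete("priya", "privacy_officer", "cust-1001")
    return {"read_email": read_email, "denied": denied, "deleted": deleted,
            "denied_count": len(audit.denied_attempts()),
            "total_events": len(audit.entries), "log": audit.to_jsonl()}


if __name__ == "__main__":
    print(json.dumps(access_demo(), indent=2))
```

Two design points matter here. The audit entry is written before the authorization decision is enforced, so a denied attempt is always on record and cannot be hidden by the exception path. And delete() does not trust that pop() succeeded; it re-checks the store, which is the cheap in-application form of the "confirmed deletion" the checklist asks for.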
5. Vendor Compliance
Every vendor that processes personal data on your behalf must have a Data Processing Agreement (DPA) in place. The DPA must specify: what data they process, for what purpose, how long they keep it, their security measures, data breach notification commitment, and their obligation to delete data when the contract ends. Audit high-risk vendors annually.
6. Documentation & Records
Maintain records of: all data processing activities (what, why, where, who), consent records with version-stamped policy references, data breach reports (even if no notification was required), data principal request logs (access, correction, erasure, grievance), data protection impact assessments for high-risk processing activities, and training records for employees who handle personal data.