DPDP Act | 10 min read | 10 March 2026

DPDP Compliance Checklist for Indian Startups: 20 Things to Do Now

A practical, prioritised checklist for Indian startups to achieve DPDP Act compliance. No fluff — just the 20 actions that matter most.

I have worked with over a dozen Indian startups on DPDP compliance in the last year. The pattern is always the same — founders know the Act exists, they know it is important, but they do not know where to start.

So here is my no-nonsense checklist. Twenty things, prioritised by what will actually get you in trouble if you ignore them. I have grouped them into "do this week," "do this month," and "do in 90 days."

Do This Week — The Non-Negotiables

1. Audit Your Data Collection Points

Open every form on your website and app. Sign-up forms, contact forms, checkout pages, newsletter subscriptions. Write down every field that collects personal data. Most startups are shocked to find 15-20 collection points they had forgotten about.

2. Update Your Privacy Policy

Your current privacy policy was probably copied from a template in 2022. Rewrite it to include: what data you collect, why, who you share it with, how long you keep it, how users can exercise their rights, and how they can complain to the Data Protection Board. Write it in plain English, or in Hindi or any other language listed in the Eighth Schedule of the Constitution, which is what the Act permits for the notice.

3. Fix Your Consent Mechanism

No pre-ticked checkboxes. No bundled consent. Each purpose needs its own opt-in. If you collect emails for transactional updates AND marketing, those are two separate consents. Make the consent language clear and specific — "I agree to receive promotional emails from GRCDesk" is good. "I agree to the terms" with consent buried inside is not.

4. Add a Consent Withdrawal Option

Every marketing email needs an unsubscribe link. Your app needs a privacy settings page where users can revoke consent. The DPDP Act says withdrawal must be as easy as giving consent. One click to subscribe means one click to unsubscribe.
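To make items 3 and 4 concrete, here is a small consent ledger in Python. It is an added example, not GRCDesk code and not anything the Act prescribes; the purpose names and notice version strings are assumptions made up for illustration. A consent record covers exactly one purpose, the current state is derived from an append-only history, and withdrawing is the same one-call operation as granting.

```python
"""Per-purpose consent ledger (added example, not GRCDesk code).

Design points it demonstrates:
  * a consent record is for exactly ONE purpose, so bundling is not expressible;
  * history is append-only, so you can show what a user agreed to and when;
  * withdrawal is a single call, mirroring grant().
Purpose names and notice versions below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each purpose is declared on its own with its plain-language description.
PURPOSES = {
    "transactional_email": "Order confirmations and account notices",
    "marketing_email": "Promotional emails",
    "analytics": "Product usage analytics",
}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    action: str                    # "granted" or "withdrawn"
    notice_version: Optional[str]  # privacy notice the user saw when granting
    at: datetime


class ConsentLedger:
    """Append-only history of consent events; current state is derived from it."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _record(self, user_id: str, purpose: str, action: str,
                notice_version: Optional[str]) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        event = ConsentEvent(user_id, purpose, action, notice_version,
                             datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def grant(self, user_id: str, purpose: str, notice_version: str) -> ConsentEvent:
        # One purpose per call. Two opt-ins on a form mean two grant() calls,
        # each tied to the notice text that was shown at the time.
        return self._record(user_id, purpose, "granted", notice_version)

    def withdraw(self, user_id: str, purpose: str) -> ConsentEvent:
        # Same shape as grant(): one call, nothing else to unwind.
        return self._record(user_id, purpose, "withdrawn", None)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """The latest event for (user, purpose) decides; no event means no consent."""
        state = False
        for event in self._events:
            if event.user_id == user_id and event.purpose == purpose:
                state = event.action == "granted"
        return state

    def history(self, user_id: str) -> list[ConsentEvent]:
        """Everything this user granted or withdrew, oldest first."""
        return [e for e in self._events if e.user_id == user_id]


def demo() -> ConsentLedger:
    """Constructed walk-through: a sign-up with two separate opt-ins, then one withdrawal."""
    ledger = ConsentLedger()
    ledger.grant("user-42", "transactional_email", "notice-v3")
    ledger.grant("user-42", "marketing_email", "notice-v3")
    ledger.withdraw("user-42", "marketing_email")   # the "unsubscribe" click
    return ledger
```

The gate in your sending code is `has_consent(user, "marketing_email")`, evaluated at send time rather than cached at sign-up. Because `grant()` takes a single purpose, a record where marketing and transactional email were accepted together under one checkbox simply cannot be written, and `history()` gives you the dated evidence trail if a user or the Board asks what was agreed.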

5. Designate a Privacy Point of Contact

Someone in your company needs to be responsible for data protection queries. Publish their email on your privacy policy page. This does not need to be a full-time DPO for most startups — but someone needs to own it.

Do This Month — Building the Foundation

6. Create a Data Map

Document what personal data you hold, where it is stored, who has access, and why you have it. Include your database, CRM, email marketing tool, analytics, cloud storage, HR system — everything. This map is the foundation for everything else.

7. Review Your Third-Party Vendors

List every SaaS tool that touches personal data. Your CRM, payment gateway, analytics tool, customer support platform, email service. Check where their servers are. Check if they have a Data Processing Agreement (DPA). If they do not, get one signed.

8. Set Up a Data Subject Rights Process

Create a simple process for handling requests from users — access, correction, deletion. At minimum, a dedicated email address like privacy@yourcompany.com with a commitment to respond within a set timeframe. Track every request in a spreadsheet until you outgrow it.

9. Implement Basic Access Controls

Not everyone in your company needs access to all customer data. Implement role-based access. Your marketing team does not need access to payment information. Your finance team does not need access to user behaviour data. Principle of least privilege — give people only what they need.

10. Enable Encryption

HTTPS on your website, with plain HTTP redirected to it (if you do not have this already, there is a bigger problem). Encryption at rest for your database, and for its backups and snapshots, which are the copies people forget. TLS on every connection to third-party services. Most cloud providers offer this by default, but defaults differ per service and per account, so verify it is actually turned on for each resource rather than assuming it is.
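"Verify it is actually turned on" is a query, not a belief. As an added example (not GRCDesk code), the Python below reads the JSON that `aws rds describe-db-instances`, `aws rds describe-db-snapshots` and `aws ec2 describe-volumes` return and lists every resource that is not encrypted at rest, backups included. The sample responses embedded at the bottom are constructed; the field names are the ones those commands actually emit.

```python
"""Find storage that is NOT encrypted at rest from AWS CLI JSON output.

Added example, not GRCDesk code. Run the CLI commands yourself and feed the
JSON in; the sample documents at the bottom are constructed for illustration.
Field names (StorageEncrypted, Encrypted, ...) are the real ones in the
describe-db-instances, describe-db-snapshots and describe-volumes responses.
"""
import json
from typing import Any


def unencrypted_db_instances(describe_db_instances: dict[str, Any]) -> list[str]:
    """RDS instances whose StorageEncrypted flag is false or missing."""
    return [db["DBInstanceIdentifier"]
            for db in describe_db_instances.get("DBInstances", [])
            if not db.get("StorageEncrypted", False)]


def unencrypted_db_snapshots(describe_db_snapshots: dict[str, Any]) -> list[str]:
    """RDS snapshots (backups) that are unencrypted; these are easy to forget."""
    return [snap["DBSnapshotIdentifier"]
            for snap in describe_db_snapshots.get("DBSnapshots", [])
            if not snap.get("Encrypted", False)]


def unencrypted_volumes(describe_volumes: dict[str, Any]) -> list[str]:
    """EBS volumes without encryption (the account-level default may be off)."""
    return [vol["VolumeId"]
            for vol in describe_volumes.get("Volumes", [])
            if not vol.get("Encrypted", False)]


def encryption_report(rds_json: str, snapshots_json: str,
                      volumes_json: str) -> dict[str, list[str]]:
    """Parse the three CLI outputs and return every unencrypted resource by type.
    An empty list under every key is the result you want."""
    return {
        "rds_instances": unencrypted_db_instances(json.loads(rds_json)),
        "rds_snapshots": unencrypted_db_snapshots(json.loads(snapshots_json)),
        "ebs_volumes": unencrypted_volumes(json.loads(volumes_json)),
    }


# --- constructed sample responses (shape of the real CLI output, values invented) ---
SAMPLE_RDS = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "prod-customers", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "staging-customers", "StorageEncrypted": False},
]})
SAMPLE_SNAPSHOTS = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "prod-customers-2026-03-01", "Encrypted": True},
    {"DBSnapshotIdentifier": "manual-copy-for-analyst", "Encrypted": False},
]})
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a1b2c3d", "Encrypted": True},
    {"VolumeId": "vol-0e4f5a6b", "Encrypted": False},
]})

if __name__ == "__main__":
    for kind, ids in encryption_report(SAMPLE_RDS, SAMPLE_SNAPSHOTS, SAMPLE_VOLUMES).items():
        print(f"{kind}: {', '.join(ids) or 'all encrypted'}")
```

In practice you save the real output with `aws rds describe-db-instances --output json > rds.json` and the two sibling commands, then pass the file contents to `encryption_report()`. Note that the staging copy and the analyst's manual snapshot are the ones that fail in the sample; that is the typical pattern, because the production instance got attention and its copies did not. The same approach works for any provider whose CLI or API exposes an encryption flag per resource.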

11. Check if You Process Children's Data

Do users under 18 use your product? If yes, you need age verification and verifiable consent from a parent or lawful guardian, and the Act also prohibits tracking, behavioural monitoring and targeted advertising directed at children. If your product is not meant for children, add an age gate and document that your service is for users 18 and above.

12. Define Data Retention Periods

For every type of personal data you hold, decide how long you need to keep it. Customer data after account deletion? Employee records after they leave? Transaction records? Document these periods and set up a process to actually delete data when the period expires.

Do in 90 Days — Maturing Your Compliance

13. Create a Data Breach Response Plan

Write down exactly what happens when a breach is discovered. Who gets called first? How do you contain it? Who notifies the Data Protection Board of India? Who notifies affected users? What is the communication template? Practice this with a tabletop exercise at least once.

14. Train Your Team

Every employee who handles personal data needs basic training. What is personal data? What are their obligations? How to spot a potential breach? How to handle a data subject request? This does not need to be a full-day workshop — a 30-minute session with a quiz works fine for startups.

15. Review Cross-Border Data Transfers

If you use any service with servers outside India (AWS, Google Cloud, Salesforce, HubSpot — basically everyone), document the transfer. Ensure you have contractual safeguards with those providers. Watch for the government's restricted country list when it is published.

16. Implement Audit Logging

Log who accesses personal data, when, and what they do with it, and keep those logs somewhere the people being logged cannot edit or delete them. If a breach happens, these logs are your evidence that you had controls in place. If an employee leaks data, these logs help you prove it was unauthorised.
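Items 9 and 16 reinforce each other, so one added Python example (not GRCDesk code) covers both: a role-to-data-category permission table that denies by default, wrapped around a store of personal data so that every read, allowed or denied, is written to an append-only, hash-chained audit log. The roles, categories and sample records are assumptions invented for illustration; the real table comes from your data map.

```python
"""Least-privilege access to personal data with a tamper-evident audit trail.

Added example, not GRCDesk code. Roles, data categories and the sample
records are invented for illustration; the real table comes from your data map.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any

# Deny by default: a role may read only the categories listed here.
# Marketing gets no payment data; finance gets no behavioural data.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "support":   {"contact", "orders"},
    "marketing": {"contact"},
    "finance":   {"orders", "payment"},
    "product":   {"behaviour"},
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only JSON-lines log. Each entry records the SHA-256 of the
    previous line, so editing, dropping or reordering an entry breaks verify()."""

    def __init__(self) -> None:
        self.lines: list[str] = []
        self._prev_hash = GENESIS

    def append(self, **fields: Any) -> dict[str, Any]:
        entry = dict(fields, ts=datetime.now(timezone.utc).isoformat(),
                     prev=self._prev_hash)
        line = json.dumps(entry, sort_keys=True)
        self._prev_hash = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return entry

    def entries(self) -> list[dict[str, Any]]:
        return [json.loads(line) for line in self.lines]

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any tampering."""
        prev = GENESIS
        for line in self.lines:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True

    def accesses_to(self, subject_id: str) -> list[dict[str, Any]]:
        """Who actually read this person's data: the question a breach or a
        data subject request will make you answer."""
        return [e for e in self.entries() if e["subject"] == subject_id and e["allowed"]]


class PersonalDataStore:
    """All reads go through read(); there is no unlogged path to the records."""

    def __init__(self, records: dict[str, dict[str, Any]], audit: AuditLog) -> None:
        self._records = records      # subject_id -> {category: value}
        self.audit = audit

    def read(self, actor: str, role: str, subject_id: str,
             category: str, purpose: str) -> Any:
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are logged too: they are the early warning of misuse.
        self.audit.append(actor=actor, role=role, subject=subject_id,
                          category=category, purpose=purpose, allowed=allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {category!r}")
        return self._records[subject_id][category]


# Constructed sample data.
SAMPLE_RECORDS = {
    "user-42": {"contact": "a@example.com", "orders": ["ord-1"],
                "payment": "tok_****4242", "behaviour": {"sessions": 17}},
}


def build_demo() -> tuple[PersonalDataStore, AuditLog]:
    """A marketing user is refused payment data; a support agent reads contact details."""
    log = AuditLog()
    store = PersonalDataStore(SAMPLE_RECORDS, log)
    try:
        store.read("priya", "marketing", "user-42", "payment", "campaign review")
    except PermissionError:
        pass                                     # expected: denied and logged
    store.read("ravi", "support", "user-42", "contact", "ticket #1234")
    return store, log
```

Two things to carry over into a real system: the permission check and the log write live in the same function, so nobody can read personal data without leaving a record, and the `prev` hash on each line means the log itself is evidence rather than an editable text file. Ship the lines to storage the application cannot modify (a separate account, write-once bucket or a log service) and run `verify()` as part of your quarterly review.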

17. Conduct a Formal Gap Assessment

Go through every requirement in the Act systematically and document your compliance status. Where are you compliant? Where are the gaps? What is your remediation plan? Date this assessment — it becomes evidence of your compliance journey.

18. Update Employment Contracts

Your employment agreements should include data protection obligations, confidentiality clauses around personal data, and consequences for violations. Update offer letters for new hires and get existing employees to acknowledge the updated terms.

19. Set Up Periodic Reviews

Compliance is not a one-time activity. Set a quarterly calendar reminder to review your data map, check for new processing activities, verify that retention schedules are being followed, and update your privacy notice if anything has changed.

20. Document Your Compliance Efforts

Keep a compliance file. Date every assessment, every policy update, every training session, every vendor review. If the Data Protection Board ever asks "what have you done to comply?" — this file is your answer.

A Final Note

Perfection is not the goal. The startups that will face the worst outcomes under the DPDP Act are the ones that did absolutely nothing. If you work through this checklist over the next 90 days, you will be ahead of 80% of Indian companies. That is not a guess — that is based on what I see in the field every day.

Start with items 1 through 5 this week. They take a few hours, not days. And they address the most visible compliance gaps — the ones most likely to trigger a complaint.

Akshay
GRC & InfoSec Consultant — ISO 27001, SOC 2, DPDP Act