How to Comply with the DPDP Act
A Practical, Step-by-Step Guide for Indian Organizations.
Complying with the Digital Personal Data Protection Act, 2023 requires Indian organizations to understand their data practices, obtain valid consent, apply reasonable safeguards, and maintain ongoing accountability.
The Roadmap
Understand If DPDP Applies to You
✔ DPDP applicability depends on processing, not company size.
✔ Assume it applies if you collect data digitally (App, CRM, Website) or digitize offline records.
Identify What Personal Data You Process
✔ You cannot protect what you don’t understand.
Create a simple list: What is collected? From whom? For what purpose? Focus on visibility, not perfection.
Define Purpose & Lawful Basis
✔ Data must be processed for clear, lawful purposes.
✔ Ask yourself: “Why do we need this data?” and “Have we communicated this?”
Note: Most processing requires Consent.
Design Clear Consent & Notices
✔ Consent must be Free, Informed, Specific, Unconditional, and Withdrawable.
Action: Review your forms and privacy notices. Ensure they aren’t hidden or bundled.
Implement Reasonable Security Safeguards
✔ The Act expects safeguards based on risk.
✔ Examples: Access controls, secure hosting, and role-based permissions.
Action: Identify where high-volume or sensitive data lives and lock it down.
Prepare for User Rights
✔ Users (Data Principals) have the right to Access, Correct, and Erase their data.
Action: Set up a simple internal process (and a contact email) to handle these requests as they come in.
Be Data Breach Ready
✔ You must act responsibly if a breach occurs (Identifying -> Correcting -> Notifying).
Action: Create a basic response plan: Who do we call first?
Assign Accountability
✔ Compliance isn’t a one-time task.
Action: Decide who owns DPDP internally. For larger organizations, consider a DPO or external advisory.
Proportionate Compliance
✔ Startups: Focus on basics.
✔ Enterprises: Structured governance.
Remember: Over-compliance is as risky as under-compliance.
Compliance Is a Journey, Not a Checklist
With the right structure, compliance becomes manageable. Dataclyr supports you at every stage.
