India’s Data Protection Law Is Here. Is Your Business Ready?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is no longer a distant regulatory concern. It is the law of the land. Passed by the Indian Parliament and receiving Presidential assent in August 2023, the DPDP Act establishes India’s first comprehensive framework for how businesses collect, store, process, and manage personal data belonging to Indian citizens.
If you run a business that handles personal data of individuals in India, whether you are a startup in Bengaluru, a mid-market SaaS company, or an enterprise with global operations, this law applies to you. The obligations are real, the penalties are severe (up to Rs. 250 Crore per violation), and the time to prepare is now.
Most DPDP compliance guides focus exclusively on the legal side: consent forms, privacy policies, and data processing agreements. That matters. But there is an entire layer of compliance that gets overlooked: your hosting and cloud infrastructure. Where your data physically lives, how it is encrypted, whether you have audit trails, and how quickly your infrastructure can support breach notification obligations are all questions the DPDP Act forces you to answer. This guide covers both.

What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 applies to the processing of digital personal data within India, as well as to the processing of personal data outside India if it relates to offering goods or services to individuals in India. The Act draws inspiration from the EU’s GDPR but is tailored to the Indian context, with a focus on digital data and a consent-driven framework.
At its core, the DPDP Act establishes rights for individuals (called Data Principals) and obligations for organizations that process their data (called Data Fiduciaries). It introduces the concept of a Consent Manager, sets up the Data Protection Board of India as the enforcement body, and creates a framework for cross-border data transfers with government-approved whitelisted nations.
The Act covers personal data, which it defines as any data about an individual who is identifiable by or in relation to such data. This includes names, email addresses, phone numbers, IP addresses, financial records, health information, biometric data, and any other information that can identify a person directly or indirectly.
Who Does the DPDP Act Apply To?
The short answer: almost every business operating in India or serving Indian customers.
Data Fiduciaries are any entity (person, company, or organization) that determines the purpose and means of processing personal data. If you run a website that collects user emails, an e-commerce store that processes orders, a SaaS platform where users create accounts, or an internal HR system that stores employee records, you are a Data Fiduciary.
Significant Data Fiduciaries are a subset designated by the government based on the volume and sensitivity of data processed. They face additional obligations including mandatory data protection impact assessments, appointing a Data Protection Officer based in India, and periodic independent audits.
Data Processors are entities that process personal data on behalf of a Data Fiduciary, such as cloud hosting providers, payment processors, and analytics platforms. If you use third-party services to process personal data, you remain responsible for ensuring those processors comply with the Act.
The Act also applies to data processing outside India when the processing is related to offering goods or services to Data Principals within India. A foreign SaaS company serving Indian customers cannot escape compliance simply because its servers are abroad.
Key Obligations Under the DPDP Act
Before diving into the checklist, it is important to understand the four pillars of obligation the Act establishes.
Lawful Consent
Every instance of personal data processing requires a valid legal basis. The primary basis is consent from the Data Principal, which must be free, specific, informed, unconditional, and unambiguous. Consent must be obtained for each specified purpose. Blanket consent or buried clauses in lengthy terms of service will not satisfy the requirements. The Data Principal must also have the ability to withdraw consent as easily as they gave it.
Purpose Limitation
Personal data can only be processed for the specific purpose for which consent was obtained. If a user provides their email address for order updates, you cannot use it for marketing campaigns without obtaining separate consent. This requires organizations to clearly define and document the purpose of each data collection activity.
Storage Limitation
Personal data must not be retained beyond the period necessary for the specified purpose. Once the purpose is fulfilled, or the Data Principal withdraws consent, the data must be erased. This applies to both the Data Fiduciary and any Data Processors handling the data. Organizations need clear data retention policies and the technical capability to delete data across all systems where it is stored.
Data Breach Notification
In the event of a personal data breach, the Data Fiduciary must notify both the Data Protection Board of India and affected Data Principals. The Act requires notification “without delay” (specific timelines are expected in the forthcoming rules). This obligation demands that organizations have breach detection systems, incident response procedures, and the infrastructure to identify exactly what data was compromised and who was affected.
The DPDP Compliance Checklist
This is the practical section. Use this checklist to assess your current state and build your compliance roadmap. Each item is grouped by compliance domain.
Data Discovery and Mapping
- Conduct a personal data inventory. Identify every system, database, application, and third-party service that collects, stores, or processes personal data of Indian individuals. Include databases, CRMs, analytics platforms, email systems, backup storage, and logs.
- Classify data by sensitivity. Categorize personal data into standard personal data (names, emails, phone numbers) and sensitive categories (financial data, health records, biometric data). The classification determines the level of controls required.
- Map data flows end to end. Document how personal data enters your systems, where it moves internally, which third parties receive it, and where it is stored. Include data flows to analytics tools, marketing platforms, cloud storage, and backup systems.
- Identify all data processors. List every third-party vendor, cloud provider, SaaS tool, and contractor that processes personal data on your behalf. This includes your hosting provider, payment gateway, email service, analytics platform, and any outsourced operations.
- Document data retention periods. For each category of personal data, define how long you need to retain it based on the specified processing purpose. Flag any data being retained indefinitely without a documented purpose.
Consent Management
- Implement granular consent mechanisms. Replace blanket consent forms with purpose-specific consent requests. Each distinct processing purpose (order fulfillment, marketing, analytics) requires separate, clearly stated consent.
- Build a consent withdrawal mechanism. Data Principals must be able to withdraw consent as easily as they gave it. Implement a self-service option (account settings, preference center, or dedicated page) where users can revoke specific consents.
- Maintain a consent audit trail. Record when consent was given, for what purpose, through what mechanism, and when it was withdrawn. This log is critical evidence during audits or disputes. Store consent records with timestamps and version history.
- Review consent for existing data. If you have personal data collected before the DPDP Act, assess whether the original consent basis meets the Act’s requirements. You may need to re-obtain consent for previously collected data or establish an alternative legal basis.
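The consent items above (purpose-specific consent, easy withdrawal, and a timestamped audit trail with notice versions) can be implemented as one append-only ledger that is replayed to answer the only question that matters at processing time: does this Data Principal currently permit this specific purpose? The following is an added example written for this guide, not code from the original article or from ZenoCloud; the principal ids, purposes, mechanisms, notice versions and timestamps are constructed for illustration.

```python
"""Purpose-specific consent ledger with withdrawal and an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str      # the Data Principal
    purpose: str           # one specified purpose, e.g. "order_updates" or "marketing"
    action: str            # "grant" or "withdraw"
    mechanism: str         # how consent was captured or revoked (form, preference centre, ...)
    notice_version: str    # version of the privacy notice shown when consent was given
    timestamp: datetime    # UTC


class ConsentLedger:
    """Append-only log. State is derived by replaying events, never by editing them."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                mechanism: str, notice_version: str, at: Optional[datetime]) -> ConsentEvent:
        ts = at or datetime.now(timezone.utc)
        if self._events and ts < self._events[-1].timestamp:
            raise ValueError("events must be appended in chronological order")
        event = ConsentEvent(principal_id, purpose, action, mechanism, notice_version, ts)
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purpose: str, mechanism: str,
              notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        return self._append(principal_id, purpose, "grant", mechanism, notice_version, at)

    def withdraw(self, principal_id: str, purpose: str, mechanism: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal only makes sense against an active grant; it records the
        # notice version of that grant so the audit trail stays self-describing.
        last_grant = self._last_event(principal_id, purpose)
        if last_grant is None or last_grant.action != "grant":
            raise ValueError(f"no active consent from {principal_id} for {purpose}")
        return self._append(principal_id, purpose, "withdraw", mechanism,
                            last_grant.notice_version, at)

    def _last_event(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        last = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                last = ev
        return last

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """True only if the most recent event for (principal, purpose) is a grant."""
        last = self._last_event(principal_id, purpose)
        return last is not None and last.action == "grant"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Full audit trail for one Data Principal, in chronological order."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def process_for_purpose(ledger: ConsentLedger, principal_id: str, purpose: str,
                        handler: Callable[[str], object]) -> object:
    """Gate any processing step on current consent for that specific purpose."""
    if not ledger.is_permitted(principal_id, purpose):
        raise PermissionError(f"no valid consent from {principal_id} for {purpose}")
    return handler(principal_id)


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample history: consent for two purposes, one later withdrawn."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
    ledger.grant("dp-1001", "order_updates", "checkout_form", "notice-v1.0", at=t0)
    ledger.grant("dp-1001", "marketing", "preference_center", "notice-v1.0",
                 at=t0.replace(hour=11))
    ledger.withdraw("dp-1001", "marketing", "preference_center", at=t0.replace(day=15))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print(process_for_purpose(demo, "dp-1001", "order_updates",
                              lambda pid: f"order update sent to {pid}"))
    try:
        process_for_purpose(demo, "dp-1001", "marketing", lambda pid: "campaign sent")
    except PermissionError as exc:
        print("blocked:", exc)
```

Separate consent is recorded per purpose, so a grant for order updates never unlocks marketing, and the ledger never overwrites a record: withdrawal is itself an event, which is exactly the timestamped history an auditor or the Data Protection Board would ask for.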
Technical Controls
- Encrypt personal data at rest. All databases, file systems, and backup storage containing personal data must use encryption at rest. AES-256 is the industry standard. This applies to primary databases, replicas, and backups.
- Encrypt data in transit. All data transmission must use TLS 1.2 or higher. This includes connections between your application and users, between application servers and databases, between your infrastructure and third-party APIs, and data transfer to backup locations.
- Implement access controls and least privilege. Restrict access to personal data to only those employees and systems that require it. Use role-based access control (RBAC), multi-factor authentication (MFA) for administrative access, and regular access reviews.
- Deploy centralized logging and monitoring. Implement a Security Information and Event Management (SIEM) system or equivalent to log all access to personal data. Logs should capture who accessed what data, when, from where, and what actions were taken. These audit logs are essential for breach investigation and compliance audits.
- Implement data erasure capabilities. Build the technical ability to delete a specific individual’s personal data across all systems, including primary databases, backups, caches, logs, analytics systems, and third-party processors. Test the erasure process regularly.
- Secure your hosting infrastructure. Ensure your servers and cloud infrastructure meet security baselines: hardened operating systems, patched software, firewall rules, intrusion detection, vulnerability scanning, and secure configuration management.
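The erasure item above is the one most often implemented as a single SQL DELETE against the primary database, which leaves caches, backup sets and third-party processors untouched. What a practitioner needs is an orchestrator that knows every store holding a Data Principal's data, attempts deletion in each, and then independently verifies that nothing remains before the request is closed. The following is an added example for this guide, not code from the article or from ZenoCloud; the store names, record payloads and the deliberately failing third-party processor are constructed to show how a partial failure is surfaced rather than silently ignored.

```python
"""Erasure across every registered store, with an independent verification pass (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Protocol


class DataStore(Protocol):
    """Minimal interface each system holding personal data must expose."""
    name: str

    def delete_principal(self, principal_id: str) -> None: ...

    def holds(self, principal_id: str) -> bool: ...


class DictStore:
    """In-memory stand-in for a database table, cache, log index or backup set."""

    def __init__(self, name: str, records: Dict[str, str]) -> None:
        self.name = name
        self._records = dict(records)  # principal_id -> payload (constructed sample)

    def delete_principal(self, principal_id: str) -> None:
        self._records.pop(principal_id, None)

    def holds(self, principal_id: str) -> bool:
        return principal_id in self._records


class UnreachableProcessorStore(DictStore):
    """Simulates a third-party processor whose deletion API is down (constructed failure)."""

    def delete_principal(self, principal_id: str) -> None:
        raise ConnectionError(f"{self.name}: deletion API unreachable")


@dataclass
class ErasureResult:
    principal_id: str
    failed: Dict[str, str] = field(default_factory=dict)   # store -> error message
    remaining: List[str] = field(default_factory=list)     # stores still holding data

    @property
    def complete(self) -> bool:
        """Only a result with no failures and no remaining copies may close the request."""
        return not self.failed and not self.remaining


def erase_principal(stores: List[DataStore], principal_id: str) -> ErasureResult:
    """Attempt deletion in every store that reports holding the principal, then re-verify all."""
    result = ErasureResult(principal_id)
    for store in stores:
        if not store.holds(principal_id):
            continue  # nothing to delete here; the verification pass re-checks anyway
        try:
            store.delete_principal(principal_id)
        except Exception as exc:  # keep going: one failing store must not mask the others
            result.failed[store.name] = str(exc)
    # Verification is a separate pass over every store, not trust in the delete calls.
    result.remaining = [s.name for s in stores if s.holds(principal_id)]
    return result


def build_demo_stores() -> List[DataStore]:
    """Constructed sample: one principal spread over four stores, one of them unreachable."""
    return [
        DictStore("primary_db", {"dp-1001": "profile row", "dp-2002": "profile row"}),
        DictStore("session_cache", {"dp-1001": "cached session"}),
        DictStore("backup_2024_06", {"dp-1001": "backup copy", "dp-2002": "backup copy"}),
        UnreachableProcessorStore("email_processor", {"dp-1001": "subscriber record"}),
    ]


if __name__ == "__main__":
    stores = build_demo_stores()
    for pid in ("dp-1001", "dp-2002"):
        r = erase_principal(stores, pid)
        print(pid, "complete" if r.complete else f"INCOMPLETE failed={r.failed} remaining={r.remaining}")
```

The point of the separate verification pass is the regular erasure test the checklist calls for: a request is closed only when every store, including backups and processors, reports no copy, and an incomplete result is the signal to escalate to the vendor rather than to mark the ticket done.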
Organizational Measures
- Appoint a Data Protection Officer (if applicable). Significant Data Fiduciaries must appoint a DPO based in India. Even if not legally required, designating a privacy lead improves accountability.
- Create a data protection policy. Draft an internal policy covering data handling procedures, acceptable use, incident escalation, employee responsibilities, and enforcement mechanisms. This is not the same as a public privacy policy.
- Publish a clear privacy notice. Your privacy policy must describe what personal data you collect, the purpose of processing, how long you retain data, Data Principal rights, contact details for grievance redressal, and the right to file a complaint with the Data Protection Board.
- Train employees on data protection. Conduct regular training sessions for all employees who handle personal data. Cover consent requirements, data handling procedures, breach identification, and individual responsibilities under the DPDP Act.
- Establish vendor assessment procedures. Before engaging any data processor, assess their security posture, data handling practices, and DPDP compliance readiness. Include data protection obligations in all vendor contracts with clear terms for breach notification, data deletion, and audit rights.
Breach Response
- Build an incident response plan. Document a step-by-step procedure for responding to personal data breaches. Include roles and responsibilities, escalation paths, investigation procedures, notification templates, and communication protocols.
- Implement breach detection capabilities. Deploy monitoring systems that can detect unauthorized access, data exfiltration, and anomalous activity in real time. Your SIEM system, intrusion detection system, and application-level monitoring should all feed into breach detection.
- Prepare notification templates. Draft notification templates for both the Data Protection Board and affected Data Principals in advance. During a breach, speed matters. Having templates ready reduces response time.
- Conduct tabletop exercises. Run simulated breach scenarios at least annually to test your incident response plan. Identify gaps in detection, investigation, notification, and communication. Improve the plan based on findings.
- Document remediation procedures. After any breach, document the root cause analysis, remediation steps taken, and preventive measures implemented. This documentation demonstrates due diligence to the Data Protection Board.

The Infrastructure Angle: What Most Compliance Guides Miss
Here is where DPDP compliance discussions typically end. Legal obligations are outlined, policy templates are suggested, and infrastructure is treated as an afterthought. That is a mistake. Your hosting and cloud infrastructure is the foundation on which every technical control in the checklist above is built. If the foundation is weak, compliance is a fiction.
Where Is Your Data Physically Stored?
The DPDP Act permits cross-border data transfers to government-approved countries but restricts transfers to nations specifically blacklisted by the Central Government. Regardless of the legal position, data residency is a practical compliance advantage.
When your personal data resides in Indian data centers, you eliminate jurisdictional ambiguity. You avoid scenarios where a foreign government’s data access laws conflict with Indian data protection requirements. Auditors and the Data Protection Board are far more comfortable with Indian-resident data. For businesses serving primarily Indian customers, hosting data in India is the simplest path to compliance.
Is Your Hosting Provider Compliant?
Under the DPDP Act, you remain responsible for what your data processors do with personal data. Your hosting provider is a data processor. Ask these questions: Does your provider encrypt data at rest on their storage systems? Do they provide audit logs showing who accessed your infrastructure? What is their breach notification timeline to you? Can they support data deletion requests across all storage layers, including backups? Do they have physical security controls and access audits at their data centers?
If your hosting provider cannot answer these questions clearly, they are a compliance liability.
Do You Have Audit Logs?
The DPDP Act does not prescribe specific technical standards, but the requirement for breach notification and the Data Protection Board’s investigative powers mean you need comprehensive logging. When a breach occurs, you must be able to answer: What data was accessed? When was it accessed? Who or what system accessed it? How did the unauthorized access occur?
This requires centralized log aggregation, real-time monitoring, and tamper-proof log storage. If your infrastructure lacks a SIEM or equivalent logging system, building one should be near the top of your compliance priorities.
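Two requirements from above, the audit log fields in the Technical Controls checklist (who accessed what, when, from where, and what action) and the tamper-proof storage called for here, can be met with a hash-chained log: each entry carries a digest over its own fields plus the previous entry's digest, so editing or deleting any entry breaks every verification after it. The following is an added example for this guide; it is not code from the article, from ZenoCloud, or from Wazuh, and the actors, addresses and resources in the sample entries are constructed.

```python
"""Tamper-evident audit log for access to personal data (added example)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the chain
    timestamp: str      # ISO-8601 UTC
    actor: str          # user or service identity
    source_ip: str      # where the access came from
    action: str         # read / update / delete / export
    resource: str       # table or object touched, including the record id
    prev_hash: str      # entry_hash of the previous entry (or GENESIS)
    entry_hash: str     # SHA-256 over all fields above


def _digest(seq: int, timestamp: str, actor: str, source_ip: str,
            action: str, resource: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    payload = json.dumps([seq, timestamp, actor, source_ip, action, resource, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, timestamp: str, actor: str, source_ip: str,
               action: str, resource: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, timestamp, actor, source_ip, action, resource, prev,
                           _digest(seq, timestamp, actor, source_ip, action, resource, prev))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[AuditEntry]) -> Optional[int]:
    """Return the seq of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e.seq != expected_seq or e.prev_hash != prev:
            return expected_seq  # gap, reordering or deletion
        recomputed = _digest(e.seq, e.timestamp, e.actor, e.source_ip,
                             e.action, e.resource, e.prev_hash)
        if recomputed != e.entry_hash:
            return expected_seq  # field edited after the fact
        prev = e.entry_hash
    return None


def accesses_to(entries: List[AuditEntry], resource_prefix: str) -> List[AuditEntry]:
    """Breach-investigation query: every access to records under a given prefix."""
    return [e for e in entries if e.resource.startswith(resource_prefix)]


# Helpers that model what an attacker or a careless admin might do to stored logs.
def tamper_actor(entries: List[AuditEntry], index: int, new_actor: str) -> List[AuditEntry]:
    """Copy of the log with one entry's actor field rewritten (hash left as it was)."""
    copy = list(entries)
    copy[index] = dataclasses.replace(copy[index], actor=new_actor)
    return copy


def drop_entry(entries: List[AuditEntry], index: int) -> List[AuditEntry]:
    """Copy of the log with one entry removed."""
    return entries[:index] + entries[index + 1:]


def build_demo_log() -> AuditLog:
    """Constructed sample: three accesses to customer records, one of them an export."""
    log = AuditLog()
    log.append("2024-06-01T09:15:02Z", "svc-orders", "10.0.1.12", "read", "customers/dp-1001")
    log.append("2024-06-01T09:16:40Z", "admin-rk", "10.0.9.7", "export", "customers/dp-1001")
    log.append("2024-06-01T09:20:11Z", "svc-orders", "10.0.1.12", "update", "customers/dp-2002")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", verify_chain(log.entries))
    print("after edit:", verify_chain(tamper_actor(log.entries, 1, "svc-orders")))
    print("after deletion:", verify_chain(drop_entry(log.entries, 1)))
```

The chain makes tampering detectable, not impossible: whoever can rewrite the whole log can rebuild the hashes. That is why the entries (or at least the latest entry hash, periodically) should be shipped to a separate, append-only store that the systems being audited cannot write to, which is the role a centralized SIEM plays.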
Encryption Across the Stack
Encryption is not a checkbox. It is a continuous practice across your entire data lifecycle. Your compliance posture requires encryption at rest for all databases and storage volumes, encryption in transit for all network communication including internal service-to-service calls, encryption for backups (a frequently overlooked gap), and key management practices that prevent unauthorized decryption. Many organizations encrypt their primary databases but leave backup storage unencrypted. In a compliance audit, that gap can be the difference between a clean report and a penalty.
Backup and Disaster Recovery
The DPDP Act requires that you can fulfil data erasure requests and that you can recover from incidents to maintain data processing operations. Your backup and disaster recovery strategy must support both obligations. Backups must be encrypted. Backup retention policies must align with your data retention policies (you cannot delete data from production but keep it indefinitely in backups). Backup restoration must be tested regularly, and you must have documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Penalties for Non-Compliance
The DPDP Act establishes significant financial penalties, structured in a schedule to the Act.
Failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to Rs. 250 Crore (approximately $30 million USD). Failure to notify the Board and affected individuals of a data breach carries a penalty of up to Rs. 200 Crore. Non-fulfilment of obligations relating to children’s data can result in a penalty of up to Rs. 200 Crore. Failure to comply with duties of a Data Fiduciary, including purpose limitation and storage limitation, carries penalties of up to Rs. 150 Crore. Breach of any other provision of the Act or rules carries a penalty of up to Rs. 50 Crore.
These are not theoretical risks. The Data Protection Board of India has the authority to investigate complaints, conduct inquiries, and impose penalties. For startups and mid-market businesses, even the lower end of these penalties can be existential.
The Act also allows for penalties to be imposed on the individuals responsible within an organization, not just the corporate entity. This means that negligence is not just an organizational risk but a personal one for founders, CTOs, and data handling teams.
How ZenoCloud Helps You Meet DPDP Requirements
Most businesses do not need to build compliance infrastructure from scratch. Choosing the right hosting partner gets you halfway there. ZenoCloud’s managed hosting infrastructure is designed with the security and compliance controls that DPDP demands.
India-Based Data Centers
ZenoCloud operates data center infrastructure in India, eliminating data residency concerns entirely. Your personal data stays within Indian borders, on servers managed by a team that understands both the technical and regulatory landscape.
Wazuh SIEM Across 1,000+ Servers
ZenoCloud deploys Wazuh, an enterprise-grade open-source SIEM platform, across its entire fleet of 1,000+ managed servers. This provides real-time threat detection and intrusion monitoring, file integrity monitoring to detect unauthorized changes, comprehensive audit logging of system and application events, compliance dashboards that map directly to regulatory requirements, and centralized log aggregation with tamper-proof storage.
When the Data Protection Board asks for evidence of your security monitoring, your Wazuh deployment is the answer. Every server access, configuration change, and security event is logged, timestamped, and stored.
Encryption at Rest and in Transit
Every ZenoCloud managed server is configured with encryption at rest for storage volumes and TLS enforcement for all data in transit. This includes database storage, application data, backup transfers, and inter-service communication. Encryption is not an add-on or an upgrade tier. It is the default configuration.
Encrypted, Tested Backups
ZenoCloud’s backup infrastructure provides automated daily backups with encryption, off-site backup storage for disaster recovery, documented and tested restore procedures, configurable retention policies that align with your DPDP data retention requirements, and the ability to perform granular data deletion from backup sets when processing erasure requests.
24/7 Monitoring and Incident Response
DPDP breach notification requirements depend on your ability to detect breaches quickly. ZenoCloud’s operations team monitors infrastructure around the clock. Anomalous activity triggers immediate investigation. If a security incident affects your infrastructure, the ZenoCloud team is part of your breach response chain, providing forensic data, timeline reconstruction, and remediation support.
Compliance-Ready Infrastructure
Rather than retrofitting compliance onto existing infrastructure, ZenoCloud builds compliance into the foundation. Server hardening follows CIS benchmarks. Access controls enforce least privilege. Patch management is automated. Vulnerability scanning runs continuously. Every layer of the stack is configured with the assumption that it will be audited.
Your Next Step
DPDP compliance is not a one-time project. It is an ongoing practice that spans legal, organizational, and technical domains. The checklist in this guide gives you a structured starting point. But the infrastructure layer, the servers, databases, encryption, monitoring, and backup systems that hold and protect personal data, is where compliance lives or dies.
If you are unsure whether your current hosting infrastructure meets DPDP requirements, ZenoCloud offers a free DPDP readiness assessment for your infrastructure. Our team will evaluate your current setup against the Act’s requirements, identify gaps in encryption, logging, access controls, and data residency, and provide a prioritized remediation plan.
Request your free DPDP infrastructure assessment and start building compliance on a foundation that holds up under scrutiny.