Resources

Practical reference tools built from primary texts. Use them, print them, share them.

Checklist

DPDPA 2023 Compliance Checklist

A structured checklist covering consent, data principal rights, data fiduciary obligations, breach response, and cross-border transfer requirements under the Digital Personal Data Protection Act 2023.

Comparison Table

GDPR vs DPDPA: Quick-Reference Guide

Side-by-side comparison of 16 key dimensions across GDPR and India's DPDPA 2023 — consent standards, data subject rights, breach timelines, cross-border rules, and penalty exposure.

DPDPA 2023 Compliance Checklist

Prepared by Adv. Sanket Shah · advsanketshah.github.io · Law stated as of April 2026 · For reference only, not legal advice

1. Consent and Notice

  • Notice provided before or at the time of collecting personal data, in plain language
  • Notice specifies the data being collected and the purpose of processing
  • Consent obtained through a clear affirmative action (no pre-ticked boxes)
  • Consent is specific, informed, and freely given
  • Mechanism in place for data principal to withdraw consent at any time
  • Legitimate use cases (without consent) identified and documented where applicable

2. Data Principal Rights

  • Right to access: process in place for data principals to request a summary of the data processed
  • Right to correction and erasure: mechanism to action correction/deletion requests
  • Right to grievance redressal: contact point or DPO identified and published
  • Right to nominate: mechanism available for data principals to nominate another person to exercise rights on death or incapacity

3. Data Fiduciary Obligations

  • Data collected is limited to what is necessary for the stated purpose (data minimisation)
  • Data is not retained beyond the period necessary for the stated purpose
  • Reasonable security safeguards implemented to prevent personal data breach
  • Data processing agreements in place with all data processors
  • Significant Data Fiduciary (SDF) status assessed; additional obligations mapped if applicable

4. Data Breach Response

  • Incident response plan documented and tested
  • Process in place to notify the Data Protection Board and affected data principals of breaches
  • Notification timelines tracked and assigned to a responsible team

5. Cross-Border Transfers

  • All cross-border data transfers identified and mapped
  • Restricted countries/territories list monitored for Central Government notifications
  • Transfer mechanisms reviewed for each cross-border flow

GDPR vs DPDPA 2023: Quick-Reference Comparison

Prepared by Adv. Sanket Shah · Law stated as of April 2026 · For reference only, not legal advice

Each dimension below gives the GDPR (EU) position first and the DPDPA 2023 (India) position second.

Scope
  • GDPR (EU): Personal data of EU residents; extraterritorial reach for data processed outside EU
  • DPDPA 2023 (India): Digital personal data processed in India, or data processed outside India offering goods/services to Indian residents

Legal bases for processing
  • GDPR (EU): 6 bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
  • DPDPA 2023 (India): 2 primary bases: consent; legitimate use (includes employment, state functions, emergencies, research)

Consent standard
  • GDPR (EU): Freely given, specific, informed, unambiguous affirmative act
  • DPDPA 2023 (India): Free, specific, informed consent with right to withdraw; notice required before or at collection

Children's data
  • GDPR (EU): Parental consent required below 16 (member states can lower to 13)
  • DPDPA 2023 (India): Parental consent required below 18; no processing for behavioural monitoring of children

Data subject rights
  • GDPR (EU): Access, rectification, erasure, restriction, portability, objection, automated decision rights
  • DPDPA 2023 (India): Access, correction, erasure, grievance redressal, nomination right; no portability right yet

Data portability
  • GDPR (EU): Yes
  • DPDPA 2023 (India): No (not yet)

DPO requirement
  • GDPR (EU): Mandatory for certain controllers (public bodies, large-scale processing)
  • DPDPA 2023 (India): Significant Data Fiduciaries must appoint a DPO based in India

Data breach notification
  • GDPR (EU): 72 hours to supervisory authority; without undue delay to data subjects (if high risk)
  • DPDPA 2023 (India): Promptly to Data Protection Board and affected data principals (timeline to be prescribed by rules)

Cross-border transfers
  • GDPR (EU): Adequacy decision, SCCs, BCRs, or derogations
  • DPDPA 2023 (India): Permitted except to countries/territories restricted by Central Government notification

Data localisation
  • GDPR (EU): No general requirement
  • DPDPA 2023 (India): Possible for SDFs (to be prescribed)

DPIA / risk assessment
  • GDPR (EU): Mandatory for high-risk processing
  • DPDPA 2023 (India): Required for SDFs; general obligation to implement reasonable safeguards

Supervisory authority
  • GDPR (EU): National DPA in each member state; one-stop-shop for cross-border cases
  • DPDPA 2023 (India): Data Protection Board of India (DPB)

Max penalty (financial)
  • GDPR (EU): Higher of €20M or 4% of global annual turnover
  • DPDPA 2023 (India): Up to INR 250 crore per instance; up to INR 200 crore for breach of child data obligations

Processor obligations
  • GDPR (EU): Direct obligations under GDPR; mandatory written DPA with controller
  • DPDPA 2023 (India): Data processors bound by contract with fiduciary; no direct statutory obligations on processors

Sensitive data category
  • GDPR (EU): Special categories: health, race, religion, biometric, genetic, political, sexual orientation, etc.
  • DPDPA 2023 (India): No separate sensitive data category in the Act; rules may prescribe additional obligations

Rules / implementing legislation
  • GDPR (EU): Directly applicable; member state derogations where permitted
  • DPDPA 2023 (India): DPDP Rules (draft published Nov 2024); final rules not yet notified as of Apr 2026