90 days to DPDP compliance: practical checklist

Posted by: Atul Srivastava Date: 08 Dec 2025

The Digital Personal Data Protection (DPDP) Act is no longer a distant regulation on the horizon — it’s real, it’s operational, and organisations are expected to demonstrate tangible progress toward compliance. While full readiness can take months, the first 90 days are critical. They set the foundation for long-term compliance, reduce early risks, and help organisations quickly understand their obligations.

This guide gives you a practical, actionable 90-day checklist to get your organisation moving with confidence. 

Why the First 90 Days Matter

Most organisations underestimate DPDP compliance because they equate it with "updating the privacy policy." In reality, the Act introduces fundamental changes in how personal data must be collected, processed, shared, and secured. 

The first 90 days are about: 

  • Understanding the data landscape 
  • Identifying compliance gaps 
  • Establishing governance 
  • Reducing immediate risks 
  • Preparing for deeper technical and operational work 

Get these first steps right, and the rest becomes manageable. 

The 90-Day DPDP Compliance Checklist: 

Day 1–30: Discovery, Awareness & Gap Assessment

1. Build an Internal DPDP Task Force

Form a cross-functional team including Infosec, Legal, IT, HR, Marketing, Operations, Procurement, and Product teams. 

Deliverables: 

  • Defined responsibilities 
  • Steering committee charter 

2. Conduct a Data Discovery & Mapping Exercise

This is the foundation of compliance. Identify: 

  • What personal data you collect 
  • Where it resides 
  • Who uses it 
  • Why you collect it (purpose) 
  • How long you keep it 
  • Who you share it with (processors, vendors, partners) 

Deliverables: 

  • Data inventory 
  • Data flow diagrams 

3. Perform a DPDP Gap Assessment 

Evaluate current practices against DPDP obligations such as: 

  • Notice and consent requirements 
  • Rights of individuals 
  • Security expectations 
  • Retention & erasure obligations 
  • Vendor compliance 
  • Cross-border data handling 

Deliverables: 

  • Gap assessment report 
  • High-level risk register 

4. Identify High-Risk Processing Activities

Flag areas that may require: 

  • Heightened controls 
  • Data Protection Impact Assessments (DPIAs) 
  • Additional governance (children’s data, sensitive processing, large-scale profiling) 

Day 31–60: Governance, Policies & Quick Wins

5. Draft or Update Key DPDP Policies 

Ensure updated versions of: 

  • Privacy Policy  
  • Internal Data Protection Policy 
  • Consent Management Policy 
  • Data Retention & Erasure Policy 
  • Breach Response & Notification Plan 
  • Vendor and Third-Party Management Policy 

Deliverables: 

  • Complete policy suite ready for review 

6. Update Privacy Notices & Consent Mechanisms

Make sure notice and consent are: 

  • Clear and specific 
  • Unbundled 
  • Easy to withdraw 
  • Available in multiple languages where needed 

7. Implement Quick Security Improvements 

You don’t need a full revamp in 90 days — but you must reduce obvious risks. 
Focus on: 

  • Access controls 
  • MFA for critical systems 
  • Encryption (at least for sensitive data) 
  • Logging & monitoring 
  • Secure backup processes 

8. Begin Vendor & Processor Assessments 

Start reviewing: 

  • Contracts 
  • Data sharing terms 
  • Security controls 
  • Sub-processing activities

Identify which vendors need DPDP-aligned Data Processing Agreements (DPAs). 

Day 61–90: Operationalisation & Readiness 

9. Establish a Rights Request Handling Process

Under DPDP, individuals have rights such as: 

  • Access 
  • Correction 
  • Grievance redressal 
  • Erasure 

Set up workflows and response timelines. If possible, start planning a self-service data rights portal. 
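The data inventory from step 2 is what makes a rights request answerable: you cannot erase or correct data you cannot locate. The block below is an added example, not code from the article or from TÜV SÜD, that ties the two steps together. It holds a small inventory keyed on the six discovery questions (what, where, who, why, how long, shared with whom), flags assets that cannot answer them, and turns an erasure request into per-system tasks with a due date and a list of processors that must also be instructed to erase. The system names, vendors, data-subject categories and the 30-day response window are constructed assumptions, not figures from the Act or the article.

```python
"""Added example (not from the article): data inventory gap check plus an
erasure-request task plan. Every system, vendor and deadline here is a
constructed assumption used only to make the code runnable offline."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataAsset:
    system: str               # where the data resides
    elements: tuple           # what personal data is held
    subjects: tuple           # whose data it is (customers, employees, ...)
    purpose: str              # why it is collected; empty = undocumented
    retention_days: int       # how long it is kept; 0 = undefined
    owner: str                # who is accountable; empty = nobody named
    shared_with: tuple = ()   # processors / vendors it flows to


# Constructed sample inventory. The "analytics" asset is deliberately
# incomplete so the gap check has something to report.
INVENTORY = (
    DataAsset("crm", ("name", "email", "phone"), ("customers",),
              "customer support", 730, "ops", ("mail-vendor",)),
    DataAsset("payroll", ("name", "bank_account", "pan"), ("employees",),
              "salary processing", 2555, "hr"),
    DataAsset("analytics", ("device_id", "ip"), ("customers", "visitors"),
              "", 0, "", ("analytics-saas",)),
    DataAsset("backup-store", ("name", "email", "phone"),
              ("customers", "employees"), "disaster recovery", 365, "it"),
)


def inventory_gaps(inventory=INVENTORY):
    """Return (system, issue) pairs for assets that cannot answer the
    purpose, retention and ownership questions of the discovery exercise."""
    gaps = []
    for asset in inventory:
        if not asset.purpose:
            gaps.append((asset.system, "no documented purpose"))
        if asset.retention_days <= 0:
            gaps.append((asset.system, "no retention period"))
        if not asset.owner:
            gaps.append((asset.system, "no accountable owner"))
    return gaps


def erasure_plan(request_id, received, subject_type, sla_days=30,
                 inventory=INVENTORY):
    """Map an erasure request from one category of data principal onto every
    system holding that category, with one task per system and the set of
    downstream processors that must be told to erase as well.
    sla_days is an assumed internal target, not a statutory figure."""
    due = received + timedelta(days=sla_days)
    tasks = []
    notify = set()
    for asset in inventory:
        if subject_type not in asset.subjects:
            continue
        tasks.append({"request": request_id, "system": asset.system,
                      "owner": asset.owner, "elements": asset.elements,
                      "due": due})
        notify.update(asset.shared_with)
    return {"request": request_id, "due": due, "tasks": tasks,
            "notify_processors": sorted(notify)}


def overdue_systems(plan, today):
    """Systems whose erasure task is past its due date as of `today`."""
    return [t["system"] for t in plan["tasks"] if today > t["due"]]


if __name__ == "__main__":
    for system, issue in inventory_gaps():
        print(f"gap: {system}: {issue}")
    plan = erasure_plan("REQ-0001", date(2025, 12, 8), "customers")
    for task in plan["tasks"]:
        print(f"erase {task['elements']} from {task['system']} "
              f"(owner: {task['owner'] or 'UNASSIGNED'}) by {task['due']}")
    print("notify processors:", plan["notify_processors"])
```

Two things the output makes visible that a checklist does not: an asset with no named owner produces an erasure task nobody is accountable for, and a single customer request fans out to backups and to third-party processors, which is why the vendor review in step 8 and the data-flow diagrams in step 2 have to be finished before the rights process can be promised a turnaround time.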

10. Create Your Incident Response & Breach-Notification Workflow

DPDP requires prompt notification to: 

  • Affected individuals 
  • The Data Protection Board 

Ensure your team knows: 

  • Classification rules 
  • Reporting templates 
  • Escalation paths 
  • Evidence preservation guidelines

Run tabletop simulations. 

11. Train Employees 

DPDP compliance fails without awareness. Conduct training for: 

  • Frontline staff 
  • Customer service teams 
  • HR & operations 
  • Marketing teams 
  • Developers and product teams 

Focus on practical, scenario-based learning. 

12. Build a 12-Month DPDP Compliance Roadmap 

Once the 90-day foundation is in place, develop a long-term roadmap that covers: 

  • Advanced security & privacy-by-design controls 
  • Implementation of consent management systems 
  • DPIAs for high-risk processing 
  • Automation of retention & deletion 
  • Continuous vendor monitoring 
  • Internal audits and maturity assessments 

Final Thoughts: Compliance Starts with Momentum

The DPDP Act represents one of the most significant regulatory shifts in India’s digital ecosystem. The organisations that respond proactively within the first 90 days will be best positioned to avoid penalties, reduce risks, and build strong digital trust with customers. 

DPDP compliance is not a one-time project — it is an ongoing organisational capability. But with the right start, the journey becomes infinitely smoother. 

To know more about how TÜV SÜD can support you towards your India Digital Personal Data Protection (DPDP) compliance journey, please click here