Resource · Self-Assessment Tool · DPDP Act 2023

DPDP self-assessment — an honest baseline against the May 2027 deadline.

Fifty questions across eight categories of obligation under the DPDP Act 2023 and its Rules. Each item scores Yes / Partial / No against what the Act requires of Data Fiduciaries. Scoring runs live as you work through the items, and results persist locally so you can return to them. The output is a current readiness percentage, a category-level gap analysis, and a maturity band that shows where you stand relative to the 13 May 2027 full-compliance deadline. It is designed for honest self-assessment, not box-ticking: under-scoring is more useful than over-scoring.

Live score · DPDP readiness

Your readiness right now.

01

Governance & accountability

8 items · weight 15%

Without clear ownership and accountable governance, every other DPDP control operates without direction. SDF designation is made by the Central Government by notification, not by the organisation itself, but the Act requires every Data Fiduciary to demonstrate accountability proportionate to its data exposure.

01
A senior accountable owner has been formally designated for DPDP compliance. Required: written designation, board-level visibility, defined authority. SDF organisations must additionally appoint a DPO based in India who is responsible to the Board of Directors (not to be confused with the Data Protection Board). DPDP s.10(2)(a) · Rules 12
3 points
02
A DPDP-specific privacy policy has been adopted at board / executive level. Distinct from a generic privacy policy. Sets organisational position on consent, retention, transfers, breach response, third-party processors. DPDP s.8 · accountability principle
3 points
03
DPDP roles & responsibilities have been documented for every business function that processes personal data. Function-level role mapping: HR, Sales, Marketing, Engineering, Finance, Customer Service. Not just "the privacy team." DPDP s.8(4) · proportionate measures
3 points
04
SDF designation status has been formally evaluated and documented. Volume thresholds, sensitivity, cross-border processing scale, and risk to electoral democracy / national security all factor in. SDF status carries materially additional obligations: India-based DPO, independent data auditor, annual DPIA. DPDP s.10 · SDF criteria
3 points
05
For SDF organisations: an India-based DPO has been appointed and is responsible to the Board of Directors. If not an SDF, mark Yes. SDF DPOs must be based in India, independent enough to act in the interests of Data Principals, and have a direct reporting line to the Board of Directors or equivalent governing body. DPDP s.10(2)(a) · Rules 12(1)
3 points
06
A DPDP risk register has been built and is reviewed at least quarterly. Should track regulatory exposure, control gaps, third-party risks, breach scenarios. Quarterly cadence is the practical minimum; monthly during the implementation window. DPDP s.8(5) · reasonable security safeguards
3 points
07
DPDP awareness training has been rolled out to all employees who handle personal data. Role-specific content. Annual refresh minimum. Evidence retained — completion records, content versioning, comprehension checks. DPDP s.8 · accountability operationalisation
3 points
08
Senior leadership reviews DPDP compliance posture at least quarterly. Standing agenda item. Documented decisions. Owner-level accountability for remediation. Distinguishes performative governance from real governance. DPDP s.8(8) · documentation evidence
3 points
02

Data inventory & mapping

6 items · weight 12%

You cannot protect what you do not know exists. The DPDP Act assumes a Data Fiduciary knows what personal data it holds, where, why, and for how long. Visibility is the precondition for every other obligation.

09
A complete inventory of personal data systems exists and is maintained. All applications, databases, cloud services, file shares, SaaS tools, third-party integrations holding personal data. Updated at least quarterly; ideally driven by automated discovery. DPDP s.8(8)
2 points
10
Data flows have been mapped end-to-end across the personal data lifecycle. Collection → use → storage → sharing → retention → deletion. Per-process, not just at organisation level. Vendor and cross-border flows explicit. DPDP s.8 · purpose limitation principle
2 points
11
Personal data is classified by sensitivity and risk. DPDP does not introduce a sensitive-data category as such, but classification supports proportionate security measures and helps SDF designation analysis. DPDP s.8(5) · proportionate safeguards
2 points
12
Data minimisation is enforced at point of collection — only required fields are captured. Forms, applications, customer onboarding, employee onboarding. The DPDP Act's purpose limitation principle requires that only necessary data be collected for the specific declared purpose. DPDP s.4 · 7
2 points
13
A Records of Processing (RoPA) document exists and is current. DPDP does not mandate a RoPA in the way GDPR Article 30 does, but per-purpose records are the practical way to evidence the obligations the Act does impose: lawful basis, categories of data, categories of recipients, retention periods, security measures. The auditor's first reference document. DPDP s.8(8)
2 points
14
Children's data is identified separately and handled under stricter controls. DPDP defines children as under 18. Verifiable parental consent required. Targeted advertising and behavioural monitoring of children explicitly prohibited. DPDP s.9
2 points
03

Notice & consent

7 items · weight 18%

DPDP is consent-driven by design. Notice and consent quality is the most heavily weighted category — not because it is mechanically the largest area, but because failure here typically means the entire processing operation lacks lawful basis. Get this wrong and everything downstream is compromised.

15
Privacy notices are presented separately from terms & conditions. Standalone, clear, independent, self-contained. Cannot be bundled into terms of service or buried in EULA. Required from 13 May 2027 onwards in plain language. DPDP s.5 · Rules 4
3 points
16
Notices and consent requests can be accessed in English or any of the 22 Eighth Schedule languages. The Act requires the Data Fiduciary to give the Data Principal the option to access the notice, and the consent request, in English or any language specified in the Eighth Schedule to the Constitution (Hindi, Bengali, Telugu, Marathi, Tamil and the others). Regional consumer-facing organisations cannot avoid this. DPDP s.5(3) · s.6(3)
3 points
17
Consent is collected via affirmative action, with no pre-ticked boxes and no bundled terms. Active opt-in, granular per purpose where multiple purposes exist, and limited to the personal data necessary for that purpose. A pre-checked box is not the clear affirmative action the Act requires. Audit trail of consent events retained. DPDP s.6(1)
3 points
18
Consent withdrawal is as easy as consent giving. Same channel, same friction level. A user who consents in one click should be able to withdraw in one click. Hidden withdrawal is treated as a violation of the principle. DPDP s.6(4)
3 points
19
Lawful basis other than consent is documented where claimed. DPDP recognises "certain legitimate uses", including data voluntarily provided for a specified purpose, State functions and benefits, compliance with law or a court order, medical emergencies, public health, and employment purposes. Documentation must show the specific clause of s.7 relied on. DPDP s.7
3 points
20
Consent records are retained with a full audit trail. Timestamp, version of the notice consented to, channel, IP / device. The burden of proving that notice was given and consent obtained sits with the Data Fiduciary, so the record must survive for the longer of: the duration of the consent, plus the limitation period for any related dispute. DPDP s.6(10)
3 points
21
Consent Manager integration is in scope or actively planned. The Act creates the Consent Manager, an intermediary registered with the Board through which a Data Principal can give, manage, review and withdraw consent across multiple Data Fiduciaries; the Rules set its registration conditions and obligations. Increasingly expected for consumer-facing organisations. DPDP s.6(7)-(9) · Rules 4 · Consent Manager regime
3 points
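The items above on affirmative per-purpose consent, withdrawal that is as easy as giving, and a retained audit trail come together in how consent events are stored. The following is an added example (not the tool's own code, and not a format prescribed by the Act or Rules) of an append-only, hash-chained consent ledger: a grant and a withdrawal are separate events for a single purpose, the current state is derived by replaying them, the evidence for one principal and purpose is exportable with hashes, and editing any stored event breaks the chain. Principal identifiers are assumed to be pseudonymous internal keys and events are assumed to be appended in chronological order; the sample events are constructed.

```python
"""Hash-chained consent ledger: one event per (principal, purpose, action),
state derived by replay, tamper evidence by chain verification. Added
example, not the tool's own code; sample events are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first event


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str    # pseudonymous internal key, not a raw identifier (assumption)
    purpose: str         # one purpose per event: granular, not bundled
    action: str          # "grant" or "withdraw"
    notice_version: str  # version of the notice shown for this purpose
    channel: str         # web_form, app, call_centre, ...
    device: str          # IP or device identifier as captured at the time
    timestamp: str       # ISO-8601 UTC; events are appended in time order
    prev_hash: str       # SHA-256 of the previous event, linking the chain

    def digest(self) -> str:
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ConsentLedger:
    """Append-only: a withdrawal is a new event, never an edit of the grant."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, principal_id: str, purpose: str, action: str, notice_version: str,
               channel: str, device: str, timestamp: Optional[str] = None) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._events[-1].digest() if self._events else GENESIS
        ev = ConsentEvent(principal_id, purpose, action, notice_version, channel, device, ts, prev)
        self._events.append(ev)
        return ev

    def active(self, principal_id: str, purpose: str, at: Optional[str] = None) -> bool:
        """Was consent for this purpose in force at `at` (default: now)? The latest
        grant/withdraw event on or before `at` decides; no event means no consent."""
        state = False
        for ev in self._events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if at is not None and ev.timestamp > at:
                break
            state = ev.action == "grant"
        return state

    def evidence(self, principal_id: str, purpose: str) -> list[dict]:
        """What goes to the auditor: every event for the pair plus its hash."""
        return [dict(asdict(ev), hash=ev.digest()) for ev in self._events
                if ev.principal_id == principal_id and ev.purpose == purpose]

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed event breaks a link."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True

    def overwrite_for_demo(self, index: int, **changes) -> None:
        """Simulates an out-of-band edit to a stored row (demo only)."""
        self._events[index] = replace(self._events[index], **changes)


def build_sample_ledger() -> ConsentLedger:
    """Constructed events for one pseudonymous principal (not real data)."""
    led = ConsentLedger()
    led.record("p-7f3a", "marketing", "grant", "notice-v3", "web_form", "203.0.113.7",
               "2026-03-01T10:00:00+00:00")
    led.record("p-7f3a", "order_fulfilment", "grant", "notice-v3", "web_form", "203.0.113.7",
               "2026-03-01T10:00:01+00:00")
    led.record("p-7f3a", "marketing", "withdraw", "notice-v3", "app", "device-9c1e",
               "2026-04-15T08:30:00+00:00")
    return led


def demo() -> dict:
    led = build_sample_ledger()
    out = {
        "marketing_now": led.active("p-7f3a", "marketing"),                  # withdrawn
        "marketing_in_march": led.active("p-7f3a", "marketing", "2026-03-31T00:00:00+00:00"),
        "fulfilment_now": led.active("p-7f3a", "order_fulfilment"),
        "marketing_evidence": len(led.evidence("p-7f3a", "marketing")),
        "chain_ok": led.verify(),
    }
    led.overwrite_for_demo(0, notice_version="notice-v2")  # someone "fixes" history
    out["chain_ok_after_edit"] = led.verify()
    return out
```

In production the chain head should be anchored somewhere the application cannot rewrite (a write-once log or a periodically signed checkpoint), because an attacker who can rewrite every row can also recompute every hash; the chain makes partial edits evident, not impossible.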
04

Data Principal rights

6 items · weight 13%

Data Principal rights are operational obligations. Whether a Data Fiduciary handles them well determines whether complaints reach the Data Protection Board — and the Board's enforcement focus is anticipated to start with rights handling failures.

22
A clear, accessible channel exists for Data Principals to exercise their rights. Online form, dedicated email, in-app mechanism — at least one. Cannot be hidden behind login walls or buried in policy documents. DPDP s.13
2 points
23
Right of access — Data Principals can obtain a summary of personal data being processed. Categories of data, summary of processing activities, identities of recipients. Operational workflow exists; not just policy text. DPDP s.11
2 points
24
Right to correction & erasure — workflows exist and respond within reasonable time. Both rectification of inaccurate data and deletion when no longer required. Backup and downstream-system propagation included in workflow scope. DPDP s.12
2 points
25
Grievance redressal mechanism is published and operational. Distinct from rights handling. Channel for complaints about how data is being processed. Acknowledged escalation path to the Data Protection Board. DPDP s.13(2)
2 points
26
Right of nomination — Data Principals can nominate someone to act on their rights in case of death or incapacity. Distinctive feature of DPDP — not present in GDPR. Mechanism must allow nomination and withdrawal. Operational workflow for triggering events. DPDP s.14
2 points
27
Response timelines are defined and tracked — overdue requests are escalated. Internal SLAs typically 30 days. Tracking dashboard. Overdue threshold triggers escalation. Audit-ready evidence of timeliness. DPDP s.13 · Rules
2 points
05

Security safeguards

6 items · weight 14%

DPDP s.8(5) requires "reasonable security safeguards" to prevent a personal data breach. The Act does not prescribe specific controls, and the Rules list only a minimum set (encryption or masking, access control, logging and monitoring, backups, and contractual flow-down to processors); in practice the standard tracks closely with what ISO 27001, CIS Controls and similar frameworks specify. Sectoral regulators (RBI, IRDAI, SEBI) layer on additional sector-specific security obligations.

28
Encryption is in place for personal data at rest and in transit. TLS for transit; AES-256 or equivalent for at-rest. Key management discipline — keys not stored alongside encrypted data. Cloud KMS or equivalent. DPDP s.8(5)
2.5 points
29
Access controls follow least-privilege principle with role-based access. Per-system access reviews. MFA on all administrative access. Privileged access management for high-risk systems. Quarterly access recertification. DPDP s.8(5) · CIS Control 6
2.5 points
30
Vulnerability management is operational with defined remediation SLAs. Continuous scanning. Critical vulnerabilities patched within 72 hours. High within 7 days. SLAs tracked; overdue patches escalated. DPDP s.8(5)
2.5 points
31
Logging & monitoring covers personal data systems with retention discipline. Audit logs of access, modifications and exports. Retention sufficient for forensics: the Rules set one year as the minimum for log retention, and a breach investigation will often want more. Monitoring with alerting on anomalous patterns. DPDP s.8(5) · Rules
2.5 points
32
Backup and recovery infrastructure is in place and tested. RPO defined per data category. Regular restore tests — not just backup verification. Ransomware-resistant patterns (offline / immutable copies). DPDP s.8(5) · breach prevention
2.5 points
33
Security testing — penetration testing and red-team exercises run on cadence. Annual minimum for substantive systems. Findings tracked through to remediation. Independent third-party testing for critical systems. DPDP s.8(5)
2.5 points
06

Breach response

5 items · weight 13%

DPDP imposes strict breach notification obligations: prompt initial notification to the Data Protection Board, follow-up detailed report within 72 hours, notification to affected Data Principals. Failure to notify is itself a violation — over and above the underlying breach.

34
A documented breach response plan exists with defined activation triggers. Written plan. Activation criteria. Defined roles (IR commander, legal lead, communications lead, regulator liaison). Tested on cadence. DPDP s.8(6)
2.6 points
35
Breach detection capability is in place with defined alerting. SIEM, UEBA, EDR — capability proportionate to organisation size. Alert thresholds calibrated. 24/7 monitoring or on-call rotation for critical systems. DPDP s.8(5) · 8(6)
2.6 points
36
Notification workflow to the Data Protection Board is operational and tested. Initial notification template. 72-hour follow-up report template. Designated notifier. Channel established. Practice run conducted at least once. DPDP s.8(6) · Rules
2.6 points
37
Data Principal notification process exists for affected individuals. Channel established. Pre-prepared message templates. Mass-notification capability if breach affects many individuals. Cannot wait until breach to design this. DPDP s.8(6)
2.6 points
38
Tabletop exercises run at least annually testing the breach response. Realistic scenarios. Cross-functional participation including legal, comms, technical, executive. Lessons learned captured and actioned. Documented evidence retained. DPDP s.8(6) · operational discipline
2.6 points
07

Vendor & processor governance

6 items · weight 10%

Under DPDP, the Data Fiduciary remains accountable for processor actions. Contractual controls, technical safeguards, and continuous oversight of processors are the operational discipline that makes that accountability real rather than nominal.

39
A complete inventory of Data Processors exists. All vendors processing personal data on behalf of the organisation — cloud providers, SaaS tools, analytics platforms, marketing vendors, payroll, recruitment, customer support tools. DPDP s.8(2)
1.7 points
40
Data Processing Agreements are in place with every processor. DPA terms specifying processor obligations, audit rights, sub-processor consent, breach notification, return / deletion at engagement end. Standard contractual control. DPDP s.8(2) · 8(7)
1.7 points
41
Vendor due diligence process exists with risk-based depth. Onboarding security questionnaire. Tier-based assessment depth. Refresh cadence. Documented evidence retained. See Vendor Risk Management. DPDP s.8(2) · proportionate oversight
1.7 points
42
Sub-processor consent and notification mechanism is operational. Authorisation regime — general or specific. Notification of changes. Right to object. Cascade flow-down to sub-processors documented. DPDP s.8(2)
1.7 points
43
Cross-border transfer governance — countries of processing tracked, restricted-country list monitored. DPDP softened earlier localisation language but retains government power to restrict transfers to "blacklisted" geographies. Inventory of where data goes. DPDP s.16
1.7 points
44
Vendor security incidents and breaches are reported within defined SLAs. Contractual SLA — typically 24-48 hours. Tracked. Triggers internal breach response if Data Fiduciary affected. Audit-ready evidence. DPDP s.8(6)
1.7 points
08

Retention & deletion

6 items · weight 5%

Storage limitation is now a legal requirement, not an aspirational principle. The DPDP Act explicitly requires deletion when the original purpose has been served. Retention discipline is the most operationally underestimated obligation in early DPDP implementations.

45
Retention schedules exist per data category and per purpose. Documented retention period per data type. Justification linked to original purpose or statutory obligation. Reviewed annually for currency. DPDP s.8(7)
0.83 points
46
Automated deletion workflows enforce retention schedules. Time-based deletion automation. Manual deletion as exception, not norm. Evidence retained that deletion actually occurred. DPDP s.8(7)
0.83 points
47
Backup retention follows the same retention schedule as primary data. Most common DPDP gap. Backups frequently outlive their primary data — and those backups remain in scope. Backup retention windows must align. DPDP s.8(7) · operational discipline
0.83 points
48
Secure deletion mechanisms ensure data is irrecoverable post-deletion. Cryptographic shredding for encrypted data. Secure-erase tooling for storage media. Evidence of deletion retained for audit. DPDP s.8(7)
0.83 points
49
Retention exceptions (legal hold, statutory) are tracked and reviewed. Litigation hold mechanism. Statutory retention requirements (KYC, tax, employment) tracked separately. Hold release process documented. DPDP s.8(7) · legitimate uses
0.83 points
50
Erasure rights from Data Principals propagate to backups, archives, and processors. Most challenging integration in practice. End-to-end deletion workflow. Vendor processor cooperation contractually required. Evidence of full propagation retained. DPDP s.12 · 8(7)
0.83 points
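The six items above describe a retention engine in prose. As an added example (not the tool's own code), here is the core decision logic in Python, following s.8(7): the deletion clock starts at the earlier of the purpose being served, consent being withdrawn, or an erasure request; a statutory minimum counted from collection can only lengthen retention; a legal hold suspends deletion; and a deletion decision lists every copy it must reach, including backups and processors. Data with no retention rule is flagged for review rather than silently retained. The schedule, day counts and records are constructed for illustration and are not legal retention periods.

```python
"""Retention-schedule enforcement along the lines of DPDP s.8(7): erase on
consent withdrawal or when the specified purpose is no longer served,
whichever is earlier, unless a law requires longer retention. Added example,
not the tool's own code; schedule values and records are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    retain_days: int         # kept this long after the trigger date
    statutory_min_days: int  # minimum retention counted from collection (0 = none)
    basis: str               # the justification recorded in the schedule


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose: str
    collected: date
    purpose_served: Optional[date] = None     # when the specified purpose ended
    consent_withdrawn: Optional[date] = None  # s.6(4) withdrawal, if any
    erasure_requested: Optional[date] = None  # s.12 request, if any
    legal_hold: bool = False
    copies: tuple[str, ...] = ("primary",)    # primary, backup, processor:<name>


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str               # delete | retain | hold | review
    due: Optional[date]       # deletion date, where one can be computed
    reason: str
    targets: tuple[str, ...]  # every copy a deletion must reach


def decide(rec: Record, schedule: dict[tuple[str, str], RetentionRule], today: date) -> Decision:
    rule = schedule.get((rec.category, rec.purpose))
    if rule is None:
        # Unscheduled data is itself a finding: nobody has decided how long it lives.
        return Decision(rec.record_id, "review", None, "no retention rule for category/purpose", ())
    if rec.legal_hold:
        return Decision(rec.record_id, "hold", None, "legal hold; re-evaluate on release", ())
    triggers = [d for d in (rec.purpose_served, rec.consent_withdrawn, rec.erasure_requested) if d]
    if not triggers:
        return Decision(rec.record_id, "retain", None, "purpose still being served", ())
    due = min(triggers) + timedelta(days=rule.retain_days)  # earliest trigger wins
    floor = rec.collected + timedelta(days=rule.statutory_min_days)
    reason = f"trigger + {rule.retain_days}d ({rule.basis})"
    if floor > due:  # a statutory minimum can lengthen retention, never shorten it
        due, reason = floor, f"statutory minimum from collection ({rule.basis})"
    if today >= due:
        # Deletion must reach backups and processors too (s.8(7)(b)), so the
        # decision carries every known copy as a target.
        return Decision(rec.record_id, "delete", due, reason, rec.copies)
    return Decision(rec.record_id, "retain", due, reason, ())


def plan(records, schedule, today: date) -> list[Decision]:
    return [decide(r, schedule, today) for r in records]


def summary(decisions) -> dict[str, int]:
    out: dict[str, int] = {}
    for d in decisions:
        out[d.action] = out.get(d.action, 0) + 1
    return out


# Constructed schedule; the day counts are illustrative, not legal advice.
SAMPLE_SCHEDULE = {
    ("contact", "marketing"): RetentionRule(0, 0, "consent only"),
    ("kyc", "account_opening"): RetentionRule(0, 5 * 365, "statutory KYC minimum (illustrative)"),
    ("order", "order_fulfilment"): RetentionRule(180, 0, "returns and dispute window (illustrative)"),
}
SAMPLE_RECORDS = [
    Record("r1", "contact", "marketing", date(2025, 1, 10), consent_withdrawn=date(2026, 5, 20),
           copies=("primary", "backup", "processor:mailer")),
    Record("r2", "kyc", "account_opening", date(2024, 3, 1), consent_withdrawn=date(2026, 1, 1)),
    Record("r3", "order", "order_fulfilment", date(2026, 1, 5), purpose_served=date(2026, 1, 20)),
    Record("r4", "order", "order_fulfilment", date(2025, 10, 1), purpose_served=date(2025, 10, 10),
           legal_hold=True),
    Record("r5", "hr", "recruitment", date(2025, 6, 1), purpose_served=date(2025, 9, 1)),
]
TODAY = date(2026, 6, 1)

if __name__ == "__main__":
    for d in plan(SAMPLE_RECORDS, SAMPLE_SCHEDULE, TODAY):
        print(d.record_id, d.action, d.due, d.reason, d.targets)
```

Run it as a scheduled job over the data inventory: the delete decisions are what the automated deletion workflow executes and evidences, the retain decisions give the dates the backup retention window must not exceed, and the review decisions are the schedule gaps an auditor would otherwise find first.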
Your verdict

Where you actually stand.

The composite score below weights each category by its regulatory significance — not all 50 items count equally. Notice and consent failures threaten the lawful basis of the entire processing operation; retention failures are typically remediable with focused effort. The maturity band tells you where you stand relative to the 13 May 2027 full-compliance deadline.


Scoring methodology

How the score works.

Each item scores Yes (full credit) / Partial (half credit) / No (zero). Items within a category sum to the category's weighted contribution. The maturity bands below provide rough interpretation — but the band is less useful than the category breakdown. A composite score of 70% with 30% on consent and 90% on security is materially different from 70% with 70% across all categories. Read the categories.

Band Score Interpretation
Pre-compliance Below 30% Substantial DPDP gaps across most categories. Treat as a fresh build rather than a remediation. Even with 13 May 2027 still 18 months away, this state requires immediate, sustained programme work.
Building 30 — 55% Foundation visible, core gaps remain. Typical state for organisations that have started DPDP work but treated it as document drafting rather than operational change. Realistic 12-month remediation horizon.
Substantive 55 — 75% Most obligations operational; specific gaps remain. Typical state for mature organisations approaching full compliance. The gap-closing work is targeted; the core programme exists.
Substantially compliant 75 — 90% Programme operating at near-full coverage. Remaining gaps are usually high-effort items: consent manager integration, full backup-retention alignment, end-to-end erasure propagation. Audit-credible.
DPDP-ready Above 90% Comprehensive operational compliance. Maintenance discipline rather than build effort. Honest 90%+ self-assessments are uncommon — under-scoring is more useful than over-scoring.
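As an added worked example (not the tool's own code), the methodology above expressed as a scoring function: each category's fraction of full credit is multiplied by its weight from the category headers, the weighted contributions are summed to the composite, and the composite is mapped to a band. Two assumptions not stated on the page: band lower bounds are inclusive (a score of exactly 75% is "Substantially compliant"), and an unanswered item counts as No. The per-item point labels beside each item are not used; the category weights are. The sample answers are constructed to show the point made above, that a composite near 58% can hide a consent category below 30%.

```python
"""Composite DPDP readiness scoring as the page's methodology describes it.
Added example, not the tool's own code; sample answers are constructed."""
from __future__ import annotations

from typing import Optional

# Category weights (%) and item counts as listed on the page.
WEIGHTS = {
    "Governance & accountability": 15,
    "Data inventory & mapping": 12,
    "Notice & consent": 18,
    "Data Principal rights": 13,
    "Security safeguards": 14,
    "Breach response": 13,
    "Vendor & processor governance": 10,
    "Retention & deletion": 5,
}
ITEMS = {
    "Governance & accountability": 8, "Data inventory & mapping": 6,
    "Notice & consent": 7, "Data Principal rights": 6, "Security safeguards": 6,
    "Breach response": 5, "Vendor & processor governance": 6, "Retention & deletion": 6,
}
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}
# Lower bounds treated as inclusive (assumption; the page gives ranges only).
BANDS = [(90, "DPDP-ready"), (75, "Substantially compliant"),
         (55, "Substantive"), (30, "Building"), (0, "Pre-compliance")]

if sum(WEIGHTS.values()) != 100 or sum(ITEMS.values()) != 50:
    raise RuntimeError("weights must sum to 100 and items to 50")


def band(score: float) -> str:
    for floor, name in BANDS:
        if score >= floor:
            return name
    return BANDS[-1][1]


def category_pct(answers: list[Optional[str]]) -> float:
    """Yes = full, Partial = half, No or unanswered = zero, over all items."""
    credit = 0.0
    for a in answers:
        if a is not None and a not in CREDIT:
            raise ValueError(f"invalid answer {a!r}")
        credit += CREDIT.get(a, 0.0)
    return 100.0 * credit / len(answers)


def assess(answers: dict[str, list[Optional[str]]]) -> dict:
    """Composite = sum over categories of weight x (category credit fraction)."""
    if set(answers) != set(WEIGHTS):
        raise ValueError("answers must cover exactly the eight categories")
    cats, composite, answered = {}, 0.0, 0
    for name, weight in WEIGHTS.items():
        items = answers[name]
        if len(items) != ITEMS[name]:
            raise ValueError(f"{name}: expected {ITEMS[name]} answers, got {len(items)}")
        pct = category_pct(items)
        cats[name] = round(pct, 1)
        composite += weight * pct / 100.0
        answered += sum(a is not None for a in items)
    weakest = sorted(cats, key=cats.__getitem__)  # read the categories, not the band
    return {
        "composite": round(composite, 1),
        "band": "Not started" if answered == 0 else band(composite),
        "answered": answered,
        "total": sum(ITEMS.values()),
        "categories": cats,
        "weakest": weakest,
    }


def sample_answers() -> dict:
    """Constructed responses for a hypothetical organisation (not real data)."""
    y, p, n = "yes", "partial", "no"
    return {
        "Governance & accountability": [y, y, y, y, y, y, p, p],  # 87.5%
        "Data inventory & mapping": [y, y, y, n, n, n],           # 50.0%
        "Notice & consent": [y, p, p, n, n, n, n],                # 28.6%
        "Data Principal rights": [y, y, y, p, p, n],              # 66.7%
        "Security safeguards": [y, y, y, y, y, p],                # 91.7%
        "Breach response": [y, y, p, n, n],                       # 50.0%
        "Vendor & processor governance": [y, y, p, p, n, n],      # 50.0%
        "Retention & deletion": [p, p, n, n, n, n],               # 16.7%
    }


if __name__ == "__main__":
    result = assess(sample_answers())
    print(result["composite"], result["band"], result["weakest"][:2])
```

The sample lands at 58.1% ("Substantive") with security above 90% and consent below 30%, which is exactly the case the methodology warns about: the band looks respectable while the lawful basis for most processing is missing.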

This tool is a working baseline, not a regulatory determination. The Data Protection Board of India determines compliance through formal investigation and audit; nothing here substitutes for that. The tool's value is in honest internal assessment — identifying where remediation effort should concentrate before regulatory exposure crystallises. For substantive review of your DPDP posture against the 13 May 2027 deadline, a Readiness Review engagement is the natural next step.

Honest baseline. Real work.

A self-assessment is the start of the work, not the end. If your score reveals gaps you cannot close internally on the 13 May 2027 timeline, a 30-minute scoping call costs nothing — we will tell you honestly whether the gap is closeable with focused effort or requires a substantial programme, and what realistic remediation looks like for your specific situation.

Schedule a call