The DPDP compliance checklist for small teams (2026)

12 June 2026

Twelve items between you and DPDP compliance. Work through them in order, tick them off, keep the proof. Print the page or save it as a PDF for your team.

DPDP compliance is not a research project. It is a finite list. The Act and the 2025 Rules ask for specific, checkable things, and for a typical small site there are twelve of them. Work top to bottom. Hard deadline: 13 May 2027, when consent, notice, and data rights obligations become enforceable.

Want this as a PDF?

Print this page and choose "Save as PDF". It renders clean. Pin it in your team channel and assign names to items.

Part 1: know what you collect

1. Map every point where personal data enters

Signup forms, checkout, newsletter boxes, contact forms, chat widgets, lead magnets, analytics scripts, ad pixels. Write each one down with the fields it collects. Most teams find collection points they forgot they had. An old webinar form is still a collection point.

2. Assign a purpose to every field

Why do you collect the phone number? Delivery updates is a purpose. "Might be useful" is not. Under the Act you can only process data for the purpose the person agreed to, so every field needs one, written in words a customer would understand.

3. List your processors

Your CRM, email tool, payment gateway, analytics, cloud host. Data you collect flows to them, and you stay responsible for it. Know where each field goes and check you can delete it there when someone withdraws consent.

Part 2: fix the front door

4. Put up a purpose-wise consent banner

Not a cookie banner. A consent banner that lists each purpose separately, with separate toggles, and equal-weight accept and reject buttons. Pre-ticked boxes and bundled consent fail Section 6. The details live in our guide to consent under the DPDP Act.

5. Publish an itemized privacy notice

The notice must itemize the personal data you collect, state each purpose, and explain how to complain to you and to the Data Protection Board. It must be available in English or any of the 22 Eighth Schedule languages the user prefers. If your notice was copied from a US template in 2019, replace it.

6. Block trackers until consent lands

Google Analytics, Meta Pixel, Hotjar and friends must not fire before the visitor agrees to that purpose. Loading them first and asking later is collection without consent. Autoblocking plus Google Consent Mode v2 handles this without breaking your reporting.

7. Make withdrawal one click

Section 6(4): withdrawing consent must be as easy as giving it. That means a preference center reachable from your site, not an email to support that gets answered on Thursdays.

Part 3: keep the receipts

8. Record every consent event

Who agreed, to which purposes, when, against which version of your notice. Store it where it cannot be quietly edited. When the Board asks, you export and hand it over. No records means no defence, whatever your banner looked like.

9. Version your notices

When you change what you collect or why, the notice changes, and consents taken against the old version need refreshing. Keep every version with dates. This is the item teams most often miss.
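One way to make items 8 and 9 concrete is a hash-chained consent log. This is an added example, not Skope's code or anything the Act prescribes. Each event records who, which purposes, when, and which notice version, and carries the hash of the previous entry so a quiet edit breaks the chain. The field names, version labels and sample events are assumptions made for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" value of the first entry

def entry_hash(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

class ConsentLog:
    def __init__(self):
        self.entries = []

    def record(self, subject, purposes, notice_version, action="grant", at=None):
        """Append one consent event, chained to the previous entry's hash."""
        entry = {
            "seq": len(self.entries),
            "subject": subject,              # pseudonymous ID, not an email
            "purposes": sorted(purposes),
            "notice_version": notice_version,
            "action": action,                # "grant" or "withdraw"
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
                return i
            prev = e["hash"]
        return None

    def needs_refresh(self, current_version):
        """Subjects whose latest event is a grant against an older notice."""
        latest = {e["subject"]: e for e in self.entries}
        return sorted(s for s, e in latest.items()
                      if e["action"] == "grant" and e["notice_version"] != current_version)

def build_sample_log():
    """Constructed sample events; IDs, purposes and versions are made up."""
    log, day = ConsentLog(), datetime(2026, 6, 12, tzinfo=timezone.utc)
    log.record("user-001", ["analytics", "delivery_updates"], "v1", at=day)
    log.record("user-002", ["delivery_updates"], "v2", at=day)
    log.record("user-003", ["analytics"], "v1", at=day)
    log.record("user-003", ["analytics"], "v1", action="withdraw", at=day)
    return log
```

Someone who can rewrite the whole file can also recompute every hash, so the chain only proves integrity if the latest hash is periodically copied somewhere that person cannot edit. `needs_refresh` gives the list of people to re-prompt after a notice change.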

Part 4: handle people

10. Open a data rights channel

People can ask what you hold, correct it, erase it, and nominate someone to act for them. You need an address where these requests land and a process that actually executes them, including in your processors' systems.

11. Name a grievance contact

The notice must say who handles complaints and how. A monitored inbox with a response target is enough for a small team. An unmonitored one is a finding waiting to happen.

12. Write the breach playbook

Under the 2025 Rules you notify affected users without delay and file with the Board within 72 hours of becoming aware. Decide now who drafts the notice, who files, and where your consent and processing records live, because 72 hours disappears fast.

The checklist, in one table

DPDP compliance checklist, 2026
| # | Item | Proof it is done |
|---|------|------------------|
| 1 | Data inventory | A list of every form, field, and script |
| 2 | Purpose per field | Written purpose statements |
| 3 | Processor list | Vendors mapped to data fields |
| 4 | Purpose-wise banner | Separate toggles, equal buttons, live on site |
| 5 | Itemized notice | Published, language switcher works |
| 6 | Tracker autoblock | No tracker fires pre-consent |
| 7 | One-click withdrawal | Preference center linked in footer |
| 8 | Consent records | Tamper-evident log, exportable |
| 9 | Notice versioning | Dated versions archived |
| 10 | Data rights channel | Requests land and get executed |
| 11 | Grievance contact | Named in notice, inbox monitored |
| 12 | Breach playbook | Owners named, 72-hour drill done |

Items 4 through 9 are the heavy ones, and they are exactly what tooling automates. Skope closes them in five steps, about 30 minutes for a typical site.

Not legal advice

This checklist covers a typical small website or app. If you process children's data, health data, or large volumes, get counsel to review your setup.

Frequently asked questions

Is there an official DPDP compliance checklist PDF?

The government has not published an official checklist. The obligations come from the DPDP Act, 2023 and the DPDP Rules, 2025. This 12-point list maps to those obligations, and you can print this page to PDF for your team.

How long does DPDP compliance take for a small website?

The inventory and purpose mapping take a few hours of honest work. The technical items (banner, notice, autoblock, records, and withdrawal) take about 30 minutes with a consent kit like Skope, or weeks if you build them yourself.

Do I need a Data Protection Officer?

Only Significant Data Fiduciaries, notified by the government, must appoint a DPO based in India. A typical small business does not, but you still need a named grievance contact in your privacy notice.

What is the deadline to complete this checklist?

Consent, notice, and data rights obligations under the DPDP Rules become enforceable on 13 May 2027. Consent records take time to accumulate, so the earlier your banner is live, the stronger your position.

Check your site against this list, automatically

The free Skope scanner reads your site and scores it against the DPDP checklist: banner, notice, trackers, withdrawal. Results in 60 seconds.
