1. Do you collect or process personal data of individuals in India?
2. How mature is your consent & privacy-notice mechanism?
3. Can you fulfil data-principal rights (access, correction, erasure) within timelines?
4. Do you have a personal-data breach response & notification process?
5. Do you map your data (RoPA) and govern your processors/vendors?
What the DPDP Act expects
Consent is the foundation
The DPDP Act requires free, specific, informed and withdrawable consent — with a clear notice and proof of every consent event.
Rights on the clock
Data principals can demand access, correction and erasure. You need a real, auditable process to fulfil them within timelines.
Breaches must be reported
Personal-data breaches carry notification duties to the Board and affected individuals — and significant penalties for non-compliance.
