What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Checklist•5 min read

DPDP Board Readiness Checklist for Directors (India)

Essential DPDP compliance checklist for Indian company directors, covering data mapping, readiness audits, and implementation phases.

Sushant Pasumarty19 June 2026

DPDP Board Readiness Checklist for Directors

As a director in an Indian business, understanding your organization's readiness for the Digital Personal Data Protection Act (DPDP) is critical. This checklist provides a phased approach to assess and ensure your company's compliance posture, from initial data mapping to full implementation and DPO training.

💡 Key Insight: The board's oversight is paramount for DPDP. Non-compliance carries penalties up to ₹500 crore per instance, making strategic engagement a fiduciary responsibility.

Sushant Pasamarty, founder of Meridian Bridge Strategy, emphasizes that DPDP is not just a legal or IT issue, but a strategic imperative that requires board-level attention and resource allocation.

DPDP Board Readiness Checklist

This checklist is designed to provide directors with a clear overview of the tasks, ownership, time, and potential costs associated with achieving DPDP compliance. Each item is critical for a robust data governance framework.

Phase 1: Initial Assessment & Foundation (Weeks 1-4)

#	Action Item	Owner Role	Time Estimate	Cost (External Help)	MBS Tier Mapping
1	Approve DPDP Compliance Budget: Allocate necessary funds for internal resources, external consultants, and technology.	Board of Directors	1-2 days	N/A (Internal)	All Tiers (Prerequisite)
2	Appoint a DPDP Lead/Committee: Designate an internal owner or cross-functional committee responsible for overseeing the DPDP project.	Board of Directors / CXO	1 week	N/A (Internal)	All Tiers (Prerequisite)
3	Initiate Data Mapping Exercise: Identify all personal data collected, its flow, storage locations, and third-party vendors involved.	CTO / CISO / Legal	1-2 weeks	₹1.5L – ₹3L	Data Mapping
4	Review Existing Data Privacy Policies: Assess current policies against DPDP principles (consent, purpose limitation, data retention).	Legal / Compliance	1 week	N/A (Internal)	DPDP Readiness Audit

Phase 2: Gap Analysis & Roadmap Development (Weeks 2-8)

#	Action Item	Owner Role	Time Estimate	Cost (External Help)	MBS Tier Mapping
5	Conduct a Comprehensive DPDP Readiness Audit: Perform a detailed gap analysis based on data mapping, covering consent mechanisms, Data Processing Agreements (DPAs), grievance redressal, breach response, and data deletion protocols.	CTO / CISO / Legal	2-4 weeks	₹2L – ₹6L	DPDP Readiness Audit
6	Identify Key Compliance Gaps & Risks: Document specific areas where current practices fall short of DPDP requirements.	DPDP Lead / Legal	1 week	Included in Audit	DPDP Readiness Audit
7	Develop Prioritized Recommendations & Roadmap: Create a strategic plan with actionable steps and a 90-day timeline for addressing identified gaps.	DPDP Lead / CXO	1-2 weeks	₹5L – ₹10L	DPDP Workshop
8	Assess Vendor Compliance: Review DPAs and data handling practices of all third-party vendors processing personal data.	Procurement / Legal	2 weeks	N/A (Internal)	DPDP Workshop

Phase 3: Implementation, Training & Ongoing Oversight (Weeks 8 onwards)

#	Action Item	Owner Role	Time Estimate	Cost (External Help)	MBS Tier Mapping
9	Implement Remedial Actions: Execute the prioritized roadmap, including updating policies, consent forms, technical controls, and operational processes.	CTO / CISO / Legal / HR	Ongoing (3-6 months)	₹7L – ₹12L	Full DPDP Consulting
10	Establish Grievance Redressal Mechanism: Ensure a clear, accessible process for Data Principals to exercise their rights and lodge complaints.	Legal / Operations	2 weeks	N/A (Internal)	Full DPDP Consulting
11	Implement Breach Notification Protocol: Develop and test procedures for detecting, assessing, and reporting data breaches within 72 hours.	CISO / IT	2 weeks	N/A (Internal)	Full DPDP Consulting
12	Designate and Train a Data Protection Officer (DPO): Appoint a qualified individual and provide comprehensive training on DPDP requirements and responsibilities.	HR / Legal	2-4 weeks	Included in Full Consulting	Full DPDP Consulting
13	Obtain Final Readiness Opinion: Secure an expert assessment confirming the company's DPDP compliance status.	Board of Directors	1 week	Included in Full Consulting	Full DPDP Consulting
14	Regular Board Review & Oversight: Schedule periodic reviews of DPDP compliance status, risk assessments, and policy updates.	Board of Directors	Quarterly	N/A (Internal)	All Tiers (Ongoing)

✅ Pro Tip: Refer to our DPDP 72-Hour Breach Notification Checklist for detailed steps on handling data breaches effectively.

What DPDP Board Readiness Costs

Achieving DPDP board readiness involves a combination of internal efforts and, often, external expert assistance. The cost varies significantly based on your company's existing data infrastructure, complexity, and internal resources.

DIY Approach: While possible for very simple data landscapes, the internal time investment from legal, IT, and operations teams can be substantial. This approach requires deep internal expertise to avoid misinterpretations and potential non-compliance penalties.
Meridian Bridge Strategy (MBS) Productized Services: Sushant Pasamarty and MBS offer structured services that build on each other, providing clarity on scope and cost.

MBS Tier	What it includes	Price Range	Typical Duration	Value for Directors
Data Mapping	Map every personal data flow: who collects it, where it goes, which vendors touch it.	₹1.5L – ₹3L	1-2 weeks	Provides foundational visibility into data assets, essential for board understanding.
DPDP Readiness Audit	Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion).	₹2L – ₹6L	2-4 weeks	Identifies specific compliance gaps and risks, informing the board of critical areas.
DPDP Workshop	Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap.	₹5L – ₹10L	4-6 weeks	Delivers a strategic action plan and roadmap for board approval and resource allocation.
Full DPDP Consulting	Workshop + Implementation Support + DPO Training + Final Readiness Opinion.	₹7L – ₹12L	3-6 months	Comprehensive support for full compliance, including expert opinion for board assurance.

The choice of tier depends on your current readiness and the level of external support required. For directors, the Full DPDP Consulting tier offers the most comprehensive path to a robust compliance posture and a final readiness opinion from experts like Sushant Pasamarty, providing assurance to the board.

✅ Pro Tip: Consider the long-term cost of non-compliance. Investing in a structured DPDP program with experts like Meridian Bridge Strategy can prevent significant penalties and reputational damage.

Next Step: Assess Your Compliance Cost

Understanding your company's specific DPDP compliance cost is the next logical step for any director. Our free online calculator on dpdpworkshop.com helps you determine which MBS service tier aligns best with your organization's needs and provides a clear cost estimate.

Sushant Pasamarty, founder of Meridian Bridge Strategy, has built products in identity verification, cybersecurity, and e-commerce at companies like IDfy, CyberArk, and Cyware. His expertise, backed by a Master's from IE Business School and CS from BITS Pilani, ensures practical and effective DPDP solutions. Let MBS help your board achieve DPDP readiness efficiently.

Frequently Asked Questions

What is the primary responsibility of a director under DPDP?

Directors are primarily responsible for ensuring adequate resources (financial and human) are allocated for DPDP compliance, approving the compliance strategy, overseeing its implementation, and ensuring regular reporting on the company's data protection posture.

How often should the board review DPDP compliance status?

Sushant Pasamarty recommends that boards review DPDP compliance status at least quarterly, or whenever there are significant changes in data processing activities, new data types, or regulatory updates.

What are the immediate DPDP actions a board should take?

Immediately, the board should approve a budget for compliance, appoint a DPDP lead or committee, and initiate a comprehensive data mapping exercise to understand the personal data flows within the organization. This aligns with the 'Data Mapping' tier offered by MBS.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →