DPDP Consent Audit Checklist: Is Your Consent Valid?
Ensure your Indian business's consent practices meet DPDP requirements. Use this checklist to validate consent collection and management.
The Digital Personal Data Protection (DPDP) Act, 2023, places strict requirements on how Indian businesses collect and manage personal data consent. Invalid consent can lead to significant penalties, making a thorough audit essential.
This checklist provides actionable steps to evaluate if your current consent mechanisms comply with DPDP. Sushant Pasamarty, founder of Meridian Bridge Strategy, recommends reviewing these areas regularly.
Phase 1: Initial Consent Collection Audit
Verify the initial touchpoints where you collect personal data. Consent must be free, specific, informed, unconditional, and unambiguous.
- Action: Identify all data collection points (forms, cookies, sign-ups).
  Owner Role: CTO/Product Manager
  Time Estimate: 1-2 days
  External Cost (if needed): Part of Data Mapping (₹1.5L – ₹3L)
  MBS Tier: Data Mapping
- Action: Confirm consent is sought for each specific purpose of processing.
  Owner Role: Legal/Compliance Officer
  Time Estimate: 2-3 days
  External Cost (if needed): Part of DPDP Readiness Audit (₹2L – ₹6L)
  MBS Tier: DPDP Readiness Audit
- Action: Check if consent language is clear, concise, and in plain language (not hidden in T&Cs).
  Owner Role: Product/Legal
  Time Estimate: 1-2 days
  External Cost (if needed): Part of DPDP Workshop (₹5L – ₹10L)
- Action: Verify if Data Principals can give consent through an affirmative action (e.g., ticking a box, clicking a clear button).
  Owner Role: Product Manager
  Time Estimate: 1 day
  External Cost (if needed): Part of DPDP Workshop (₹5L – ₹10L)
- Action: Ensure you inform Data Principals about their right to withdraw consent and the mechanism to do so.
  Owner Role: Legal/Compliance Officer
  Time Estimate: 1 day
  External Cost (if needed): Part of Full DPDP Consulting (₹7L – ₹12L)
Phase 2: Consent Management & Record-Keeping Audit
DPDP requires you to maintain clear records of consent. This phase focuses on how you manage and document consent throughout its lifecycle.
- Action: Document the exact date, time, and method of consent collection for each Data Principal.
  Owner Role: CTO/IT Manager
  Time Estimate: Ongoing setup, 3-5 days initial audit
  External Cost (if needed): Part of Full DPDP Consulting (₹7L – ₹12L)
- Action: Verify if you maintain records of consent withdrawal, including the date and time.
  Owner Role: CTO/IT Manager
  Time Estimate: Ongoing setup, 2-3 days initial audit
  External Cost (if needed): Part of Full DPDP Consulting (₹7L – ₹12L)
- Action: Confirm that withdrawing consent is as easy as giving it and is effective immediately.
  Owner Role: Product Manager/CTO
  Time Estimate: 2-3 days
  External Cost (if needed): Part of DPDP Workshop (₹5L – ₹10L)
- Action: Audit if data processing ceases promptly upon consent withdrawal, unless another lawful basis exists.
  Owner Role: Compliance Officer/CTO
  Time Estimate: 3-5 days
  External Cost (if needed): Part of Full DPDP Consulting (₹7L – ₹12L)
- Action: Review consent mechanisms for children's data, ensuring verifiable parental consent where applicable.
  Owner Role: Legal/Compliance Officer
  Time Estimate: 2-3 days
  External Cost (if needed): Part of DPDP Readiness Audit (₹2L – ₹6L)
Phase 3: Ongoing Consent Compliance Audit
Consent is not a one-time event. This phase ensures your processes support continuous DPDP compliance for consent.
- Action: Establish a process to periodically review and refresh consent if purposes change or after a significant time.
  Owner Role: Compliance Officer
  Time Estimate: Ongoing policy, 1 week setup
  External Cost (if needed): Part of Full DPDP Consulting (₹7L – ₹12L)
- Action: Verify that third-party vendors (data processors) you share data with are also operating on valid consent or a lawful basis.
  Owner Role: Compliance Officer/Procurement
  Time Estimate: Ongoing, 1-2 weeks for initial vendor audit
  External Cost (if needed): Part of Vendor Audit Checklist / Full DPDP Consulting (₹7L – ₹12L)
- Action: Ensure your privacy policy clearly articulates data processing purposes and consent requirements.
  Owner Role: Legal/Compliance Officer
  Time Estimate: 2-3 days
  External Cost (if needed): Part of DPDP Workshop (₹5L – ₹10L)
- Action: Test the user experience for giving and withdrawing consent to ensure it is intuitive and frictionless.
  Owner Role: Product Manager/UX Designer
  Time Estimate: 2-3 days
  External Cost (if needed): Part of DPDP Workshop (₹5L – ₹10L)
What This Consent Audit Costs Your Business
Performing a comprehensive DPDP consent audit can be done in-house, but it requires dedicated time, legal expertise, and a deep understanding of DPDP nuances. Many Indian businesses find external expertise more efficient.
| MBS Tier | What it includes (Consent Focus) | Price Range | Duration |
|---|---|---|---|
| Data Mapping | Identifies all data collection points relevant to consent. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis on consent mechanisms, identifying non-compliance. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations for valid consent, with a 90-day roadmap. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support for new consent flows + DPO Training on consent management + Final Readiness Opinion. | ₹7L – ₹12L | 3-6 months |
The cost reflects the depth of analysis and support. Simple identification of collection points (Data Mapping) is less intensive than implementing new consent flows and training your team (Full DPDP Consulting).
Next Step: Validate Your Consent Strategy
Valid consent is the cornerstone of DPDP compliance. An incomplete or incorrect consent framework leaves your business vulnerable. Use this checklist to begin your audit, then consider your next steps.
Sushant Pasamarty, founder of Meridian Bridge Strategy, offers tailored services to ensure your consent practices are robust and compliant. From identifying your data flows to implementing a full consent management system, MBS provides clear, actionable pathways.
Frequently Asked Questions
What is the primary difference between explicit and implied consent under DPDP?
DPDP primarily focuses on 'affirmative action' consent, moving away from implied consent. While 'explicit' isn't explicitly defined as a separate category, the Act requires consent to be free, specific, informed, and unambiguous, typically demanding a clear positive action from the Data Principal.
How long is DPDP consent valid for?
DPDP does not specify a universal expiry period for consent. Consent remains valid as long as the purpose for which it was collected remains relevant. However, if the purpose changes or a significant amount of time passes, it is prudent to refresh consent. Data Principals can withdraw consent at any time.
Does DPDP require new consent for all existing customer data?
Not necessarily. DPDP introduces the concept of 'legitimate uses' where consent might not be required for certain processing, such as for the performance of a contract or compliance with law. However, for any processing not covered by legitimate uses, or if your prior consent was not DPDP-compliant, new consent may be needed. A DPDP Readiness Audit can clarify this.