
DPDP Pre-Audit: Ready for India Data Privacy Assessment?

Assess your DPDP readiness with our pre-audit checklist for Indian businesses. Understand data flows and compliance gaps before your official assessment.

Sushant Pasumarty

DPDP Pre-Audit Checklist: Are You Ready for Your India Data Privacy Assessment?

The Digital Personal Data Protection Act, 2023 (DPDP Act) has introduced significant obligations for Indian businesses handling personal data. A proactive pre-audit helps identify gaps and prepares your organization for full compliance, minimizing risks and potential penalties. This checklist, designed by Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), provides a structured approach to self-assess your readiness.

Ignoring DPDP compliance can result in financial penalties of up to ₹250 crore per instance, the highest tier in the Act's Schedule, reserved for failure to take reasonable security safeguards against a personal data breach. A structured pre-audit can significantly reduce your exposure and help ensure operational continuity.

Tip from Sushant Pasumarty:

“Don’t wait for a breach or a regulatory notice. Proactive assessment is not just about compliance; it's about building trust and demonstrating responsible data stewardship. Even a basic data mapping exercise can reveal critical vulnerabilities you didn't know existed.”

Your DPDP Pre-Audit Checklist:

This phased checklist guides you through essential steps to prepare for a formal DPDP assessment. Each item includes a suggested owner, estimated time, and a preliminary cost implication based on internal effort or MBS service tiers.

  1. Identify All Personal Data Processed:
    • Action: List every type of personal data collected, stored, and processed (e.g., employee details, customer demographics, website cookies).
    • Owner: CTO/Data Protection Officer (DPO) (if appointed)
    • Time: 2-3 days internal effort
    • Cost: Internal staff time (covered in MBS Data Mapping: ₹1.5L – ₹3L)
  2. Map Data Flows and Lifecycle:
    • Action: Document where personal data originates, how it moves through systems, where it's stored, and when it's deleted.
    • Owner: CTO/Relevant Department Heads
    • Time: 1-2 weeks internal effort
    • Cost: Internal staff time (covered in MBS Data Mapping: ₹1.5L – ₹3L)
  3. Review Consent Mechanisms:
    • Action: Verify that consent for each processing activity is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action after a plain-language notice (Sections 5 and 6 of the Act); that withdrawing consent is as easy as giving it; and that a record of each consent (notice version, timestamp, the action taken) is kept in a form you can produce on request.
    • Owner: Legal/Marketing/IT
    • Time: 3-5 days internal effort
    • Cost: Internal staff time; potential legal review (part of MBS DPDP Readiness Audit: ₹2L – ₹6L)
  4. Assess Data Processor Contracts:
    • Action: Examine agreements with third-party vendors (data processors). The Act allows a fiduciary to engage a processor only under a valid contract, and the fiduciary remains responsible for compliance regardless of the processor's conduct (Section 8), so check for clauses on security safeguards, breach notification to you, sub-processing, and erasure of data when your purpose ends.
    • Owner: Legal/Procurement
    • Time: 5-7 days internal effort
    • Cost: Internal staff time; potential legal counsel (part of MBS DPDP Readiness Audit: ₹2L – ₹6L)
  5. Evaluate Data Security Measures:
    • Action: Review the technical and organizational safeguards that protect personal data (encryption at rest and in transit, access controls and logging, incident response plans). The Act requires "reasonable security safeguards" and, on a personal data breach, notification to the Data Protection Board and to each affected data principal (Section 8), so confirm the incident response plan actually contains that notification path.
    • Owner: CISO/IT Security
    • Time: 1-2 weeks internal effort
    • Cost: Internal staff time; potential security assessment (part of MBS DPDP Readiness Audit: ₹2L – ₹6L)
  6. Establish Data Principal Rights Processes:
    • Action: Define procedures for handling requests from data principals: access to a summary of the data held and the processing performed, correction and erasure, grievance redressal, and nomination of another person to exercise these rights (Sections 11 to 14). Decide how the requester's identity is verified and how long each request type takes to fulfil.
    • Owner: HR/Customer Service/Legal
    • Time: 3-5 days internal effort
    • Cost: Internal staff time (part of MBS DPDP Workshop: ₹5L – ₹10L)
  7. Verify Data Retention Policies:
    • Action: Confirm that personal data is retained only for as long as the specified purpose is being served or another law requires, and is erased (by you and by your processors) once consent is withdrawn or the purpose is no longer served (Section 8(7)).
    • Owner: Legal/IT
    • Time: 2-3 days internal effort
    • Cost: Internal staff time (part of MBS DPDP Workshop: ₹5L – ₹10L)
  8. Identify and Document Data Fiduciaries & Processors:
    • Action: Clearly distinguish roles within your organization and with external parties. A data fiduciary determines the purpose and means of processing; a data processor processes personal data on the fiduciary's behalf. Also assess whether the volume and sensitivity of your processing could lead to notification as a Significant Data Fiduciary (Section 10), which carries additional obligations.
    • Owner: Legal/Compliance
    • Time: 2-3 days internal effort
    • Cost: Internal staff time (part of MBS DPDP Workshop: ₹5L – ₹10L)
  9. Review Cross-Border Data Transfer Mechanisms:
    • Action: If personal data is transferred outside India, note that the Act does not use GDPR-style transfer mechanisms: transfers are permitted to any country except those the Central Government restricts by notification (Section 16), and stricter sector rules (for example RBI payment data localisation) continue to apply. Verify the destination countries against the current restricted list and any sectoral restrictions.
    • Owner: CTO/Legal
    • Time: 3-5 days internal effort
    • Cost: Internal staff time; potential legal counsel (part of MBS Full DPDP Consulting: ₹7L – ₹12L)
  10. Conduct an Impact Assessment for High-Risk Processing:
    • Action: For activities likely to involve high risk to data principals, conduct a Data Protection Impact Assessment (DPIA). The Act mandates periodic DPIAs only for Significant Data Fiduciaries (Section 10), but the same exercise is the practical way to evidence due diligence for any high-risk processing.
    • Owner: DPO/Legal/Relevant Department Heads
    • Time: 1-3 weeks (per assessment)
    • Cost: Internal staff time (part of MBS Full DPDP Consulting: ₹7L – ₹12L)
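Items 3 and 7 both come down to the same question an auditor will ask: for each stored piece of personal data, can you show the consent that covers it, and do you know when it must be erased? The script below is an added example, not part of the original checklist or of any MBS tooling. It assumes a hypothetical consent ledger (one row per principal and purpose, with withdrawal recorded) and a hypothetical inventory of stored items with a retention period; the sample rows are constructed for illustration. It classifies every item as retained lawfully, due for erasure because consent was withdrawn or the retention period has lapsed, held back because another law requires retention, or lacking any consent record and therefore needing a review against the Act's "legitimate uses".

```python
"""Consent-ledger and retention check for a DPDP pre-audit (added example).

Assumed, hypothetical data model: a consent ledger with one row per
(principal, purpose) and an inventory of stored personal data items.
All sample rows below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Consent:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None  # set when the principal withdraws
    evidence: str = ""                       # notice version + affirmative action shown


@dataclass(frozen=True)
class StoredItem:
    item_id: str
    principal_id: str
    purpose: str
    system: str
    collected_at: datetime
    retention_days: int        # retention the business has justified for this purpose
    legal_hold: bool = False   # another law requires retention (s.8(7) exception)


def consent_index(ledger: Iterable[Consent]) -> Dict[Tuple[str, str], Consent]:
    """Return the most recent consent per (principal, purpose)."""
    idx: Dict[Tuple[str, str], Consent] = {}
    for c in ledger:
        key = (c.principal_id, c.purpose)
        if key not in idx or c.granted_at > idx[key].granted_at:
            idx[key] = c
    return idx


def audit(inventory: Iterable[StoredItem], ledger: Iterable[Consent],
          now: datetime) -> Dict[str, str]:
    """Classify each stored item.

    Statuses: 'ok', 'erase:withdrawn', 'erase:expired', 'hold', 'no_consent'.
    'no_consent' is a review item, not an automatic erasure: the Act permits
    some processing without consent (its 'legitimate uses'), so a human must
    decide which basis applies.
    """
    idx = consent_index(ledger)
    findings: Dict[str, str] = {}
    for item in inventory:
        c = idx.get((item.principal_id, item.purpose))
        expired = now >= item.collected_at + timedelta(days=item.retention_days)
        if c is None:
            status = "no_consent"
        elif c.withdrawn_at is not None and c.withdrawn_at <= now:
            status = "erase:withdrawn"
        elif expired:
            status = "erase:expired"
        else:
            status = "ok"
        if status.startswith("erase") and item.legal_hold:
            status = "hold"  # keep, but record the legal basis for the hold
        findings[item.item_id] = status
    return findings


def run_sample() -> Dict[str, str]:
    """Run the audit over constructed sample data (not real records)."""
    utc = timezone.utc
    now = datetime(2025, 6, 1, tzinfo=utc)
    ledger = [
        Consent("p1", "marketing", datetime(2024, 1, 10, tzinfo=utc),
                withdrawn_at=datetime(2025, 3, 1, tzinfo=utc), evidence="notice-v3/click"),
        Consent("p1", "order-fulfilment", datetime(2024, 1, 10, tzinfo=utc), evidence="notice-v3/click"),
        Consent("p2", "order-fulfilment", datetime(2023, 1, 15, tzinfo=utc), evidence="notice-v2/click"),
        Consent("p3", "marketing", datetime(2025, 5, 1, tzinfo=utc), evidence="notice-v4/click"),
    ]
    inventory = [
        StoredItem("i1", "p1", "marketing", "crm", datetime(2024, 1, 10, tzinfo=utc), 365),
        StoredItem("i2", "p1", "order-fulfilment", "erp", datetime(2024, 1, 10, tzinfo=utc), 730),
        StoredItem("i3", "p2", "order-fulfilment", "erp", datetime(2023, 1, 15, tzinfo=utc), 365, legal_hold=True),
        StoredItem("i4", "p4", "analytics", "warehouse", datetime(2024, 6, 1, tzinfo=utc), 180),
        StoredItem("i5", "p3", "marketing", "crm", datetime(2025, 5, 1, tzinfo=utc), 365),
    ]
    return audit(inventory, ledger, now)


if __name__ == "__main__":
    for item_id, status in run_sample().items():
        print(f"{item_id}: {status}")
```

Two design points matter for the audit. First, the check is keyed on purpose, not just on principal: the Act ties consent to a specified purpose, so a principal who withdrew marketing consent but still has an open order is handled correctly (i1 is flagged, i2 is not). Second, legal holds are applied only after the erasure decision, so the report still shows that the retention period has lapsed and that the hold is the only basis for keeping the record.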

Total Cost Estimation for DPDP Readiness:

Based on your current readiness and the depth of assessment required, MBS offers tailored DPDP services. Sushant Pasumarty and his team at Meridian Bridge Strategy can guide you through the entire process.

MBS DPDP Service Tiers & Pricing:

Tier                   | Includes                                               | Price        | Duration
Data Mapping           | Map every personal data flow                           | ₹1.5L – ₹3L  | 1-2 weeks
DPDP Readiness Audit   | Data Mapping + Gap Analysis                            | ₹2L – ₹6L    | 2-4 weeks
DPDP Workshop          | Audit + Recommendations + 90-day roadmap               | ₹5L – ₹10L   | 4-6 weeks
Full DPDP Consulting   | Workshop + Implementation + DPO + Readiness Opinion    | ₹7L – ₹12L   | 3-6 months

Next Steps for DPDP Compliance:

Completing this checklist provides a foundational understanding of your organization's DPDP posture. The next logical step is to address identified gaps systematically. Whether you need an initial data mapping or comprehensive implementation support, MBS offers a clear path forward.

For a detailed discussion on your specific DPDP requirements and to determine the most suitable service tier for your business, contact Sushant Pasumarty. MBS helps Indian businesses achieve robust data privacy compliance efficiently and effectively.

Learn more about DPDP Readiness Audits or explore our DPDP Workshop offerings.

Frequently Asked Questions

What is the DPDP Act, 2023?

The Digital Personal Data Protection Act, 2023, is India's comprehensive law governing the processing of digital personal data. It establishes rights for data principals and obligations for data fiduciaries.

Why is a DPDP pre-audit important?

A pre-audit helps identify your current compliance gaps before a formal assessment or regulatory scrutiny. It allows you to proactively implement necessary changes, reduce risks, and demonstrate due diligence, potentially saving significant time and cost.

How long does a DPDP readiness audit typically take?

The duration depends on the size and complexity of your organization. MBS's DPDP Readiness Audit typically takes 2-4 weeks, including data mapping and gap analysis. Full consulting, including implementation, can extend to 3-6 months.

What kind of businesses need to comply with DPDP?

Any business or entity (data fiduciary) in India that collects, stores, or processes digital personal data, or processes personal data outside India related to offering goods or services to data principals in India, must comply with the DPDP Act.

What is the role of a DPO under DPDP?

The DPDP Act does not require every organization to appoint a DPO, but it does mandate one for entities notified as Significant Data Fiduciaries, and that DPO must be based in India (Section 10). Every data fiduciary must still publish the business contact details of its DPO, or of another person able to answer data principals' questions about their data (Section 8). A Data Protection Officer oversees the data protection strategy and its implementation to ensure compliance, and is the point of contact for data principals and the Data Protection Board.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost, then book a call with Sushant to scope the right engagement.