0 of 45 answered0% complete
๐
Consent & Notice
Sec. 5 & 6 ยท 0 of 6 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Do you obtain free, specific, informed, and unambiguous consent from employees, customers, and other data principals before collecting their personal data? | Sec. 6 | โน250 Cr | ||
| 2 | Is consent obtained in clear, plain language (not buried in terms & conditions)? | Sec. 5(1) | โน250 Cr | ||
| 3 | Do you provide a privacy notice explaining what data is collected and why, before collection? | Sec. 5 | โน200 Cr | ||
| 4 | Can individuals withdraw consent as easily as they gave it? | Sec. 6(4) | โน250 Cr | ||
| 5 | Do you stop processing data promptly after consent is withdrawn? | Sec. 6(4) | โน250 Cr | ||
| 6 | For data principals under 18, do you obtain verifiable parental/guardian consent before processing their data? | Sec. 9 | โน200 Cr |
๐ค
Data Principal Rights
Sec. 11โ14 ยท 0 of 6 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Can data subjects request a summary of personal data held about them? | Sec. 11 | โน250 Cr | ||
| 2 | Do you have a process to correct inaccurate or incomplete personal data upon request? | Sec. 12 | โน250 Cr | ||
| 3 | Can individuals request erasure of their personal data once the purpose is fulfilled? | Sec. 12 | โน150 Cr | ||
| 4 | Is there a designated Grievance Officer accessible to data principals for complaints? | Sec. 13 | โน50 Cr | ||
| 5 | Are grievances acknowledged and resolved within a reasonable prescribed timeframe? | Sec. 13 | โน50 Cr | ||
| 6 | Do you allow individuals to nominate someone to exercise their data rights on their behalf? | Sec. 14 | โน250 Cr |
๐
Data Security & Safeguards
Sec. 8(5) & Rule 6 ยท 0 of 9 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Are all databases holding personal data encrypted at rest (AES-256 or equivalent)? | Rule 6 | โน250 Cr | ||
| 2 | Is all personal data encrypted in transit using TLS 1.2 or higher? | Rule 6 | โน250 Cr | ||
| 3 | Is access to personal data restricted on a need-to-know basis (least privilege / RBAC)? | Sec. 8(5) | โน250 Cr | ||
| 4 | Is multi-factor authentication enforced for all staff accessing personal data systems? | Sec. 8(5) | โน250 Cr | ||
| 5 | Are access logs retained in tamper-proof storage for a minimum of 1 year? | Rule 6 | โน250 Cr | ||
| 6 | Is there a regular vulnerability scanning and patch management programme in place? | Rule 6 | โน250 Cr | ||
| 7 | Are penetration tests conducted on all public-facing portals and applications at least annually? | Rule 6 | โน250 Cr | ||
| 8 | Is Database Activity Monitoring (DAM) in place to track, log, and alert on all access, queries, and changes to databases holding personal data? | Rule 6 | โน250 Cr | ||
| 9 | Do DAM logs capture who accessed personal data, what queries were run, when, and from which system โ retained for at least 1 year? | Rule 6 ยท Sec. 8(5) | โน250 Cr |
๐จ
Breach Detection & Notification
Sec. 8(6) ยท 0 of 5 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Is a SIEM or equivalent system in place to detect personal data breaches? | Sec. 8(6) | โน200 Cr | ||
| 2 | Do you have a documented incident response plan with defined roles and responsibilities? | Sec. 8(6) | โน200 Cr | ||
| 3 | Can you notify the Data Protection Board of India (DPBI) within 72 hours of a breach? | Sec. 8(6) | โน200 Cr | ||
| 4 | Do you notify affected data principals in the event of a breach? | Sec. 8(6) | โน200 Cr | ||
| 5 | Are breach notification templates and procedures tested at least once a year? | Sec. 8(6) | โน200 Cr |
๐๏ธ
Data Minimisation & Retention
Sec. 8(3) & 8(7) ยท 0 of 5 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Do you collect only the personal data necessary for the stated purpose (data minimisation)? | Sec. 8(3) | โน250 Cr | ||
| 2 | Is personal data deleted or anonymised once its purpose is fulfilled? | Sec. 8(7) | โน150 Cr | ||
| 3 | Is there a formal data retention schedule defining how long each category of data is kept? | Sec. 8(7) | โน150 Cr | ||
| 4 | Are automated processes in place to purge data at the end of its retention period? | Sec. 8(7) | โน150 Cr | ||
| 5 | Is data used only for the specific purpose for which consent was obtained? | Sec. 8(3) | โน250 Cr |
๐ค
Data Processors & Third Parties
Sec. 8(2) ยท 0 of 4 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Do you have written Data Processing Agreements (DPAs) with all third-party vendors and processors handling personal data? | Sec. 8(2) | โน250 Cr | ||
| 2 | Have all third-party processors (ERP, LMS, EdTech vendors) been assessed for DPDP compliance? | Sec. 8(2) | โน250 Cr | ||
| 3 | Do contracts with data processors require them to notify you of any breach within a defined timeframe? | Sec. 8(2) | โน200 Cr | ||
| 4 | Are all data processors prohibited from sub-processing data without your prior written approval? | Sec. 8(2) | โน250 Cr |
๐ง
Children's Data Protection
Sec. 9 ยท 0 of 4 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Is verifiable parental consent obtained before processing data of anyone under 18? | Sec. 9(1) | โน200 Cr | ||
| 2 | Is there a mechanism to verify the age of users and the identity of parents/guardians? | Sec. 9(1) | โน200 Cr | ||
| 3 | Are data principals under 18 exempted from behavioural tracking or targeted advertising? | Sec. 9(3) | โน200 Cr | ||
| 4 | Are applications used by minors assessed for profiling or data misuse risks? | Sec. 9 | โน200 Cr |
๐๏ธ
Governance & Accountability
Sec. 8 & SDF ยท 0 of 6 answered
| # | Compliance Requirement | DPDP Rule | Max Penalty | Response | Note |
|---|---|---|---|---|---|
| 1 | Has a Data Protection Officer (DPO) or equivalent been appointed? | SDF Obligation | As notified | ||
| 2 | Is there a documented Privacy Policy accessible to all employees, customers, and stakeholders? | Sec. 5 | โน200 Cr | ||
| 3 | Have all staff with access to personal data received DPDP awareness training in the last 12 months? | Sec. 8 | โน250 Cr | ||
| 4 | Is there a Data Protection Impact Assessment (DPIA) process for new high-risk processing activities? | SDF Obligation | As notified | ||
| 5 | Are internal DPDP compliance audits conducted at least annually? | Sec. 8 | โน250 Cr | ||
| 6 | Is there a register of all personal data processing activities maintained and updated regularly? | Sec. 8 | โน250 Cr |
DPDP Act 2023 ยท DPDP Rules 2025 ยท Digital Personal Data Protection ยท Enforcement: 13 May 2027
