DPDP Act compliance checklists for SMEs: consent flows, notices, grievance redressal, and vendor DPAs with templates


A practical, SME-ready compliance playbook for India’s Digital Personal Data Protection Act, 2023 (DPDP Act), focused on consent flows, notices, grievance redressal, and vendor DPAs—with editable templates and checklists aligned to the statute and current guidance. This is written for founders, legal leads, and ops teams to implement within 4–8 weeks and survive audits or complaints without overbuilding enterprise-grade programs.

Written by Sudiksha Singh


Executive takeaways

  • Consent must be free, specific, informed, unambiguous, and easy to withdraw; it must be accompanied by a clear, multilingual notice; consent managers must be supported; and children’s data needs verifiable parental consent.
  • Every SME needs a published grievance mechanism, a named contact, and an SLA to respond within the prescribed time before a data principal can approach the Data Protection Board.
  • Processors must be bound by a DPDP-compliant data processing agreement (DPA) covering purpose limits, security, sub-processor controls, cross-border restrictions, and breach notice; SMEs retain primary accountability as the data fiduciary.

Scope and baseline duties

The Act governs digital personal data processing in India and by entities offering goods/services to individuals in India; it mandates consent-based processing with limited legitimate uses, purpose limitation, accuracy, security safeguards, deletion on purpose completion or withdrawal, children’s protections, and breach notification; penalties can reach ₹250 crore per contravention.

Consent

DPDP requires valid consent before processing, except for permitted “legitimate uses,” and obligates a simple withdrawal channel, verifiable parental consent for children, and support for registered consent managers as the individual’s agent.

  • Attributes: free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action; bundled consent is disfavored.
  • Accompanying notice: purposes, categories of data, rights and grievance mechanism, and a withdrawal method must be shown at or before consent.
  • Recordkeeping: maintain consent logs per purpose and channel; ensure parity of ease between giving and withdrawing consent.

Special cases

  • Children and persons with disability: obtain verifiable parental or guardian consent; avoid tracking, profiling, and targeted ads to children.
  • Historic consents: if relying on pre-enforcement consent, send a notice of data details, purposes, rights, and grievances, and continue processing until withdrawn.
  • Consent managers: enable individuals to give/withdraw via registered consent managers through accessible, interoperable interfaces (per MeitY BRD guidance).
Implementation checklist

  • Map purposes and data elements; split into discrete consent items; no bundle with T&Cs; default opt-outs off.
  • Build a withdrawal toggle in every channel, mirroring the consent path; auto-cascade to vendors/processors.
  • Log: who, when, how, versioned notice, purposes; store revocations, tie to retention deletion.
  • Children’s flows: age gates and verifiable parental consent; block behavioral ads; document control design.
  • Consent manager support: expose APIs/webhooks for consent updates from registered managers following MeitY BRD.
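The checklist above asks for per-purpose consent items, a withdrawal path that mirrors the consent path, a log of who/when/how/notice version, a cascade of withdrawals to processors, and a children's gate. The following ledger is an added illustration of how those pieces fit together in code; it is not code from the original page or from any consent-manager specification, and every name in it (`ConsentLedger`, `may_process`, the purpose and processor strings, the blocked-purpose list) is an assumption chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purposes the checklist says must never run for children (constructed list for this example).
BLOCKED_FOR_CHILDREN = {"behavioural_ads", "profiling", "tracking"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str                       # exactly one discrete purpose per event: no bundling
    action: str                        # "grant" or "withdraw"
    channel: str                       # channel used, e.g. web, app, ivr, consent_manager
    notice_version: str                # the versioned notice shown when consent was given
    at: datetime
    guardian_id: Optional[str] = None  # set when a parent/guardian consented for a child


class ConsentLedger:
    """Append-only, per-purpose consent log with withdrawal cascade to processors (assumed design)."""

    def __init__(self, processors_by_purpose: dict[str, list[str]]):
        self._events: list[ConsentEvent] = []
        self._cascade: list[tuple[str, str, str, datetime]] = []  # (processor, principal, purpose, at)
        self._processors = processors_by_purpose
        self._children: set[str] = set()

    def register_child(self, principal_id: str) -> None:
        """Mark a principal as a child so grants require a guardian and blocked purposes are refused."""
        self._children.add(principal_id)

    def grant(self, principal_id: str, purpose: str, channel: str, notice_version: str,
              guardian_id: Optional[str] = None, at: Optional[datetime] = None) -> None:
        at = at or datetime.now(timezone.utc)
        if principal_id in self._children:
            if purpose in BLOCKED_FOR_CHILDREN:
                raise ValueError(f"{purpose!r} is not permitted for a child principal")
            if not guardian_id:
                raise ValueError("verifiable parental consent required for a child principal")
        self._events.append(ConsentEvent(principal_id, purpose, "grant", channel,
                                         notice_version, at, guardian_id))

    def withdraw(self, principal_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is accepted from any channel a grant can come from (parity of ease)."""
        at = at or datetime.now(timezone.utc)
        latest = self._latest(principal_id, purpose)
        if latest is None or latest.action != "grant":
            return  # nothing active for this purpose; withdrawal is idempotent
        self._events.append(ConsentEvent(principal_id, purpose, "withdraw", channel,
                                         latest.notice_version, at))
        # Cascade to every processor that handles this purpose so they stop too.
        for processor in self._processors.get(purpose, []):
            self._cascade.append((processor, principal_id, purpose, at))

    def _latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Gate every processing call on the latest event for this (principal, purpose)."""
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.action == "grant"

    def pending_deletions(self) -> set[tuple[str, str]]:
        """(principal, purpose) pairs whose latest event is a withdrawal: feed these to retention deletion."""
        seen: set[tuple[str, str]] = set()
        out: set[tuple[str, str]] = set()
        for ev in reversed(self._events):
            key = (ev.principal_id, ev.purpose)
            if key in seen:
                continue
            seen.add(key)
            if ev.action == "withdraw":
                out.add(key)
        return out

    def cascade_log(self) -> list[tuple[str, str, str, datetime]]:
        return list(self._cascade)


if __name__ == "__main__":
    ledger = ConsentLedger({"account": ["cloud-host"], "analytics": ["analytics-vendor"]})
    ledger.grant("u1", "account", "web", "v1.2")
    ledger.grant("u1", "analytics", "web", "v1.2")
    ledger.withdraw("u1", "analytics", "app")
    print(ledger.may_process("u1", "analytics"), ledger.pending_deletions(), ledger.cascade_log())
```

Two design points carry the checklist's intent: `grant` takes exactly one purpose, so a bundled "accept all" cannot be recorded without a separate event per purpose, and `withdraw` records the notice version that was in force at the grant, so a later notice change cannot be read back as the basis for the original consent. The cascade list is what a vendor-notification job would drain; in a real system it would call each processor's agreed webhook rather than sit in memory.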

Template: consent statement

“I consent to [Company] processing my name, email, mobile number for creating and managing my account and providing requested services; I understand I can withdraw consent anytime via My Account or consent@company.in. I have read the Privacy Notice and understand my rights to access, correction, erasure, grievance redressal, and nomination.”

Notices

DPDP requires a clear, itemized privacy notice at or before consent; it should be simple, layered, and in English and 8th Schedule languages to ensure accessibility.

What the notice must cover

  • The purposes of processing, categories of data, rights (access, correction, erasure, grievance, nomination), and contact/grievance channel.
  • Processor sharing, retention logic, cross-border transfers (including any negative-list countries), and breach notice policy.
  • Children’s processing restrictions and parental consent method if applicable; consent manager enablement.

Delivery and language

  • Present at or before consent; maintain an archive of versioned notices tied to consent logs; provide English and translations aligned to 8th Schedule languages for reach.

Template: layered notice (short form)

  • What data: “We collect your name, email, phone, and usage logs to provide and improve our services.”
  • Why: “To create your account, authenticate you, deliver features, support you, and comply with law.”
  • Who we share with: “Cloud hosting, analytics, payments—bound by contracts; no sale of personal data.”
  • Your rights: “Access, correction, erasure, withdrawal, grievance, nomination; submit requests at privacy.company.in or dpo@company.in.”
  • Children: “We do not knowingly process children’s data without verifiable parental consent.”
  • Learn more: “Full Privacy Notice vX.Y” (link) and “Vendor list vA.B” (link).

Grievance redressal

Every data fiduciary must provide a readily available grievance redressal mechanism; the fiduciary or consent manager must respond within the prescribed period, and the individual must exhaust this before approaching the DPB.

Structural requirements

  • Publish contact details and workflow; appoint a contact person (DPO required only for Significant Data Fiduciaries) and ensure one-month redress under existing SPDI norms until DPDP rules finalize timelines.
  • Accept grievances through email, web form, and postal address; log tickets and timestamps; provide acknowledgments and closure notices.
  • Escalation: provide a clear path to the DPB if unresolved; keep evidence of exhaustion.

Rights handling expectations

  • Access, correction, erasure, and nomination requests should be handled “within a reasonable time,” with formal timelines expected in rules; SMEs should adopt an internal SLA of 15–30 days.
  • Deletion on purpose completion or withdrawal; ensure suppression in analytics and backups per retention policy.

Template: grievance policy (public page)

“Individuals can submit grievances about our processing at privacy.company.in or grievance@company.in, or write to Grievance Lead, [Address]. We acknowledge within 72 hours and aim to resolve within 30 days. If unsatisfied, individuals may approach the Data Protection Board of India after this period. For consent given via a consent manager, grievances may be filed with the consent manager or with us directly.”

Vendor DPAs (processors)

DPDP expects data fiduciaries to have contractual controls over processors, ensuring purpose limitation, security safeguards, sub-processing controls, breach notice, and cooperation on rights; SMEs should use a short DPDP addendum across SaaS and service vendors.

Must-have clauses

  • Purpose and instructions: process only on documented instructions, for listed purposes, and delete/return on termination.
  • Security: implement appropriate technical and organizational measures; notify breaches promptly; cooperate with investigations and DPB notices.
  • Sub-processors: require prior authorization or notice with objection rights; flow down obligations; maintain a current sub-processor list.
  • Assistance: support access/correction/erasure; assist with DPIAs if applicable; provide logs for consent withdrawals.
  • Cross-border: restrict transfers to any government-notified negative-list countries; disclose processing locations and give advance notice of any change.
  • Audit and evidence: summary audit rights or independent certifications; provide security reports and breach drill attestations.
  • Term and termination: deletion/return timelines and certification; survival of confidentiality and security clauses.

Template: DPDP processor addendum (extract)

“Processor shall process personal data only on documented instructions from Company for the purposes set out in Annex 1; implement appropriate security measures; notify Company of any personal data breach without undue delay; not appoint sub-processors without prior authorization and flow down equivalent obligations; assist Company in responding to data principal requests and in deleting or returning personal data at termination; refrain from transferring personal data to any country notified as restricted; make available all information necessary to demonstrate compliance and allow audits under reasonable conditions.”

Operational checklists (SME-friendly)

Phase 1: discovery and design (0–6 weeks)

  • Data inventory and purpose mapping; classify children’s segments; identify processors; gap analysis versus DPDP; build a remediation plan and register of processing.
  • Rewrite notices (layered, multilingual); design granular consent screens; create withdrawal toggles; build a rights portal MVP; align retention with sectoral laws.

Phase 2: implement and train (6–12 weeks)

  • Deploy consent and notice flows on web/app/IVR; enable consent manager hooks/APIs guided by MeitY’s BRD; implement consent logging.
  • Publish grievance policy; assign a grievance owner; set a 30-day SLA and ticketing; prepare standard responses.
  • Execute DPDP addendum with vendors; collect sub-processor lists and breach contacts; update procurement checklists.
  • Security safeguards: access controls, encryption, incident response with an internal 72-hour SLA for escalation to legal; rehearse breach drill and evidence capture.

Ongoing governance

  • Respond to rights and grievances within SLA; log and close; document escalations; maintain consent and notice versioning.
  • Review vendor posture and sub-processor changes; monitor cross-border transfer locations for negative-list compliance.
  • Quarterly review of notices, consent UX, children’s protections, and deletion automation; annual internal audit.

Templates library

Use and adapt these copy blocks for quick deployment.

A. Consent screen

“We use your name, email, and usage data to create your account and provide requested services. By selecting ‘Agree,’ you consent to this processing. You can withdraw consent at any time in Settings or by emailing consent@company.in. See our Privacy Notice to learn about your rights and grievance redressal.”

Options: Agree | Manage choices | Learn more (links to the layered notice)

B. Children’s notice

“If you are under 18, your parent or guardian must provide verifiable consent. We do not track, profile, or show targeted ads to children. Parents can review and withdraw consent at any time.”

C. Withdrawal confirmation

“Your consent for [Purpose] has been withdrawn. We will stop processing for this purpose and will delete related personal data unless retention is required by law. This may affect some features. You can reinstate consent anytime in Settings.”

D. Rights request acknowledgment

“Thanks for your request regarding [access/correction/erasure]. We will complete this within 30 days and may request identity verification to protect your data. For updates, reply to this email or visit privacy.company.in.”

E. Escalation notice

“If you remain unsatisfied after we respond, you may approach the Data Protection Board of India as provided under the DPDP Act.”

F. Vendor DPA schedule (Annex 1)

  • Data types: identification, contact, auth, transaction metadata.
  • Purposes: hosting, delivery, analytics strictly to support service delivery; advertising only if listed and consent-based.
  • Locations: India, [list countries]; no transfers to negative-list countries.
  • Security: ISO 27001/SOC 2; encryption at rest/in transit; role-based access; logging; breach notice.

Frequently asked SME questions

  • Is consent always required? DPDP allows certain “legitimate uses,” but default to consent-first design; if relying on legitimate uses, document the basis and scope.
  • Do we need a DPO? Only Significant Data Fiduciaries must appoint a DPO; SMEs must still publish a grievance contact and handle rights.
  • How fast to report breaches? Report all personal data breaches to the DPB, irrespective of severity; implement an internal 72-hour SLA to assess and notify.
  • Do cookie banners suffice? Cookie banners can support consent for analytics/ads but must tie to purposes, notices, and withdrawal; avoid pre-checked boxes.

Implementation notes for Indian startups and SMEs

Start with a short discovery sprint to map purposes and data flows, then ship a minimal but compliant stack: layered notices, granular consents with withdrawals, a basic rights portal, published grievance workflow, and a one-page vendor addendum; iterate quarterly as rules crystallize, especially around consent managers and grievance timelines.

This approach aligns with statutory text, industry checklists, and MeitY’s consent-manager direction, ensuring practical compliance without overengineering for non-significant fiduciaries.