Privacy guide

DPDP readiness checklist for Indian companies.

A simple DPDP readiness checklist for Indian companies covering notices, consent, vendors, grievance and evidence.

The simple answer

DPDP readiness is not just rewriting a privacy policy. It is knowing what personal data enters the business, where it sits, who uses it, who receives it, and how you prove the flow later.

If a company cannot map the journey, it cannot confidently answer consent, deletion, vendor or grievance questions.

What to check

1
Map one user journey end to end.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

2
List every vendor and processor.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

3
Separate service communication from marketing consent.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

4
Create deletion, correction and grievance workflows.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

5
Keep dated evidence of decisions.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

Readiness starts with a data map.

State of Privacy shows why policy-only readiness is weak. Trackers, vendors and response workflows must match what the policy promises.

What to do next

1
Start with one high-risk user journey.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

2
Do a gap analysis across legal, tech and operations.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

3
Fix the highest-risk gaps before buying tools.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

Is DPDP readiness only legal work?

No. It needs legal, tech and operations work because data flows through systems and teams.

What is the first step?

Map where personal data is collected, stored, shared, used and deleted.

Do companies need a consent manager?

Maybe. It depends on data flows, consent needs and current systems.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.

Read the reportTry the experience