DPDP Startup Readiness Checklist
- Assign one owner plus a backup before filling cells.
- Link each row to a system name—not a vague team name.
- Attach evidence (ticket IDs, screenshots, policy documents) so later audits can verify each answer.
- Revisit quarterly or when vendors and flows change.
Use this checklist to run a serious first review of how your startup collects, explains, stores, shares, and governs digital personal data. Treat it as an action list: assign owners, note evidence, and connect each gap to a practical next step.
Who this is for
- Founders and startup operators
- Product and growth teams
- Customer support and ops leads
- Agencies and service providers reviewing client workflows
Best used in a 60–90 minute review with one decision-maker and one note owner.
How to use it well
- Mark each item as green, unclear, or needs work.
- Name one owner for follow-up and a target date.
- Link gaps to the relevant worksheet or guide on this site.
- Escalate high-risk or uncertain issues for legal review instead of guessing.
Section 1: Data collection visibility
- List all major points where personal data enters the business.
- Map signup, forms, onboarding, checkout, support, CRM, analytics, and marketing systems.
- Identify which data fields are actually collected in each workflow.
- Document which teams and vendors can access that data.
Primary owner: ops or founder. Useful companion: personal data inventory sheet.
Section 2: Notice and consent quality
- Check whether user-facing notices reflect what the business really does.
- Review whether consent requests are clear, specific, and understandable.
- Identify workflows where marketing capture and notice language have drifted apart.
- Check whether teams can explain what users were shown at the point of collection.
Primary owner: product, growth, or founder. Useful companions: privacy notice review sheet and consent flow review worksheet.
Section 3: Rights and grievance handling
- Identify who owns request intake.
- Check whether access, correction, deletion, and complaint workflows exist.
- Check whether support and ops know where to route requests.
- Review whether request handling can be tracked and documented.
Primary owner: ops, support, or founder. Useful companion: rights request tracking sheet.
Section 4: Retention, deletion, and vendors
- Review whether data categories have any retention logic at all.
- Check where deletion is assumed rather than verified.
- Identify key third-party vendors handling personal data.
- Review whether vendor access and responsibility are understood internally.
Primary owner: ops with engineering support. Useful reads: retention and deletion checklist and vendor and processor checklist.
Section 5: Governance and ownership
- Assign ownership for privacy-related follow-up.
- Review who updates notices and form logic after changes.
- Identify whether any internal SOPs or recurring reviews exist.
- Decide what gets fixed now, what gets tracked, and what needs legal review.
Primary owner: founder, ops lead, or compliance owner. Add a quarterly review date so this does not become a one-off exercise.
Section 6: Children, security, transfers, and scale risks
- Children or school-use products. Decide whether verifiable guardian controls, separate notices, or sector rules apply (see the children's data rules guide).
- Security basics. Confirm engineering has an incident runbook that covers personal data, not only uptime (pair with the fiduciary duties guide).
- Cross-border reality. List every non-India processor or region; track notifications on permitted transfers and update contracts when the rules change.
- High-growth scaling triggers. If volume or sensitivity could push you toward significant-data-fiduciary expectations, document your reasoning early (see the overview).
- Lawful use audit. For each automated decision or "nice to have" dataset, confirm you can cite consent or another permitted ground (see the lawful uses guide).
Primary owner: founder + tech lead jointly. Escalate uncertainties instead of treating these as future-you problems.