DPDP Act 2023 Readiness Checklist — 47-Point Audit for Indian WhatsApp Business
Map every Section 6 to 16 obligation against the Meta WhatsApp Business policy in one pass. Built for Indian operators — consent, breach response, children carve-out, vendor contracts and WhatsApp-specific rules across six categories.
Sample audit items
- 1 Consent: Published a plain-language privacy notice in English plus at least one of the 22 Eighth Schedule languages relevant to your audience.
- 2 Consent: Consent capture is granular — separate checkboxes (not pre-ticked) for marketing, utility, analytics and third-party sharing.
- 3 Consent: Consent log stored with timestamp, IP / channel, exact notice text version and consent string for at least the retention period.
- 4 Consent: Withdraw-consent flow is one-click and as easy as opt-in (Section 6(4)) — e.g. STOP keyword or in-app toggle, no friction or sales call.
- 5 Consent: Purpose limitation documented — every personal-data field has a stated, lawful purpose and is not reused for unrelated activities.
- 6 Consent: Legitimate use cases mapped (Section 7) where consent is not required — employment, emergency, legal obligation — and never abused as a shortcut.
- 7 Consent: Consent Manager integration plan documented for when the DPBI publishes the registered Consent Manager list (Section 6(7)).
- 8 Data Handling: Data inventory complete — every personal-data attribute (name, phone, address, KYC, location, device ID) mapped to system, owner and lawful basis.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 (DPDP) is India's first cross-sectoral law for the protection of personal data of natural persons inside India. It replaces a patchwork of IT Act rules and sectoral norms with a single framework operated by the Data Protection Board of India (DPBI). The Rules were issued in early 2025 and the DPBI is operational from 2026, with notifications now moving from consultation to enforcement.
Every business that processes personal data — name, phone number, email, address, KYC, location, device identifier — is a Data Fiduciary. The Act is consent-led: consent must be free, specific, informed, unconditional, unambiguous and capable of being withdrawn as easily as it was given. Children (under 18) receive heightened protection with verifiable parental consent and a ban on behavioural tracking and targeted advertising.
For Indian operators running WhatsApp Cloud API, DPDP layers directly on top of the Meta WhatsApp Business Messaging Policy — opt-in evidence, 24-hour customer service window, template categorisation, marketing-vs-utility separation and phone-number quality. The 47-point audit in this checklist maps those two regimes together in one actionable list.
Who needs this checklist?
Built for four roles in the Indian WhatsApp Business ecosystem.
D2C founder
You run a Shopify or WooCommerce store, send WhatsApp campaigns to 5k+ contacts and have never had a privacy notice reviewed by counsel.
Marketing head
Your team imports lead lists from forms, ads, IVRs and offline events and you are not sure which uploads have verifiable opt-in evidence.
Compliance / Ops lead
You have been asked to map DPDP to your existing ISO 27001 / SOC 2 controls and need an opinionated India-specific gap list.
Agency / BSP partner
You operate WhatsApp for multiple clients and need a repeatable readiness checklist to onboard each tenant before scaling sends.
Frequently asked questions
Is the DPDP Act 2023 actually applicable to my small WhatsApp Business?
Yes. The Digital Personal Data Protection Act 2023 applies to every Data Fiduciary processing personal data in India regardless of revenue — there is no SMB carve-out. If you collect a name, phone number, email or address for your WhatsApp audience you are a Data Fiduciary. The penalty regime caps at Rs 250 crore per breach class but the Data Protection Board can also order proportionate remedies for smaller operators.
How is this 47-point checklist different from generic GDPR templates?
It is purpose-built for Indian operators running WhatsApp Cloud API. Sections map to specific DPDP clauses (6, 7, 8, 9, 10, 11, 13, 16) and overlay Meta WhatsApp Business policy realities — the 24-hour customer service window, template categorisation, opt-in evidence, phone-number quality and NCPCR / AIGF / IRDAI / NHCX overlays for sensitive verticals. GDPR templates miss all of these.
Do I need to appoint a Data Protection Officer?
A DPO is mandatory only if you are classified as a Significant Data Fiduciary under Section 10. The Government will notify thresholds based on volume, sensitivity and risk. Until then, every Data Fiduciary must still publish a contact person for Data Principal requests under Section 5(1)(b) — name, email and Indian address — even if the role is held by a founder or operations lead.
What is the breach reporting timeline I should hit?
The draft DPDP Rules align with the CERT-In 2022 directions on a 72-hour notification window from awareness for the DPBI plus prompt notification to affected Data Principals. Until the final Rules are notified, hit 72 hours as a working target and over-disclose rather than under-disclose. Keep forensic logs frozen so you can reconstruct the timeline.
How does the 24-hour session window matter for compliance?
Meta WhatsApp Business policy requires that free-form replies are sent only inside the 24-hour customer service window opened by an inbound user message. Outside that window every send must be a pre-approved template billed under the correct category. Mis-categorising marketing as utility is both a Meta policy violation (quality downgrade, suspension) and a DPDP purpose-limitation issue if the recipient never consented to marketing.
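The consent audit items above (granular purposes, an append-only consent log with notice version and consent string, and a STOP-keyword withdrawal that is as easy as opt-in) and the 24-hour window rule in this answer can be enforced in one gate in front of the send pipeline. The following is an added illustration written for this page, not code from the checklist's authors or from Meta; the purpose names, channel labels, phone numbers and timestamps are constructed, and the choice that STOP withdraws every purpose at once is an assumption of this example.

```python
"""Consent ledger plus send-policy gate for a WhatsApp Business sender (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One consent flag per purpose, never bundled (checklist item 2). Names are assumptions.
PURPOSES = ("marketing", "utility", "analytics", "third_party_sharing")
SESSION_WINDOW = timedelta(hours=24)  # Meta customer-service window opened by an inbound message
T0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time for the scenario


def hours(n: float) -> datetime:
    """Offset from the constructed reference time."""
    return T0 + timedelta(hours=n)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable consent-log row (checklist item 3)."""
    phone: str
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    at: datetime
    channel: str         # capture channel, e.g. "web_form" or "whatsapp_inbound" (constructed labels)
    notice_version: str  # exact privacy-notice version shown at capture; "n/a" on withdrawal
    consent_string: str  # literal text or keyword the Data Principal acted on


class ConsentLedger:
    """Append-only log; the newest event per (phone, purpose) at a given time decides."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {event.purpose!r}")
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)  # rows are never edited or deleted in place

    def grant(self, phone, purposes, at, channel, notice_version, consent_string) -> None:
        for p in purposes:
            self.record(ConsentEvent(phone, p, True, at, channel, notice_version, consent_string))

    def withdraw(self, phone, at, channel, consent_string, purposes=PURPOSES) -> None:
        # A single call covers every purpose: withdrawal is as easy as opt-in (Section 6(4)).
        for p in purposes:
            self.record(ConsentEvent(phone, p, False, at, channel, "n/a", consent_string))

    def has_consent(self, phone: str, purpose: str, at: datetime) -> bool:
        """State of consent as it stood at `at`, so past sends can be audited later."""
        latest = None
        for e in self._events:
            if e.phone == phone and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def history(self, phone: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.phone == phone]


def handle_inbound(ledger: ConsentLedger, sessions: dict, phone: str, text: str, at: datetime) -> str:
    """Any inbound message opens or refreshes the 24h window; STOP also withdraws consent."""
    sessions[phone] = at
    if text.strip().upper() == "STOP":
        ledger.withdraw(phone, at, "whatsapp_inbound", text.strip())
        return "withdrawn"
    return "session_open"


def send_decision(ledger, sessions, phone, message_type, category, now) -> tuple[bool, str]:
    """Gate an outbound send: DPDP purpose limitation first, then the Meta window rule.

    message_type is "free_form" or "template"; category is the Meta template
    category, here "marketing" or "utility", which must match the consent purpose.
    """
    if category not in ("marketing", "utility"):
        return False, f"unknown category {category!r}"
    if message_type not in ("free_form", "template"):
        return False, f"unknown message type {message_type!r}"
    if not ledger.has_consent(phone, category, now):
        return False, f"no active {category} consent"
    last_inbound = sessions.get(phone)
    in_window = last_inbound is not None and now - last_inbound < SESSION_WINDOW
    if message_type == "free_form" and not in_window:
        return False, "outside 24h customer-service window: use an approved template"
    return True, "ok"


def run_scenario() -> dict:
    """Walk one constructed contact through opt-in, session, expiry and STOP."""
    ledger, sessions, phone = ConsentLedger(), {}, "+919800000001"
    ledger.grant(phone, ("marketing", "utility"), hours(0), "web_form", "v1.2",
                 "I agree to order updates and marketing messages")
    out = {"marketing_template_after_optin": send_decision(ledger, sessions, phone, "template", "marketing", hours(1)),
           "free_form_without_session": send_decision(ledger, sessions, phone, "free_form", "utility", hours(1))}
    handle_inbound(ledger, sessions, phone, "hi", hours(2))
    out["free_form_inside_window"] = send_decision(ledger, sessions, phone, "free_form", "utility", hours(25))
    out["free_form_after_window"] = send_decision(ledger, sessions, phone, "free_form", "utility", hours(27))
    out["template_after_window"] = send_decision(ledger, sessions, phone, "template", "utility", hours(27))
    out["stop"] = handle_inbound(ledger, sessions, phone, " stop ", hours(28))
    out["marketing_after_stop"] = send_decision(ledger, sessions, phone, "template", "marketing", hours(29))
    out["consent_as_of_hour_10"] = ledger.has_consent(phone, "marketing", hours(10))
    out["log_rows"] = len(ledger.history(phone))
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two design points matter for an audit. `has_consent` is evaluated as of a supplied time rather than "now", so the ledger can later prove that a send at hour 10 was covered even though consent was withdrawn at hour 28. And the gate checks consent before the window: an open session never authorises a marketing send to someone who only consented to utility messages, which is the purpose-limitation failure the answer above describes.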
Where do I go after I complete this checklist?
Run the interactive Compliance Self-Audit at /tools/compliance-self-audit to map which other Indian regulations apply to your sector — DPDP, RBI, IRDAI, AIGF, Section 194BA, NHCX FHIR, SEBI BRSR, GST e-invoice, Consumer Protection (E-commerce) Rules. The two tools are designed to be used together.
Run the personalised audit next
The 47-point checklist is the universal baseline. To find out which sector-specific regulations apply on top — RBI, IRDAI, AIGF, Section 194BA, NHCX FHIR, SEBI BRSR, GST e-invoice, Consumer Protection (E-commerce) Rules — run the 60-second self-audit.