DPDP Act 2023 Audit Workbook for WhatsApp Business · India 2026

The 47-point checklist at /lead-magnets/dpdp-readiness-checklist is a flat yes/no list — a fast first scan. This workbook is the deeper fillable audit instrument that maps your specific WhatsApp stack to DPDP Sections 5, 6, 7, 8, 11 and 16, computes a 0–100 risk score and produces section-level remediation. The two are designed to be used together: scan first, then audit.

Section 2(t) and 8(4) for the data inventory; Section 4 grounds for processing with Section 6 (consent) and Section 7 (certain legitimate uses); Section 6(1) and 6(4) for the consent audit; Section 5 with Rule 3 of the DPDP Rules 2025 for the notice audit; Sections 11, 12, 13 and 14 for Data Principal rights; Section 16 for cross-border transfer; Section 10 for the Significant Data Fiduciary test; and Section 8(6) with Rule 6 of the DPDP Rules 2025 for the 72-hour breach response.

No. The workbook is an educational audit instrument that helps you and your team understand DPDP obligations against your real WhatsApp Business stack. It is not legal advice and is not a substitute for review by qualified Indian counsel or an independent data auditor (Section 10(2)(c) of the DPDP Act). Use it to surface gaps and brief your lawyer or DPO.

Yes — the interactive web version saves answers to your browser localStorage so you can resume the audit across sessions. Nothing is sent to RichAutomate servers from the workbook itself (only the lead form on this page submits to our backend). Print to PDF or "Save as PDF" any time to keep an offline copy.

Section 8(6) of the DPDP Act 2023 requires the Data Fiduciary to notify the Data Protection Board and affected Data Principals in case of a personal-data breach. Rule 6 of the DPDP Rules 2025 specifies "without delay, in any case within 72 hours of becoming aware" unless the Board grants an extension. The workbook tests whether your incident-response plan, detection capability, notification templates and forensic capability are ready to hit that clock.

The Central Government may notify a Data Fiduciary as Significant under Section 10 based on six criteria: volume and sensitivity of personal data processed, risk to Data Principal rights, potential impact on India's sovereignty and integrity, risk to electoral democracy, security of the State, and public order. The workbook flags your likely SDF exposure based on volume (50 lakh+), sensitivity (KYC / health / financial / children), and automated decisioning.

Section 16 of the DPDP Act 2023 permits cross-border transfer to any country EXCEPT those specifically restricted by Central Government notification (negative-list regime). Sectoral regulators (RBI for payment data, IRDAI for insurance, SEBI for securities, MeitY for health) may impose stricter India-only residency. Section 6 of the workbook walks you through this layered analysis, including AI / LLM vendors.

The workbook is published by RichAutomate Editorial · India DPDP Compliance Desk. RichAutomate is an Indian WhatsApp Business SaaS focused on DPDP-compliant messaging for Indian SMBs. For commercial enquiries write to [email protected].