checkDPDP

DPDP Tools · Free

DPDP Prerequisites Checklist — 62 items across 9 categories

The exact documentation, system inventory and policy artefacts your DPO or external auditor will ask for in the first week of a DPDP Act 2023 + Rules 2025 engagement. 40 Mandatory · 19 High · 3 Medium. Track owners, dates and status — exports to CSV, saves in your browser, no signup.

  • Total prerequisites: 62, across 9 categories
  • Mandatory: 40 · must be provided before assessment begins
  • High priority: 19 · required during assessment phase
  • Categories: 9 · filter, track and export by category

Interactive tracker

Work through the 62 prerequisites

Filter by category or priority, set status and owner, and export the full list to CSV. Everything is stored locally in your browser — nothing is uploaded.

Progress saves in your browser only — nothing is uploaded. Clear your site data to wipe it.


Governance

  • 1. Organisation chart — full hierarchy showing all departments and reporting lines · Mandatory · PDF / PPT
  • 2. List of all legal entities, branch locations and registered offices · Mandatory · Excel / Word
  • 3. DPO appointment letter — mandatory only if SDF designation confirmed · Mandatory · Word / Email
  • 4. Privacy contact designation published under Rule 9 — name and contact details · Mandatory · Word / Email
  • 5. Board or senior management data governance mandate or resolution · Mandatory · Word / PDF
  • 6. Existing Information Security Policy — current approved version · Mandatory · Word / PDF
  • 7. Existing Privacy Policy — current version with effective date · Mandatory · Word / PDF / URL
  • 8. Leadership confirmation of DPDP Act 2023 and Rules 2025 awareness · Mandatory · Word / Email
  • 9. Existing privacy or data protection framework — ISO 27701, SOC2, HIPAA if any · Medium · PDF / Word

Data Inventory

  • 10. Purpose register — all purposes for which personal data is collected with declared lawful basis per Section 4 · Mandatory · Excel
  • 11. Categories of personal data collected — all types including patient, employee, vendor · Mandatory · Excel
  • 12. Special category data list — health, biometric and children data inventoried separately · Mandatory · Excel
  • 13. Data flow diagrams for all processes — patient registration, sample collection, report delivery, billing · Mandatory · Visio / PDF / PPT
  • 14. Inventory of all IT systems processing personal data — LIS, HIS, mobile app, billing, HR · Mandatory · Excel
  • 15. Estimated data subject volume per system — number of patients, employees, vendors per application · High · Excel
  • 16. Cross-border data transfer details — destination countries, data categories, transfer mechanism · Mandatory · Excel / Word
  • 17. Data retention schedule per category — how long each personal data type is kept and why · Mandatory · Excel / Word
  • 18. Statutory retention obligations — MCI Regulations 2002, NDPS Act 1985, POCSO Act 2012 · Mandatory · Word / Excel

IT Systems

  • 19. LIS / HIS / EHR system documentation — vendor, version, hosting details, modules used · Mandatory · PDF / Word
  • 20. Network architecture diagram — internal network, DMZ, cloud connectivity, remote access · High · Visio / PDF
  • 21. Database inventory — on-prem, cloud and hybrid — database type, location, data residency country · Mandatory · Excel
  • 22. Cloud provider contracts and data residency confirmation — which region, which data · Mandatory · PDF / Word
  • 23. API integration list — hospitals, diagnostic aggregators, insurance, government portals · High · Excel / Word
  • 24. Mobile application architecture documentation — iOS, Android, backend, third-party SDKs · High · PDF / Word
  • 25. Access control matrix — all roles, permissions and systems accessible per role · Mandatory · Excel
  • 26. Encryption status per system — at rest and in transit — confirmed by IT team · Mandatory · Excel
  • 27. Audit log configuration — what events are logged, where logs are stored, retention period · Mandatory · Word / Excel
  • 28. Latest Vulnerability Assessment and Penetration Test reports — last 12 months · High · PDF
  • 29. Backup and disaster recovery documentation — backup frequency, retention, recovery testing · High · PDF / Word

Consent Management

  • 30. All patient registration forms — physical and digital versions including telemedicine and home collection · Mandatory · PDF / Image / Word
  • 31. Website privacy policy and cookie consent mechanism — current live version · Mandatory · URL / Screenshot
  • 32. Mobile app consent flows and permission screens — screenshots of all consent steps · Mandatory · Screenshot / PDF
  • 33. Consent records management process — where consent records are stored, how long kept · High · Word / SOP
  • 34. Consent withdrawal mechanism documentation — how patients can withdraw consent per Section 6(4) · Mandatory · Word / SOP
  • 35. Consent record storage details — system, format and retention period for stored consent records · Mandatory · Word / Excel
  • 36. Minor patient consent process — age verification mechanism and parental consent workflow · Mandatory · Word / Form
  • 37. Research or analytics consent forms — if patient data is used for any research or reporting purpose · High · Word / Form
  • 38. Marketing consent and opt-out mechanism — how patients opt in and out of communications · High · Screenshot / SOP

Data Principal Rights

  • 39. Patient rights request process documentation — access, correction, erasure requests handling · Mandatory · Word / SOP
  • 40. Sample rights request form provided to patients — access, correction, erasure request form · High · PDF / Word
  • 41. Rights fulfilment SLA documentation — internal target response time per right type · Mandatory · Word
  • 42. Rights request log — records of all rights requests received and their resolution — last 12 months · High · Excel

Vendor Management

  • 43. Complete vendor list — all vendors with whom personal data is shared, with data categories shared per vendor · Mandatory · Excel
  • 44. Data Processing Agreement status list — which vendors have signed DPA, which are pending · Mandatory · Excel
  • 45. Key vendor contracts with privacy and DPA clauses — hospital partners, aggregators, cloud providers · Mandatory · PDF
  • 46. Sub-processor list for cloud and IT vendors — third parties used by your processors · High · Excel
  • 47. Vendor security certifications — ISO 27001, SOC2 Type 2 certificates from key data processors · High · PDF
  • 48. Cloud data residency confirmation per provider — region, data types stored · Mandatory · Excel
  • 49. Third Party Risk Management process documentation — if formal TPRM process exists · High · Word / SOP

Retention and Erasure

  • 50. Data retention and disposal schedules — all categories with retention period and disposal method · Mandatory · Word / Excel
  • 51. Erasure and destruction process documentation — how personal data is deleted when retention period ends · Mandatory · Word / SOP
  • 52. Backup erasure process — confirmation that backups are also erased and not only live systems · High · Word / SOP
  • 53. Statutory retention conflict documentation — where MCI or NDPS retention overrides DPDP erasure obligation · Mandatory · Word

Incidents and Breach

  • 54. Data breach response plan — Incident Response Plan covering Rule 7 DPB notification obligations · Mandatory · Word / PDF
  • 55. IRP testing records — date and method of last test or drill · High · Word / PDF
  • 56. History of past data incidents or security events — last 3 years · Mandatory · Excel / Word
  • 57. Grievance redressal mechanism details — published contact, SLA, escalation process · Mandatory · URL / SOP
  • 58. Previous regulatory notifications sent — CERT-In, SEBI, IRDA or any other regulator · Medium · Word / PDF

HR and Training

  • 59. Employee personal data processing activities — what employee data is collected and for what purpose · High · Excel / Word
  • 60. HR data inventory — categories of employee data held, systems, retention periods · High · Excel
  • 61. Data privacy training records — who was trained, when, on what content · Medium · Excel / PDF
  • 62. Employee confidentiality agreements and NDAs — standard template and signed copies · High · Word / PDF

Why this list

What goes into the checklist — and what is intentionally left out

Built from real engagements

The 62 items are the practical artefacts external DPOs and assessors actually request in the first week of a Data Protection Act engagement — particularly for diagnostic chains, hospitals, fintechs and large enterprises with stacked sector regulators (MCI, NDPS, POCSO, ABDM, RBI, IRDAI). The list is deliberately documentation-led, not opinion-led.

Pairs with the Gap Analysis tool

Use this checklist first to gather inputs; then run the Gap Analysis tool to map each input to a specific DPDP section, penalty exposure band and recommended action. The two together replicate what a paid GRC consultant would do over a 6-week engagement.