A Project by Meridian Bridge Strategy
Compliance Guide

90-Day DPDP Compliance Roadmap

A practical, actionable 90-day plan to take your organization from zero to DPDP-compliant. Book a DPDP clarity call.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For 90-Day DPDP Compliance Roadmap, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can we use the 90-day window to send a mass email asking for new consent?

Yes, but the notice must be available in English and any of the 22 languages listed in the Constitution if the user prefers. You must record the exact timestamp and version of the notice the user accepted.

What happens to our physical paper records during this 90-day sprint?

Physical documents like visitor logbooks or printed CVs fall under the Act. You must move these to locked cabinets and create a simple logbook to track which employees access those files.

Do we need to appoint a Data Protection Officer (DPO) immediately?

Only if the government classifies you as a Significant Data Fiduciary based on data volume. For most firms, the 90-day goal is designating one staff member to respond to users who want to see or delete their data.

Real-World Examples Companies struggling with this issue

EV

Ather Energy

42

Ather Energy's privacy policy demonstrates a foundational commitment to data security and transparency in collection. However, it lacks specific alignment with the stringent requirements of India's Digital Personal Data Protection Act 2023. Key areas needing significant enhancement include explicit DPDP Act reference, granular and explicit consent mechanisms, defined data retention periods, robust Data Principal rights frameworks, and clear grievance redressal processes that include the Data Protection Board. The current policy's reliance on general 'applicable laws' rather than DPDP-specific provisions creates potential regulatory exposure, especially concerning consent and data principal rights.

⚠️ No explicit DPDP Act 2023 reference; relies on generic 'applicable laws' language
⚠️ Consent mechanism appears implied ('voluntarily provide') and not 'free, specific, informed, and unambiguous' as required by Section 6
+5 more gaps detected
Mar 2026 View Report
Automotive E-commerce

CarDekho

48

CarDekho's privacy policy, while detailing data collection and usage, has not yet explicitly aligned with the Digital Personal Data Protection Act 2023. Key areas such as granular consent, specific data retention periods, a clear mechanism for Data Principal rights (including nomination), and escalation to the Data Protection Board are missing. The policy's reliance on general consent for cross-border transfers and lack of explicit DPDP references pose significant compliance challenges given the new Indian data protection landscape.

⚠️ No explicit DPDP Act 2023 reference — still implicitly operates under IT Act 2000 framework in earlier versions, and the most recent policy makes no explicit reference to DPDP Act.
⚠️ Consent mechanism appears bundled with service terms, not 'freely given' per Section 6; acceptance of policy implies consent.
+5 more gaps detected
Mar 2026 View Report
SaaS & IT

Freshworks

35

Freshworks' privacy policy, with a future effective date of July 2025, is primarily tailored for international laws like GDPR and CCPA. Despite having an Indian entity, the policy completely omits the DPDP Act 2023, broadly claims 'legitimate interests' for many processing activities, and lacks critical details on data retention and security measures (in the provided text), exposing its Indian operations to significant DPDP non-compliance risks.

⚠️ No explicit DPDP Act 2023 reference or compliance framework
⚠️ Broad use of 'legitimate interest' where DPDP requires consent
+6 more gaps detected
Feb 2026 View Report
Book clarity call