Has your organisation mapped all personal data it collects, processes, stores, and shares?

Do you have a documented lawful basis for each personal data processing activity?

Can your customers withdraw their consent easily and quickly — within the same number of steps as giving it?

Do you have a written contract with every vendor or partner who processes personal data on your behalf?

Can you fulfil a Data Principal's request to access their own data within 30 days?

Can you delete a customer's personal data on request while retaining what is legally required by RBI/SEBI/IRDAI?

Do you have a data breach notification process that can reach the Data Protection Board within 72 hours?

If you process children's data (minor account holders), do you obtain verifiable parental consent?

Do you have a DPDP-compliant privacy notice in plain language (not just legalese) accessible on your website?

Have you assessed whether your organisation is likely to be designated a Significant Data Fiduciary and prepared for the additional obligations?