SDF Designation Status and Cycle Anchor

Central Government notification designating the entity as an SDF under Section 10(1) obtained and filed; date of notification recorded as the cycle anchor date under Rule 13(1)
The 12-month audit cycle counted forward from the anchor date; current cycle's start and end dates documented
Board of Directors formally informed of SDF designation, the Rule 13 obligations, and the annual cycle; resolution recorded
Data Protection Officer appointed in writing per Section 10(2)(a): represents the SDF under the Act, based in India, point of contact for the grievance redressal mechanism, responsible to the Board of Directors or equivalent governing body; contact details published
DPO appointment letter, escalation matrix, and authority scope documented
Grievance Officer designation distinct from the DPO if applicable; both contactable through published channels
DPO's allocated time, budget, and team capacity proportionate to the volume of processing activities under audit
DPO has direct authority to commission internal investigations, halt processing activities, and report independently to the board

Independent Auditor Selection and Engagement

Independent auditor identified per Section 10(2)(b); independence verified — auditor is not the same firm engaged for DPIA, ROPA, or DPDP implementation advisory in the same cycle
Auditor's qualifications, prior DPDP audit experience, and team composition documented
Written conflict-of-interest declaration obtained from the audit firm, partner-in-charge, and engagement team
Audit Statement of Work signed, defining scope as full compliance with the DPDP Act and Rules — not a subset
Sample-size methodology agreed in writing: how many processing activities sampled, how vendor DPAs sampled, how rights requests sampled, how breach incidents sampled
Audit fieldwork calendar agreed, with interview slots scheduled for DPO, CISO, business owners of each high-risk activity, vendor management lead, security operations lead
Auditor's access protocol agreed: read-only access provisioning, evidence vault scope, no PII exposure beyond audit need, NDA and confidentiality undertakings signed
Audit working papers retention agreed (auditor retains; data fiduciary receives final report and significant observations summary)
Audit fee structure not tied to favourable findings — fixed fee or time-and-materials; performance-linked structures explicitly excluded

DPIA Inventory Ready for Examination

Master list of all processing activities maintained and reviewed within the 30 days before audit fieldwork starts
Each processing activity classified by risk level using a documented methodology applied consistently across the estate
DPIA completed within the current 12-month cycle for every processing activity classified as high-risk
Each DPIA documents the purpose of processing, categories of personal data, categories of data principals, retention period, and lawful basis under Section 4 of the Act
Each DPIA documents necessity and proportionality reasoning — not template language, but reasoning specific to the activity
Each DPIA documents identified risks to data principal rights, rated on a consistent scale, with mitigations mapped one-to-one
Residual risk after mitigation rated, with named accountable owner sign-off for each residual risk above the institution's defined tolerance
Algorithmic-fairness assessment completed per Rule 13(3) for every processing activity involving automated decisioning with significant individual impact — assessment documents the algorithm class, training data lineage, bias-testing methodology, fairness metrics applied, and findings
Cross-border transfer assessment completed for any activity falling within Rule 15 scope; transfer mechanism documented; receiving-jurisdiction adequacy or contractual safeguards evidenced
DPIA report for each activity is versioned, integrity-locked after DPO approval, and traceable to the underlying evidence

Evidence Package for the Audit Period

ROPA current, DPO-reviewed, and reconcilable to the master processing-activity list; every activity in ROPA traceable to a DPIA where high-risk, and to a lawful basis where processed
Consent records for the audit period retained per Rule 6, minimum 1 year; record contains timestamp, notice version, data principal identifier, granular purpose choices, and method of capture
Consent-withdrawal log for the audit period, with downstream-processor notification evidence
Rights-request log for the audit period, covering every right under Sections 11–14: request received, identifier provided, verification method, response time, outcome (fulfilled / refused with lawful basis / extended with reason), evidence of response delivery
Grievance log distinct from rights-request log; redressal time tracked; nothing open beyond 90 days
Breach incident log covering the full audit period: every awareness event logged with awareness timestamp, severity classification, parallel-clock triggers (DPB, CERT-In, sectoral regulator), notifications issued to affected data principals and the DPB without delay, 72-hour detailed report submitted per Rule 7, post-incident review
Vendor DPA inventory complete and current; each processor DPA contains Section 8/9 mandatory clauses, sub-processor flow-down, audit rights, breach notification timeline, deletion-on-termination provisions
Sub-processor onward-flow logs maintained for the audit period
Retention and deletion logs per Rule 8: scheduled deletions executed, exceptions justified, override approvals recorded
Security safeguard documentation per Rule 6: access controls, encryption at rest and in transit, integrity protections, log retention (1-year minimum), incident detection capability, restoration capability
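The DPIA inventory and evidence package items above are the ones an auditor tests mechanically: is the master list fresh, does ROPA reconcile to it both ways, does every high-risk activity have a DPIA approved inside the current cycle, and has any approved DPIA been altered since the DPO signed it. The script below is an added example written for this page, not code from the checklist or any DPDP tooling; the data model (activity dictionaries, a DPIA record locked with a SHA-256 digest at approval, ROPA as a set of activity identifiers) and every record, identifier and date in it are constructed for illustration. The 30-day freshness rule and the 12-month cycle counted from the notification date are taken from the checklist; the anchor date is assumed.

```python
"""Added example, not part of the checklist: pre-fieldwork reconciliation of the
master processing-activity list, the DPIA inventory and the ROPA, plus the
integrity check on DPO-approved DPIA reports. All inputs are constructed."""
from __future__ import annotations

import hashlib
import json
from datetime import date, timedelta


def canonical_hash(report: dict) -> str:
    """Integrity lock for a DPIA report: SHA-256 over canonical JSON. Recorded at
    DPO approval; any later edit to the report changes the digest."""
    blob = json.dumps(report, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic; 29 February rolls back to the 28th in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def current_cycle(anchor: date, on: date) -> tuple[date, date]:
    """12-month window counted forward from the notification date that contains `on`."""
    start = anchor
    while add_years(start, 1) <= on:
        start = add_years(start, 1)
    return start, add_years(start, 1) - timedelta(days=1)


def reconcile(master: dict, dpias: list, ropa: set, anchor: date, fieldwork_start: date) -> list[dict]:
    """One finding per gap an auditor would raise against the evidence package."""
    findings: list[dict] = []

    def flag(code: str, activity: str, detail: str) -> None:
        findings.append({"code": code, "activity": activity, "detail": detail})

    cycle_start, cycle_end = current_cycle(anchor, fieldwork_start)
    freshness_floor = fieldwork_start - timedelta(days=30)

    # Verify each locked DPIA against its approval digest before trusting its contents.
    dpia_for: dict[str, dict] = {}
    for entry in dpias:
        rec = entry["record"]
        if canonical_hash(rec) != entry["approval_hash"]:
            flag("DPIA_INTEGRITY", rec["activity"], f"v{rec['version']} differs from the approved copy")
        dpia_for[rec["activity"]] = rec  # assumes one current DPIA per activity

    for pa_id, pa in master.items():
        if pa["last_reviewed"] < freshness_floor:
            flag("MASTER_STALE", pa_id, f"last reviewed {pa['last_reviewed']}, floor {freshness_floor}")
        if pa_id not in ropa:
            flag("ROPA_MISSING", pa_id, "in master list but absent from ROPA")
        if pa["risk"] != "high":
            continue
        rec = dpia_for.get(pa_id)
        if rec is None:
            flag("DPIA_MISSING", pa_id, "high-risk activity with no DPIA on file")
            continue
        approved = date.fromisoformat(rec["approved"])
        if not cycle_start <= approved <= cycle_end:
            flag("DPIA_OUT_OF_CYCLE", pa_id, f"approved {approved}, cycle {cycle_start}..{cycle_end}")
        if pa["automated_decision"] and not rec.get("fairness_assessment"):
            flag("FAIRNESS_MISSING", pa_id, "automated decisioning without a fairness assessment")

    for pa_id in sorted(ropa - set(master)):
        flag("ROPA_ORPHAN", pa_id, "ROPA entry with no master-list activity")
    return findings


# Constructed inputs: the anchor is an assumed SDF notification date.
CYCLE_ANCHOR = date(2025, 11, 14)
FIELDWORK_START = date(2026, 10, 1)
MASTER = {
    "PA-001": {"name": "Loan underwriting score", "risk": "high", "automated_decision": True, "last_reviewed": date(2026, 9, 20)},
    "PA-002": {"name": "Product newsletter", "risk": "low", "automated_decision": False, "last_reviewed": date(2026, 9, 25)},
    "PA-003": {"name": "Transaction fraud screening", "risk": "high", "automated_decision": True, "last_reviewed": date(2026, 6, 1)},
    "PA-004": {"name": "Payroll", "risk": "medium", "automated_decision": False, "last_reviewed": date(2026, 9, 28)},
}


def lock(report: dict) -> dict:
    """What the DPO approval step stores: the report plus its digest."""
    return {"record": report, "approval_hash": canonical_hash(report)}


DPIA_001 = lock({"activity": "PA-001", "version": 3, "approved": "2026-02-10",
                 "residual_risk": "medium", "fairness_assessment": True})
DPIA_001["record"]["residual_risk"] = "low"  # edited after approval: the lock must catch this
DPIA_003 = lock({"activity": "PA-003", "version": 1, "approved": "2025-05-30",
                 "residual_risk": "high", "fairness_assessment": False})
DPIAS = [DPIA_001, DPIA_003]
ROPA = {"PA-001", "PA-002", "PA-004", "PA-009"}  # PA-003 missing, PA-009 orphaned

if __name__ == "__main__":
    for f in reconcile(MASTER, DPIAS, ROPA, CYCLE_ANCHOR, FIELDWORK_START):
        print(f"{f['code']:<18} {f['activity']:<7} {f['detail']}")
```

Run against the constructed inputs it raises six findings: the post-approval edit to PA-001's DPIA, and for PA-003 a stale master entry, a missing ROPA line, a DPIA approved before the cycle started and no fairness assessment, plus the orphaned ROPA entry PA-009. The same structure carries over to the other evidence logs on this page (consent records, rights requests, vendor DPAs) by swapping the record shape and the checks; the integrity lock is the piece worth keeping as-is, since "integrity-locked after DPO approval" means nothing unless something recomputes the digest before fieldwork.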

Specialist Obligations

Children's data processing — if applicable — evidenced under Rule 10: verifiable parental consent mechanism, age-gating technical measures, and controls enforcing the Section 9(3) prohibition on tracking, behavioural monitoring, and targeted advertising directed at children
Cross-border transfers — if applicable — documented per Rule 15 with the Central Government's notification status for each receiving jurisdiction
Data localisation posture — if applicable — documented for any class of personal data designated by the Central Government under Rule 13(4); inbound and outbound traffic data flows mapped
Algorithmic systems inventory maintained; each system's DPIA, fairness assessment, and oversight log linked
Human oversight logs maintained for automated decisioning systems; oversight level recorded per decision class (full human, human-in-the-loop, post-hoc review)
Shadow AI register maintained — unsanctioned AI tools in use across the organisation discovered, registered, and risk-classified
AI asset register reconciled with the algorithmic systems inventory

DPB Submission Preparation

Significant observations from the DPIA and audit consolidated per Rule 13(2)
Each significant observation includes: nature of observation, root cause, affected processing activities, regulatory provision implicated, severity rating, remediation plan, remediation owner, target closure date
Board-level review of significant observations completed; board resolution recording acceptance of findings and approval of remediation plan
Submission package prepared in the format specified by the DPB for Rule 13 reporting
Submission window confirmed; submission completed within the prescribed period from cycle close
Acknowledgement of submission from the DPB obtained and filed
Open findings tracked to closure on an independent log; closure verified by the auditor where required
Next 12-month cycle scheduled; cycle anchor preserved unless re-notification occurs

Pre-Fieldwork Readiness Review

Mock audit conducted internally 30–60 days before independent fieldwork; gaps identified and remediated
All evidence accessible from a single index — auditor should not be told “we have this somewhere”
DPO, CISO, and named business owners briefed on audit scope, methodology, and their interview windows
Communication protocol set for the audit window: who responds to auditor requests, escalation path, response-time commitment
Sensitive-finding protocol agreed: how a finding implicating senior leadership is handled; how a finding requiring immediate processing halt is handled
Post-audit communication plan agreed: how findings are communicated internally, to the board, to affected data principals if required, and to the DPB