How DPDP Self-Check translates your answers into a compliance score, maturity rating, and gap analysis.
Each question has a weight (1–3) and a response multiplier:
100%
Yes
50%
Partial
0%
No
Excluded
N/A
Section score = Σ(response_multiplier × question_weight) / Σ(question_weight for non-N/A questions) × 100. N/A answers are excluded from both numerator and denominator.
Significant gaps. The organisation lacks fundamental controls for most obligations. Immediate action required. High regulatory risk.
Some controls are in place but coverage is inconsistent. Key obligations are partially met. A structured remediation plan is needed.
Most obligations are met with documented controls. Gaps are specific and addressable. Organisation can demonstrate compliance readiness to auditors.
Comprehensive compliance posture with proactive controls. Suitable for presenting to a DPO, external auditor, or the Data Protection Board.
The composite score is a penalty-exposure weighted average of section scores. Sections that carry higher penalties under the DPDP Schedule have greater weight in the composite, so fixing the most consequential gaps has the most impact on your score.
| Section | DPDP Citation | Max Penalty | Weight |
|---|---|---|---|
| Security Safeguards | Section 8(5) | Up to INR 250 crore | 10 |
| Breach Notification | Section 8(6) | Up to INR 200 crore | 9 |
| Children's Data | Section 9 | Up to INR 200 crore | 9 |
| Significant Data Fiduciary | Section 10 | Up to INR 150 crore | 8 |
| Notice & Consent | Sections 5-7 | Up to INR 50 crore | 7 |
| Data Fiduciary Obligations | Section 8 | Up to INR 50 crore | 7 |
| Cross-Border Transfer | Section 16 | Up to INR 50 crore | 6 |
| Data Protection Officer | Section 10(2)(b) | Part of SDF obligations | 5 |
| Data Principal Rights | Sections 11-14 | INR 10,000 per complaint | 4 |
| Grievance Redressal | Section 13 | INR 10,000 per complaint | 4 |
| Applicability & Scope | Sections 2-3 | Foundational — enables all other obligations | 3 |
Trade-off: Weighting by penalty exposure incentivises focus on high-risk areas but may understate breadth of compliance. An organisation could score well on Security Safeguards but poorly on Grievance Redressal and still get a high composite score. Review section-level scores independently.
The DPDP Act imposes obligations on all Data Fiduciaries processing personal data. It would be paradoxical for a DPDP compliance tool to itself violate those principles. DPDP Self-Check is designed to model DPDP compliance at the architectural level:
This design directly implements the data minimisation and purpose limitation principles of the DPDP Act — collecting no data beyond what is strictly necessary for the tool to function.
Disclaimer & Limitations
This tool is a self-assessment aid and does not constitute legal advice. It is not a substitute for a professional privacy audit or the advice of qualified privacy counsel.
The DPDP Rules 2025 are being notified in stages. This tool reflects the DPDP Act 2023 and Rules as available in June 2025. Some questions reference pending Rules provisions; compliance obligations in those areas will be confirmed once the Rules are fully notified.
This tool does not imply endorsement by MeitY, the Data Protection Board of India, or any government body. "DPDP Self-Check" is an independent third-party tool.
Always consult a qualified privacy lawyer before making binding compliance decisions.