

Every serious DPDP compliance journey starts the same way: with data inventory and mapping. Before you can fix consent, rewrite privacy notices, or set up breach reporting, you need one honest answer to a simple question: what personal data does your business actually hold, and where is it?
Most businesses are surprised by their own answer. Customer emails sit in a CRM, order data in an e-commerce platform, resumes in HR inboxes, payment details with a payment vendor, and old spreadsheets on someone's laptop. Under the DPDP Act, 2023, you are the Data Fiduciary for all of it, and with the DPDP Rules 2025 notified on 14 November 2025, the law is fully operational with penalties of up to ₹250 crore per violation.
DPDP data mapping turns that scattered picture into a single, documented inventory. It is the foundation every other obligation is built on, which is why it is always the first thing we check in our free DPDP audit.
No cost. No obligation. Get your compliance gap report.
A complete DPDP data map answers six questions about every piece of personal data your business processes.
What personal data do you collect? Names, emails, phone numbers, addresses, IDs, payment details, employee records, health or student data.
Where does the data come from? Website forms, apps, walk-in customers, job applications, purchased lists, or partner referrals.
Where does it live? Cloud platforms, on-premise servers, laptops, spreadsheets, email inboxes, and backups all count.
How does data move between your systems, teams, branches, and third parties, including any cross-border transfers?
Which vendors process data on your behalf? Cloud hosts, payroll providers, marketing agencies. You stay legally responsible for them.
How long do you keep each data type, and when is it deleted? The Act requires erasure once the purpose is served or consent is withdrawn.
The output of your mapping exercise should be a RoPA, a structured register of every processing activity in your business.
| RoPA Field | What It Records |
|---|---|
| Processing activity | e.g. customer onboarding, payroll, marketing emails |
| Personal data involved | Itemized list of the data types used in that activity |
| Purpose | Why the data is processed, linked to consent or a legitimate use |
| Storage location | System, platform, or physical location holding the data |
| Processors involved | Vendors handling the data, and whether contracts are in place |
| Retention period | How long the data is kept and when it gets erased |
This RoPA-style documentation becomes the single source of truth for your privacy notices, consent records, vendor contracts, retention schedule, and breach response. When a customer asks "what data do you hold about me and who is it shared with", or when the Data Protection Board asks questions after a breach, the RoPA is where the answers come from.
Handling employee records or HR data too? See our page on DPDP for HR and employee data. Transferring data outside India? Read about cross-border data transfers under DPDP.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup typically takes 2-6 months, and data mapping is where it starts.
Start With a Free AuditData mapping is step 1. See the full law, deadlines, penalties, and the complete compliance checklist on our main DPDP guide.
Learn Everything About DPDP ComplianceIt is a documented inventory of all the personal data your business handles: what you collect, where it comes from, where it is stored, how it flows between systems and vendors, which processors touch it, and how long you keep it. It is treated as step 1 of DPDP compliance everywhere.
RoPA stands for Records of Processing Activities: a structured register documenting each processing activity, the data involved, its purpose, storage location, the processors involved, and the retention period. It is the standard format for recording your data mapping results.
Because every other obligation depends on it. Accurate privacy notices, valid consent, on-time deletion, vendor contracts, and the 72-hour breach report all require knowing exactly what personal data you hold, where it lives, and who can access it.
It depends on how many systems and vendors you use. Mapping sits inside the overall DPDP setup, which typically takes 2-6 months end to end. Starting now keeps you comfortably ahead of the 13 November 2026 consent deadline.
Our free DPDP audit starts with exactly this: a review of the personal data you collect and where it is stored.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.