Evidence Pack Overview
This guide provides a comprehensive mapping of DPDP Act requirements to the evidence that auditors and regulators will expect to see. Use this as a checklist to ensure your organisation is audit-ready.
Evidence Principle
For each DPDP requirement, you should have: (1) Documentation showing the control exists, (2) Records demonstrating the control operates, and (3) Evidence of periodic review and improvement.
Governance Evidence
Accountability and Oversight
| Requirement | Evidence Required |
|---|---|
| Management accountability | Board resolution or executive memo assigning accountability; Privacy governance charter; Meeting minutes showing privacy oversight |
| Privacy roles defined | Organisation chart showing privacy function; Job descriptions; RACI matrix for privacy activities |
| Published contact details | Privacy notice showing contact; Website screenshot; Grievance officer details published |
Policies and Procedures
| Requirement | Evidence Required |
|---|---|
| Privacy policy | Approved privacy policy document; Version history; Distribution/communication records |
| Data retention policy | Retention schedule by data type; Policy document; Evidence of retention enforcement |
| Procedures documented | Procedure documents for consent, rights, breach; Evidence procedures are followed |
Notice and Consent Evidence
Privacy Notices
| Requirement | Evidence Required |
|---|---|
| Notice content complete | Privacy notices (all versions); Checklist showing required elements; Legal review records |
| Notice timing | Screenshots showing notice before/at collection; User journey documentation |
| Multi-language support | Notices in English and applicable scheduled languages; Translation records |
| Notice updates | Change log; Notification records to principals; Version archive |
Consent Management
| Requirement | Evidence Required |
|---|---|
| Valid consent obtained | Consent collection UI screenshots; Consent database records; Sample consent records showing who, what, when |
| Consent characteristics | Evidence consent is free (no bundling), specific (per purpose), informed (notice provided), unconditional, unambiguous |
| Consent withdrawal | Withdrawal mechanism screenshots; Sample withdrawal records; Processing cessation evidence |
| Children's consent | Age verification mechanism; Parental consent records; Evidence of no tracking/targeting of children |
Data Principal Rights Evidence
| Right | Evidence Required |
|---|---|
| Right to information | Request intake form/portal; Identity verification process; Sample responses showing summary of data, processing, sharing |
| Right to correction | Correction request records; Evidence of data updates made; Communication to principal |
| Right to erasure | Erasure request records; Evidence of deletion from systems; Confirmation to principal |
| Request tracking | Request log showing receipt date, response date, outcome; Response time metrics |
| Grievance redressal | Grievance officer designation; Published contact; Grievance log; Resolution records; Escalation evidence |
Security Safeguards Evidence
| Requirement | Evidence Required |
|---|---|
| Reasonable security safeguards | Security policy; Technical controls documentation; Access control evidence; Encryption configuration; Penetration test reports |
| Security monitoring | Security monitoring tools; Log retention; Alert handling records; Incident response capability |
| Breach prevention | Vulnerability management records; Patch management evidence; Security awareness training records |
| Periodic review | Security assessment reports; Audit findings; Remediation tracking |
Breach Response Evidence
| Requirement | Evidence Required |
|---|---|
| Breach response capability | Breach response plan; Response team roster; Contact list; Escalation procedures |
| Breach detection | Detection mechanisms; Alert thresholds; Sample detection records |
| Board notification (72 hours) | Notification template (Form DPB-1); Process for timely notification; Sample notifications (if breaches occurred) |
| Principal notification | Notification criteria; Template communications; Sample notifications (if breaches occurred) |
| Breach register | Breach log (even if no breaches); Lessons learned documentation |
Processor Management Evidence
| Requirement | Evidence Required |
|---|---|
| Processor contracts | Signed processor agreements; DPDP-compliant clauses; Contract register |
| Processor due diligence | Security assessment records; Questionnaires completed; Risk assessment |
| Processor oversight | Periodic review records; Performance monitoring; Issue tracking |
| Processor obligations flow-down | Contractual terms requiring processor compliance; Evidence of processor compliance |
SDF-Specific Evidence
Additional evidence for Significant Data Fiduciaries:
| Requirement | Evidence Required |
|---|---|
| DPO appointment | Appointment letter; DPO qualifications; Reporting line to Board; Published contact details; DPO activity records |
| Data Protection Impact Assessment | DPIA methodology; DPIA register; Completed DPIAs for high-risk processing; Residual risk acceptance; Review schedule |
| Independent audit | Auditor engagement letter; Auditor qualifications; Audit report; Remediation plan for findings; Submission to Board |
Evidence Checklist
Use this checklist to verify evidence completeness:
Governance (All Fiduciaries)
- Privacy governance charter
- Roles and responsibilities documented
- Privacy policy approved and distributed
- Grievance officer designated and published
- Training records
Notice and Consent
- Privacy notices (all versions, all languages)
- Consent collection mechanism evidence
- Consent database/records
- Consent withdrawal mechanism
- Children's data controls (if applicable)
Data Principal Rights
- Request handling procedures
- Request log/register
- Sample request responses
- Response time metrics
- Grievance handling records
Security and Breach
- Security safeguards documentation
- Breach response plan
- Notification templates
- Breach register (even if empty)
Processors
- Processor register
- Signed agreements with DPDP clauses
- Due diligence records
- Oversight evidence
SDF Additional
- DPO appointment and activity records
- DPIA register and completed assessments
- Annual audit report
- Board submission records
Evidence Maintenance
Evidence should be maintained for the duration of processing plus any required retention period. Establish a regular evidence refresh cycle (quarterly recommended) to ensure evidence remains current and complete.