checkDPDP

Guide

From scan to secure — what to do with each red flag the checkDPDP scanner shows

You ran the scanner. Some categories came back Fail or Warning. Now what? This is the playbook — Fail by Fail — for closing the gaps the scanner finds, with time estimates, the right free tool from the checkDPDP stack, and when to escalate to a paid consultant instead.

15 May 2026 · 8 min read

The scanner is the easy half. The hard half is what to do with the report. This is the per-category playbook — what 'Fail' means in plain English, the cheapest credible fix, and the time it actually takes to ship it.

**Cookie consent (Fail).** Your site fires trackers before the user agrees. Time to fix: 30–90 minutes. Tool: the checkDPDP banner builder — sign in, pick colors, define your cookies, verify ownership, paste the script. The banner is shadow-DOM isolated so it won't break your design. Re-scan when done.

**Privacy notice (Fail).** Either no notice exists, or it's a generic template missing DPDP items (purposes, categories of data, Grievance Officer contact, rights mechanism). Time to fix: 60–120 minutes. Tool: our consent-notice template plus a 30-minute review by anyone in your team who understands what data you actually collect.

**Withdraw consent (Fail).** No way for a user to change their mind after consenting. Time to fix: 30 minutes if you use the checkDPDP banner (re-opens automatically from a 'Manage cookies' footer link); 2 hours otherwise to add a preference centre route.

**Data collection notice (Warning).** Forms collect more than they say they do, or fields are not justified by stated purposes. Time to fix: 1 hour per form to either drop unused fields or update the notice. Tool: walk every form on your site and ask 'why are we asking for this?' — delete what you can't justify.

**Third-party trackers (Fail).** Analytics / pixels / chat widgets load before consent. Time to fix: 2–4 hours of dev work to gate each SDK behind the consent event. This is where most teams underestimate effort — every third-party tag has its own initialisation pattern.
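The gating pattern described above, as an added example that is not the checkDPDP banner's own code: a small consent manager that registers each third-party SDK under a consent category, runs its initialiser only after the user grants that category, and runs a teardown when consent is withdrawn (the 'Manage cookies' case from the withdraw-consent item above). The storage key, the two sample SDKs and their cookie names are constructed for illustration; in a browser the initialiser would inject the vendor's tag and the teardown would expire its cookies, which the two helpers show.

```javascript
// Added example, not the checkDPDP banner's own code: a consent gate that
// defers third-party SDK initialisation until the user grants the relevant
// category, and tears the SDK down again when consent is withdrawn.
// CONSENT_KEY and the two sample SDKs below are constructed for illustration.

const CONSENT_KEY = 'dpdp_consent_v1';

// Minimal in-memory stand-in for window.localStorage so this runs under Node.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

class ConsentManager {
  constructor(storage) {
    this.storage = storage;
    this.loaders = [];               // { category, name, init, teardown, active }
    this.state = this.readState();   // e.g. { analytics: true, marketing: false }
  }

  readState() {
    try { return JSON.parse(this.storage.getItem(CONSENT_KEY)) || {}; }
    catch { return {}; }
  }

  persist() { this.storage.setItem(CONSENT_KEY, JSON.stringify(this.state)); }

  // Register an SDK under a category. init() runs only once consent exists,
  // so a returning user with stored consent gets the SDK immediately and a
  // new visitor gets nothing until they decide.
  register(category, name, init, teardown) {
    this.loaders.push({ category, name, init, teardown, active: false });
    this.sync();
  }

  grant(categories) {
    for (const c of categories) this.state[c] = true;
    this.persist();
    this.sync();
  }

  withdraw(categories) {
    for (const c of categories) this.state[c] = false;
    this.persist();
    this.sync();
  }

  // Bring every loader into line with the current consent state.
  sync() {
    for (const l of this.loaders) {
      const allowed = this.state[l.category] === true;
      if (allowed && !l.active) { l.init(); l.active = true; }
      if (!allowed && l.active) { l.teardown(); l.active = false; }
    }
  }

  activeSdks() { return this.loaders.filter((l) => l.active).map((l) => l.name); }
}

// Browser-side helper: inject a vendor tag. Returns false outside a browser.
function injectScript(src) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Browser-side teardown helper: expire the cookies a vendor set.
function expireCookies(names) {
  if (typeof document === 'undefined') return;
  for (const n of names) document.cookie = `${n}=; Max-Age=0; path=/`;
}

// Walk through the consent lifecycle and report which SDKs were live at each step.
function runConsentFlow() {
  const cm = new ConsentManager(memoryStorage());
  const log = [];
  cm.register('analytics', 'analytics-sdk',
    () => { log.push('analytics init'); injectScript('https://vendor.invalid/analytics.js'); },
    () => { log.push('analytics teardown'); expireCookies(['vendor_session']); });
  cm.register('marketing', 'chat-widget',
    () => log.push('chat init'),
    () => log.push('chat teardown'));

  const beforeConsent = cm.activeSdks();   // nothing fires on page load
  cm.grant(['analytics']);
  const afterGrant = cm.activeSdks();      // only the granted category loads
  cm.withdraw(['analytics']);
  const afterWithdraw = cm.activeSdks();   // teardown ran, SDK is inactive again
  return { beforeConsent, afterGrant, afterWithdraw, log };
}
```

The point of routing everything through `sync()` is that grant, withdraw and late registration all behave the same way, so a tag added by a developer months later cannot accidentally skip the gate. The chat widget never initialises in the flow above because its category was never granted.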

**Section 8 security (Warning / Fail).** No HTTPS, weak headers, leaked server version. Time to fix: 30 minutes for HTTPS via Cloudflare; another hour for security headers (CSP, X-Frame-Options, Referrer-Policy). Use a free header scan like securityheaders.com to verify.
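A self-check of the kind securityheaders.com performs, as an added example that is not checkDPDP's scanner code: it audits one response's headers for plain HTTP, the three headers named above plus two more (Strict-Transport-Security and X-Content-Type-Options, which go beyond the text), weak values, and a Server or X-Powered-By header that discloses a version number. The baseline values, the hostnames and the two sample responses are constructed for illustration; the CSP in the baseline is deliberately strict and is meant to be relaxed per site.

```javascript
// Added example, not checkDPDP's scanner code: a response-header audit of the
// kind securityheaders.com performs, plus a baseline header set to ship.
// The hostnames and the two sample responses below are constructed.

// Baseline values. The CSP is deliberately strict; relax it per site.
function recommendedHeaders() {
  return {
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-frame-options': 'DENY',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'x-content-type-options': 'nosniff',
  };
}

const REQUIRED = Object.keys(recommendedHeaders());

// Normalise header names to lowercase so the audit is case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Audit one response. `url` is used only to flag plain-HTTP origins.
// Returns an array of { severity, header, message }; an empty array means clean.
function auditHeaders(url, rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];
  const add = (severity, header, message) => findings.push({ severity, header, message });

  if (!/^https:/i.test(url)) add('fail', 'transport', 'served over plain HTTP');

  for (const name of REQUIRED) {
    if (!(name in h)) add('fail', name, 'missing');
  }

  // Present-but-weak checks.
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) add('warn', 'strict-transport-security', 'max-age below 180 days');
  }
  const xfo = h['x-frame-options'];
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) add('warn', 'x-frame-options', `unexpected value "${xfo}"`);
  const csp = h['content-security-policy'];
  if (csp && /unsafe-inline|unsafe-eval/.test(csp)) add('warn', 'content-security-policy', 'allows unsafe-inline or unsafe-eval');
  const rp = h['referrer-policy'];
  if (rp && /^(unsafe-url|no-referrer-when-downgrade)$/i.test(rp.trim())) add('warn', 'referrer-policy', `leaky policy "${rp}"`);

  // Version disclosure: a Server or X-Powered-By value carrying a version number.
  for (const name of ['server', 'x-powered-by']) {
    if (h[name] && /\d+\.\d+/.test(h[name])) add('warn', name, `discloses version "${h[name]}"`);
  }
  return findings;
}

// Constructed sample: what a default-configured site typically returns.
const WEAK_SAMPLE = {
  url: 'http://example.invalid/',
  headers: {
    'Server': 'nginx/1.18.0',
    'Content-Type': 'text/html',
    'X-Frame-Options': 'ALLOW-FROM https://partner.invalid',
  },
};

// Constructed sample: the same site over HTTPS after applying recommendedHeaders().
const FIXED_SAMPLE = {
  url: 'https://example.invalid/',
  headers: { ...recommendedHeaders(), 'Server': 'nginx', 'Content-Type': 'text/html' },
};

function runAudit(sample) { return auditHeaders(sample.url, sample.headers); }
```

Run `runAudit(WEAK_SAMPLE)` against the default-configured sample and it reports seven findings (plain HTTP, four missing headers, a non-standard X-Frame-Options value and the nginx version string); the fixed sample reports none. The version check treats any `major.minor` pattern as disclosure, which is the simplest rule that catches the common `nginx/1.x` and `Apache/2.x` banners without a product list.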

**Grievance officer (Fail).** No findable Grievance Officer contact. Time to fix: 15 minutes — add a name (it can be the founder for an SMB), an email, and the 30-day response SLA, both to the privacy notice and the site footer.

**When to escalate to a paid consultant.** If the scanner flags Significant Data Fiduciary indicators (10M+ Indian users, children's data at scale, sensitive industry), or if you're processing financial / health / biometric data, hire one of the India-resident DPO firms from our CMP comparison page (Tsaaro, Cygnet, CyberSRC). The DPIA, the breach-response programme and the periodic audit are not weekend projects.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
