New data privacy act puts Indian companies on high alert


With the rules under the Digital Personal Data Protection (DPDP) Act, 2023 expected to come into force in the coming months, Indian companies are under pressure to overhaul their data handling practices to meet the new legal obligations.

“Readiness is uneven,” said Mini Gupta, cybersecurity partner at EY India. “The larger, tech-savvy firms—especially in IT/ITeS, BFSI, and telecom—are relatively more prepared, thanks to prior exposure to GDPR, HIPAA, or other compliance regimes. However, when it comes to mid-market firms and traditional sectors (manufacturing, retail, logistics), there’s still a significant gap in awareness and implementation.”

According to Gupta, healthcare companies, especially hospitals, face a steep uphill task: they hold large volumes of sensitive personal data but have done little work on data classification and data protection.

Despite the Act being in the works for several years, many companies continue to struggle with fully understanding its provisions.

One of the weakest links is data classification: many firms still lack a clear inventory of the personal data they hold and a mapping of that data to the business processes that use it. Without knowing what personal data they hold or where it resides, compliance is almost impossible.

“The majority of the organizations struggle to meet the DPDPA requirements due to limited resources and privacy not being the mainline agenda,” said Mayuran Palanisamy, partner at Deloitte India. He added that the next set of organizations needs to move away from legacy systems and fragmented data processes in order to build effective consent management and data principal rights management processes.

Most enterprises continue to struggle to implement consent-management frameworks that ensure consent is freely given, specific, informed, unconditional, and unambiguous, as mandated by the Act. Supporting consent management end to end, including withdrawal of consent and later changes to it, may also require significant technology changes. “Consent management is a big hurdle. Sectors like e-commerce are adopting granular consent tools, but traditional industries still use broad, non-compliant policies,” said Amit Jaju, senior managing director at Ankura Consulting Group (India).

While the new rules are rooted in protecting citizens’ digital rights, the burden of implementing them falls heavily on enterprises, which will have to overhaul their data handling practices.

Another critical obligation under the draft rules is mandatory reporting of personal data breaches to the Data Protection Board within 72 hours, along with prompt notification of affected individuals. Breach response readiness is low: only 4% of firms have proactive notification systems, said Jaju.

Companies failing to comply risk penalties of up to Rs 250 crore (roughly $30 million) per instance.

The Act also requires firms designated as significant data fiduciaries to appoint a dedicated Data Protection Officer (DPO) to ensure transparency and accountability in data processing practices and to act as a point of contact for grievances; every data fiduciary must publish the contact details of a DPO or another person able to answer data principals’ questions. Additionally, companies dealing with children’s data must obtain verifiable parental consent, adding operational complexity.

The DPDP Rules are set to be implemented by mid-2025. In an interview with The Hindu, Union Minister for Electronics and IT Ashwini Vaishnaw acknowledged that while large firms are ready to comply with most of the rules, not all companies are equally prepared.

He added that some companies want time to put the consent manager framework in place, while others want to understand the age verification process in greater detail. The government will therefore allow a phased rollout, with a transition period of up to two years for different types of organizations to become fully compliant.

Companies across diverse sectors are now increasingly seeking guidance to assess their readiness for DPDP compliance, to evaluate their current capabilities, and identify gaps.

No time to wait

Experts believe that Indian companies can learn from European companies and their trajectory of GDPR compliance.

“They should prioritize early readiness for DPDPA by mapping personal data flows for each of their processes and digital platforms. The companies should involve cross-functional teams, including legal, IT, and HR, to ensure comprehensive compliance,” added Palanisamy of Deloitte.

Companies should also invest in scalable technologies to streamline compliance processes. But real compliance flows from a privacy culture within the company, so Indian firms can benefit from regular training programs that build a culture of data protection.

Most importantly, companies should start communicating clearly with users, ensuring that consent forms and privacy notices are human-readable rather than legalese-heavy. EY’s Gupta noted that building privacy into systems is time-intensive, and companies should start early.

Operationalizing compliance is not a checkbox exercise; it has to be embedded in training, product design, procurement and similar functions. Third-party privacy risk management will also become more crucial, requiring stringent contractual controls and due diligence on vendors and other third parties that process personal data.
