India’s new Digital Personal Data Protection Act, 2023 (DPDP Act) was passed in August 2023 and notified (with its 2025 Rules) on November 13, 2025. Its implementation is phased: initial provisions (Data Protection Board, definitions, etc.) took effect immediately on notification (Nov 2025), consent-manager provisions in 12 months (Nov 2026), and all substantive obligations in 18 months (May 2027) (see timeline below).
Despite ample runway, surveys show most organizations lagging: e.g. ~70% struggle to interpret the law, 80% have not updated privacy policies or frameworks, and only 40–50% of even leading sectors (consumer/e‑commerce, tech, finance) have started their DPDP compliance journey.
Companies cite legal uncertainties (pending rules, undefined terms), technical hurdles (data inventories, consent infrastructure, legacy IT), and organizational constraints (costs, skills, governance) as key blockers. SMEs and low-regulation sectors (healthcare, industrial) are especially behind.
Background: DPDP Act Overview
India’s journey to a comprehensive data protection law began with the Puttaswamy (2017) Supreme Court verdict and draft bills. The DPDP Act 2023 was enacted on August 11, 2023 and notified (along with the DPDP Rules, 2025) on Nov 13, 2025. Its stated design is “SARAL” (Simple, Accessible, Rational, Actionable) and guided by core principles: consent & transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability.
Key substantive requirements include: a notice to the individual at or before the request for consent (Sec. 5) describing what personal data is collected and for which purposes; consent that is free, specific, informed, unconditional and unambiguous (Sec. 6); a closed list of “legitimate uses” under which processing may proceed without consent (Sec. 7); data principal rights to access, correction and erasure, with a response window of up to 90 days under the Rules; notification of personal data breaches to the Board and to affected individuals; and special rules for children’s data and for persons with disabilities (verifiable parental or guardian consent). Significant Data Fiduciaries (SDFs) face extra obligations (a Data Protection Officer, independent audits, DPIAs, checks on algorithmic software). Penalties are steep and tiered by the type of contravention rather than by the size of the fiduciary: up to ₹250 crore per instance for failing to implement reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for breaching the children’s-data obligations, and lower caps for the remaining categories (₹150 crore for SDF-specific duties, ₹50 crore otherwise).
Key definitions
The Act defines Data Fiduciary as any person (entity) that “determines the purpose and means of processing” personal data (akin to “data controller” in GDPR).
A Data Processor processes personal data on behalf of a fiduciary.
A Data Principal is the individual whom the data relates to (with parents/guardians standing in for children or persons with disabilities).
“Personal data” means any data about an identifiable individual. Only digital personal data is covered: data collected in digital form, or collected offline and subsequently digitised. Purely non-digital records are out of scope.
Consent itself must be “free, specific, informed, unconditional, and unambiguous”, signified by a clear affirmative action, and limited to the personal data necessary for the stated purpose. It must be as easy to withdraw as it was to give.
Notably, the Act introduces the concept of a Consent Manager – a registered third party (which must be an Indian company) that gives individuals an accessible, transparent and interoperable platform to give, manage, review and withdraw consent. Using one is the data principal’s choice: the Act allows consent to be given to the fiduciary directly or through a Consent Manager, so fiduciaries that receive consent via a Consent Manager must be able to act on it, including on withdrawals routed through it.
Many specific obligations (notice content, security standards, breach protocol, cross-border transfer rules, etc.) are fleshed out in the DPDP Rules 2025.
Implementation Timeline and Deadlines
The DPDP Act takes effect in phases. Phase I (Nov 13, 2025) brought key definitions, the Data Protection Board set-up, and foundation provisions into force. Phase II (Nov 13, 2026) will activate the consent-manager regime (registration of Consent Managers and related obligations). Finally, Phase III (May 13, 2027) will bring all remaining obligations into force – full notice/consent requirements, data fiduciary duties, breach reporting (an initial intimation to the Board, followed by a detailed report within 72 hours), cross-border transfer restrictions, data principal rights, DPO appointments (for SDFs), penalties, and enforcement powers. This 18‑month schedule was designed to give businesses time to prepare.
Until the substantive provisions commence, the existing regime (Section 43A of the IT Act and the 2011 SPDI Rules) continues to govern data protection. That leaves roughly 18 months from notification to prepare before enforcement begins. The Act’s penalties bite only once the substantive provisions start (May 2027), so by then every fiduciary must have its core controls in place (see Roadmap below).
Why Companies Are Still Non‑Compliant
Despite the timelines, readiness is low across the board. The gaps are driven by multiple, interlocking factors:
- Legal ambiguities and pending rules. Key aspects of DPDP are still unsettled. For example, the Act has no separate “sensitive personal data” category (health, financial and biometric data are not singled out in the text); instead the Rules allow the government to notify classes of personal data that SDFs must keep within India, and that notification has not been published yet, leaving firms guessing which data will attract heightened handling. Similarly, the “Significant Data Fiduciary” designation (which triggers extra obligations) awaits a separate notification. Cross‑border transfer rules also depend on future notifications of restricted countries. Even the role of Consent Managers is still in flux: the DPDP Rules require them to meet technical interoperability standards, but those have not been issued, making it hard for fiduciaries to integrate their systems. In short, firms face a number of incomplete rules and open questions. Moreover, some provisions differ from global norms – e.g. DPDP omits “legitimate interests” as a lawful basis, which caught 62% of surveyed firms unaware. This uncertainty breeds delay: companies want clarity on the rules before building compliance programs.
- Technical challenges. DPDP places significant IT burdens on organizations. Companies must map all personal data flows, classify the data they hold, and build or acquire systems for consent management, rights fulfilment, breach detection, and secure data storage. Many firms report legacy infrastructure as a key obstacle: older systems do not record which purpose a data item was collected for, or whether consent for that purpose is still active. Breach detection and an intimation workflow that can meet the Rules’ 72-hour reporting window, encryption of data at rest and in transit, automated retention and deletion, and access logging for audit trails are also non-trivial. The absence of off-the-shelf solutions (especially in India) means many firms must custom-build or heavily modify software, a time- and cost-intensive process.
- Organizational and resource barriers. Compliance requires not just tech but people and processes. Surveys highlight that cost and skills are major bottlenecks. Many companies – especially SMEs – have no dedicated data privacy staff, let alone a Data Protection Officer or privacy officer. Larger firms with compliance departments are somewhat better placed, but even they face “patchy” follow-through. For 30% of respondents, DPDP compliance expenses could exceed 10% of turnover, a daunting figure that spooks management.
- Market incentives and enforcement timing. As of 2026, there have been no DPDP enforcement actions or fines. Substantive provisions (and penalties) only take effect in mid‑2027. This gives firms a comfortable buffer. In the absence of regulatory pressure or major breaches under DPDP yet, many organizations adopt a “wait-and-see” mindset. They may assume enforcement will be gradual or that industry associations will influence leniency. Meanwhile, customers and partners have not universally demanded DPDP-compliance as a must-have.
- SME-specific issues. Small and medium enterprises face the steepest climb. They typically lack in-house legal or tech teams and often do not even prioritize data protection. Many Indian SMEs still rely on informal data practices and paper records. The relative burden of establishing formal privacy processes is higher. Although concrete data on SMEs is limited, it is reasonable to infer from industry commentary that cost and complexity deter most SMEs.
Compliance Roadmap and Recommendations
Given the gaps and the ticking clock, companies need a structured, prioritized approach to get DPDP-ready. Here is a phased action plan aligned with the law’s timeline. Key short-, medium-, and long-term steps include:
- Months 0–6 (Immediate, through mid-2026): Conduct data mapping and gap assessments to understand what data you hold, where it is, and how it’s processed. Classify data into categories (especially any potentially sensitive data by analogous definitions). Review all vendor and data processor contracts and plan to update them to DPDP-compliant terms. Begin drafting or updating privacy notices and consents (clear, specific language about purposes) and internal data protection policies. Identify potential Significant Data Fiduciaries (if any – e.g. telecom, healthtech, large social media) and plan for DPIAs/audits. Establish a core compliance team or function: assign roles (data protection officer or officer-in-charge, grievance officer, privacy champions in each business unit).
- Months 6–12 (mid-2026 to Nov 2026): Design and build required systems and processes. Implement or procure a consent management platform and integrate it with customer touchpoints (websites/apps) to capture granular, revocable consent. Develop or extend tools for rights fulfillment (data access/correction requests) and an incident response plan for breaches (with logging and 72-hour notification capability). Formalize data retention schedules and automated deletion processes to enforce storage limits. Finalize DPDP-aligned contracts with processors and cross-border clauses as per upcoming guidelines. Prepare multiple-language notices as required. Begin employee training on DPDP obligations across functions. Consider pilot compliance audits and tabletop drills.
- Months 12–18 (Nov 2026 to May 2027): Complete and deploy solutions. Roll out the new privacy notices and consent flows in production. Activate the full consent manager integration. Formally appoint and notify Data Protection Officers (for SDFs) and Grievance Officers as per the Rules. Conduct final internal audits of all processes, identify gaps, and remediate (e.g. if a DPIA reveals a risk, fix it). Complete all required DPIAs and have them reviewed by management. Ensure governance: board-level oversight, budget allocation for ongoing compliance. Test breach response with mock exercises. Finally, document all efforts meticulously (keep records of audits, policies, training, consents captured) to demonstrate compliance readiness.
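The consent and retention controls in the roadmap above are easier to reason about once they are expressed as code. The following is an added example, not taken from the article or from any DPDP tooling, of the smallest useful shape for those controls: an append-only consent register keyed by data principal and purpose, a processing gate that refuses any use without an active consent for exactly that purpose, withdrawal that is as simple as giving consent, and a sweep that deletes data once consent is withdrawn or the retention period has elapsed. It goes beyond the list above by also keeping an audit log, since the Rules require fiduciaries to be able to demonstrate what consent was captured and when. All class names, the `ConsentRegister` API, the 30-day retention period and the sample principals `p-1`/`p-2` are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """One consent event. Records are never deleted, only marked withdrawn,
    so the trail can be shown to an auditor or the Board."""
    principal_id: str
    purpose: str
    notice_version: str          # the notice text the principal actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class DataItem:
    principal_id: str
    purpose: str                 # the purpose this item was collected for
    value: str
    collected_at: datetime


class ConsentRegister:
    """Illustrative purpose-bound consent register (not a real product API)."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.consents: List[ConsentRecord] = []
        self.store: List[DataItem] = []
        self.audit_log: List[str] = []

    def _active(self, principal_id: str, purpose: str) -> Optional[ConsentRecord]:
        # Latest record for this principal/purpose wins; a withdrawn one means no consent.
        for rec in reversed(self.consents):
            if rec.principal_id == principal_id and rec.purpose == purpose:
                return rec if rec.withdrawn_at is None else None
        return None

    def give_consent(self, principal_id: str, purpose: str, notice_version: str, now: datetime) -> None:
        if self._active(principal_id, purpose) is not None:
            return                                   # already consented; do not duplicate
        self.consents.append(ConsentRecord(principal_id, purpose, notice_version, now))
        self.audit_log.append(f"{now.isoformat()} consent {principal_id} {purpose} notice={notice_version}")

    def withdraw_consent(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Withdrawal uses the same key as giving consent: one call, no extra steps.
        rec = self._active(principal_id, purpose)
        if rec is None:
            return False
        rec.withdrawn_at = now
        self.audit_log.append(f"{now.isoformat()} withdraw {principal_id} {purpose}")
        return True

    def collect(self, principal_id: str, purpose: str, value: str, now: datetime) -> None:
        if self._active(principal_id, purpose) is None:
            raise PermissionError(f"no active consent for {principal_id}/{purpose}")
        self.store.append(DataItem(principal_id, purpose, value, now))
        self.audit_log.append(f"{now.isoformat()} collect {principal_id} {purpose}")

    def process(self, principal_id: str, purpose: str, now: datetime) -> List[str]:
        """Gate every use on an active consent for exactly this purpose (purpose limitation)."""
        if self._active(principal_id, purpose) is None:
            raise PermissionError(f"no active consent for {principal_id}/{purpose}")
        self.audit_log.append(f"{now.isoformat()} process {principal_id} {purpose}")
        return [d.value for d in self.store
                if d.principal_id == principal_id and d.purpose == purpose]

    def sweep(self, now: datetime) -> int:
        """Delete items whose consent was withdrawn or whose retention period has elapsed."""
        keep, dropped = [], 0
        for item in self.store:
            expired = now - item.collected_at >= self.retention
            consented = self._active(item.principal_id, item.purpose) is not None
            if expired or not consented:
                dropped += 1
                self.audit_log.append(f"{now.isoformat()} delete {item.principal_id} {item.purpose}")
            else:
                keep.append(item)
        self.store = keep
        return dropped


def run_demo() -> Dict[str, object]:
    """Walk through the lifecycle with two constructed principals; returns the observable results."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegister(retention=timedelta(days=30))
    for pid, addr in (("p-1", "12 Example Road"), ("p-2", "7 Sample Street")):
        reg.give_consent(pid, "order_fulfilment", "notice-v1", t0)
        reg.collect(pid, "order_fulfilment", addr, t0)

    try:                                             # marketing was never consented to
        reg.process("p-1", "marketing", t0)
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True

    fulfilment_values = reg.process("p-1", "order_fulfilment", t0 + timedelta(days=1))
    reg.withdraw_consent("p-1", "order_fulfilment", t0 + timedelta(days=2))
    return {
        "marketing_blocked": marketing_blocked,
        "fulfilment_values": fulfilment_values,
        "deleted_on_withdrawal": reg.sweep(t0 + timedelta(days=2)),    # p-1's item
        "deleted_before_expiry": reg.sweep(t0 + timedelta(days=10)),   # nothing yet
        "deleted_on_expiry": reg.sweep(t0 + timedelta(days=30)),       # p-2's item
        "items_left": len(reg.store),
        "audit_entries": len(reg.audit_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two design points worth carrying into a real system are that the purpose is stored on the data item itself, so the gate can be checked at the point of use rather than at collection only, and that withdrawal is an event in the same ledger as the grant, which is what lets the sweep and the audit trail both follow from one source of truth.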
Conclusion
India’s DPDP Act represents a landmark shift in data governance, but its success hinges on industry readiness. As of 2026, most companies are not yet compliant, largely due to a mixture of regulatory uncertainty, technical debt, and organizational inertia. This reality does not bode well once enforcement begins.
However, there is still time to close the gap. By following a clear roadmap – starting with mapping and governance today, and building and deploying systems before the May 2027 deadline – organizations can turn DPDP from a looming threat into an opportunity to strengthen trust and competitiveness. Those who wait may face an abrupt scramble under the threat of heavy fines.