DPDP Act phased rollout exposing compliance gaps: Privacy experts

Newspoint
Even as the Ministry of Electronics and Information Technology (MeitY) evaluates the feedback it has received on compressing the compliance timelines of the Digital Personal Data Protection (DPDP) Act, privacy technology firms, consultants, and identity platforms have warned that companies, especially startups and mid-sized enterprises, are misreading key compliance milestones and risking non-compliance.

Executives across the privacy ecosystem told ET that organisations are over-focusing on surface-level compliance such as consent banners and legal documentation, while underestimating the operational overhaul required to meet the law’s substantive obligations.

Redacto, a full-stack privacy and data governance platform, said one of the most common mistakes it observed was the assumption that existing privacy policies and consent flows are adequate.

“Rule 3 of the DPDP Rules is explicit: privacy notices must stand alone, be clearly understandable, and provide an itemised description of the personal data collected and the specific purposes for processing,” said Amit Kumar, co-founder and chief executive of Redacto. “Most startups assume their current privacy policy ticks this box. It doesn’t.”

Firms are also struggling with a more fundamental challenge: knowing where personal data actually resides.

FRS Labs, which specialises in digital identity verification and privacy solutions, said organisations are treating gap analysis as a finish line rather than a starting point.

“Most fiduciaries believe that gap analysis and inputs from application heads are enough to identify where Personally Identifiable Information (PII) sits,” said Shankar P, chief executive of FRS Labs. “In reality, many systems pre-date current teams, mergers, or acquisitions. Very few people truly know what is in every system.”

He compared the process to customs inspections. “Manual checks are like opening a suitcase and guessing what’s inside. Only a full scan reveals hidden risks,” he said.

IDfy, an integrated identity and fraud prevention platform, warned that many organisations are misreading the 12–18-month period before enforcement as a grace period.

“The notification of the DPDP Rules is being mistaken for the compliance milestone,” said Malcolm Gomes, chief operating officer at IDfy. “This window is not a buffer after which compliance begins. It is the time required to build compliance.”

According to Gomes, DPDP readiness demands months of groundwork: mapping data flows across the organisation and vendors, assigning ownership, embedding controls into live systems, and defining escalation paths.

“By the time enforcement begins, regulators will assume these capabilities already exist,” he said. “If you’re still preparing then, you’re already non-compliant.”

He added that consent has been over-indexed, while data governance obligations such as retention, minimisation, deletion, and downstream sharing remain under-examined.

Grievance redressal, too, is often treated as a backend form rather than a time-bound, outcome-driven regulatory obligation, with strict timelines of up to 90 days.

Vendor risk is another weak spot. “Updating contracts is not the same as operational oversight,” Gomes said. “Data fiduciaries remain accountable for processor negligence. Most organisations cannot clearly explain how their vendors share data, enforce deletion, or enable data principal rights downstream.”

Consultants say awareness itself remains patchy. Rahul Garg, managing partner at Asire Consulting, said many companies are still unaware that the DPDP Rules, notified in November last year, made the law operational, even though it was enacted in August 2023.

“Stakeholders have limited understanding of the complex provisions, and there is a belief that 12 to 18 months is enough time to assess and implement compliance,” Garg said. “In reality, this is a mammoth exercise involving legal, finance, IT, HR, systems, policies, and training.”

He added that parallel regulatory initiatives, including the rollout of new labour codes, are diluting management attention. “The gap is at the planning stage itself,” Garg said. “That will translate into pressure, rushed implementation, and compliance gaps at the fag end.”

As enforcement nears, industry experts agree on one point: DPDP compliance is not a documentation exercise but a multi-year operational transformation. Companies that treat it otherwise may discover, too late, that the milestone they thought they had crossed was only the starting line.