What DPDP Actually Requires — And What Most Organisations Are Getting Wrong

India’s Digital Personal Data Protection Act has been notified. The rules are being finalised. And yet, when I speak to compliance officers and business leaders across sectors, a surprisingly large number are still treating DPDP as a future problem — something to address once the rules are fully published, once the Data Protection Board is constituted, once there is more regulatory clarity.

That approach carries real risk. Here is why — and what the law actually requires right now.

The law is already in force

The DPDP Act received presidential assent in August 2023. While subordinate rules are still being finalised, the Act itself is in force. Organisations that wait for complete regulatory clarity before beginning their compliance work will find themselves under significant time pressure when enforcement begins. The compliance infrastructure — consent frameworks, data mapping, privacy notices, grievance mechanisms — takes time to build. Starting late is not a neutral choice.

What the law actually requires

At its core, DPDP establishes obligations for any entity (a Data Fiduciary) that collects and processes the personal data of individuals in India. The key requirements include:

Consent and notice. Personal data can generally only be processed with the consent of the data principal. That consent must be accompanied by a clear, plain-language notice explaining what data is being collected, why, and how it will be used. Bundled consent hidden inside terms and conditions will not be sufficient.

Data principal rights. Individuals have the right to access their data, correct inaccuracies, and erase data in certain circumstances. Organisations must have mechanisms in place to receive and respond to these requests within defined timelines.

Data fiduciary obligations. Organisations must implement reasonable security safeguards, ensure data is used only for the stated purpose, and delete data once that purpose is fulfilled. There is no longer a default right to retain personal data indefinitely.

Breach notification. In the event of a data breach, both the Data Protection Board and affected data principals must be notified. The obligation is triggered by any breach that is likely to cause harm — the threshold is not limited to catastrophic incidents.

Significant Data Fiduciaries. Certain organisations may be designated as Significant Data Fiduciaries based on volume, sensitivity, or risk profile. These entities will face additional obligations including the appointment of a Data Protection Officer, periodic audits, and Data Protection Impact Assessments.

Where organisations are going wrong

The most common gaps I see are not in intent — most organisations want to be compliant. The gaps are in execution.

Consent mechanisms that do not meet the standard. Many organisations have consent checkboxes that are pre-ticked, buried in lengthy documents, or that bundle multiple purposes together. DPDP requires specific, informed, and unambiguous consent for each processing purpose.

No data inventory. You cannot protect data you have not mapped. A significant number of organisations — including listed entities — do not have a current, accurate record of what personal data they hold, where it sits, who has access, and how long it is retained. Without this foundation, everything else is guesswork.

Grievance mechanisms that are not functional. The Act requires a functioning grievance redressal mechanism. In practice, many organisations have a generic contact email that routes into an inbox nobody monitors. That will not meet the standard.

Training that is treated as a checkbox. Privacy compliance is not just a legal function. It affects every team that touches customer data — which in most organisations means HR, IT, marketing, sales, and operations at a minimum. Role-based training, delivered to the people who actually handle data, is a legal requirement and a practical necessity.

Where to start

If your organisation has not yet begun its DPDP compliance work, the most valuable first step is a gap assessment. Map what personal data you collect, how you collect it, what consents you have, and what mechanisms exist for data principal rights. That baseline will tell you exactly where the work is and how long it will realistically take.

If you have started but are unsure whether your current program meets the standard, a structured audit of your consent framework, data inventory, and incident response capability will surface the gaps quickly.

DPDP compliance is not a one-time project. It is a governance function that needs to be embedded into how your organisation operates. The organisations that understand this early will be in a fundamentally different position when enforcement begins.
