Countdown to Compliance: How India Inc. is preparing for the DPDP Act

With less than two weeks to go before the Digital Personal Data Protection (DPDP) Act rules are notified, organisations across India are scrambling to move from policy intent to compliance reality.

While many have started building the foundations- appointing Data Protection Officers (DPOs), running data-mapping exercises, and embedding consent into daily processes- experts believe most efforts remain “in their infancy.”

Read more: DPOs in demand: DPDP draft rules push Meta, Kotak, GMR to seek Data Protection Officers

“Companies may have prepared to the extent possible, for instance carrying out data mapping exercises to understand how data is treated and shared across the organisation and externally. But since they still don’t know the final form of the rules, compliance is at an early stage,” said Meghna Bal, Director, Esya Centre.

While the Act does not explicitly mandate all data fiduciaries to appoint a DPO, companies processing large amounts of personal data (significant data fiduciary, or 'SDF') must appoint a DPO, the draft suggests.

Storyboard18 earlier reported how firms including Meta, Kotak Mahindra Bank, GMR Group and Cars24 are on the lookout to onboard DPO to ensure compliance across all departments, particularly in data collection, processing, and storage. Consulting firms, including Tsaaro Consulting and EY, are also looking to hire DPOs for their various clients.

Read more: DPDPA rules to be notified in 10 days but journalists warn of threat to press freedom

Meanwhile, some firms are using the waiting period strategically.

The absence of final rules has slowed down industry-wide implementation, which does reduce the immediate effectiveness of the Act. That said, the Act has already created a strong directional push, compelling organisations to rethink data practices, even if not yet enforceable in full, shares Tarun Wig, Co-Founder & CEO, Innefu Labs.

Innefu Labs has adopted a “compliance-first, innovation-aligned” approach, building flexible systems that can adapt once rules are finalised, while ensuring no compromise on data privacy in the interim. This balance helps maintain business continuity without delaying innovation.

Amit Jaju, Senior Managing Director, Ankura Consulting, explained that his firm followed a “two-track plan”- implementing no-regret controls like security safeguards and breach readiness, while leaving configurable levers open for elements likely to shift, such as breach timelines or consent manager accreditation.

“We’ve rolled out layered notices, appointed a board-reporting DPO, and set up breach playbooks ready for activation once rules are final,” Jaju said.

Early movers in AI-led content are also embedding compliance into their core design.

Dipankar Mukherjee, Co-Founder & CEO, Studio Blo, said his startup has made consent non-negotiable from the beginning, even developing what he calls “the world’s first ethical Celebrity Cloning OS.”

While he currently plays the role of DPO himself, reporting to a Board of AI Ethics chaired by filmmaker Shekhar Kapur, Mukherjee expects to appoint a dedicated officer as operations expand.

For many, compliance is being reframed as opportunity.

Aryan Anurag, Co-Founder, Binge Labs, said his company treats the DPDP Act not as a tick-box exercise but as a way to strengthen transparency and trust. “We’ve tightened consent practices, reduced data retention, and ensured vendors follow the same standards. This way, the transition feels like a continuation rather than a disruption.”

Compliance service providers, too, are gearing up.

Pratik Vaidya, MD, Karma Management Global Consulting Solutions, said his firm has designed phased roadmaps for clients, emphasising data mapping, gap assessments, and embedding privacy-by-design.

“Most organisations are appointing DPOs, building stronger consent systems, and updating retention and breach protocols. We help them bridge regulation with practical application,” Vaidya said.

Even SMEs with limited resources are preparing in piecemeal ways.

Nikhil Jhanji, Senior Product Manager at IDfy, pointed to tools like Privy, which operationalise privacy by design in daily workflows. “We see the Act as an opportunity for enterprises to build trust, not just as a burden,” he said.

Read more: DPDP Act: Landmark data protection law expected by September 28

The common thread? While preparedness levels vary, from multinationals to scrappy startups, most agree the next 4–8 weeks will be a sprint window.

As Jaju put it, “This is the moment to freeze risky changes, complete data inventories, and pre-stage consent-compliance templates- so companies can hit the ground running the day rules are notified.”