The government has formally switched on India’s long-awaited Digital Personal Data Protection (DPDP) regime, notifying a phased enforcement schedule that gives businesses 1, 12 or 18 months to comply with different layers of the law. While the staggered rollout provides some breathing room, experts across legal, consulting and technology sectors warn that companies must begin overhauling their data architecture, breach-readiness, consent flows and security posture now if they hope to meet the strict timelines.
Under the notification, the Data Protection Board has effectively been operationalised, and several provisions, such as breach reporting norms, parental consent requirements, and minimum security controls, come into force immediately. Registration timelines for consent managers are set at 12 months, while the heaviest obligations, including privacy notices, data transfer rules, significant data fiduciary (SDF) criteria, security safeguards and children’s data processing, take effect over the next 18 months.
‘A Critical Juncture’ for Organisations
Mayuran Palanisamy, Partner at Deloitte India, called the notification a defining moment for businesses: “The establishment of a definite enforcement timeline signals a critical juncture. The DPDP rules emphasise the creation of a Data Protection Board and outline obligations on breach reporting, parental consent, consent manager frameworks, SDF classification, and prescriptive security safeguards.”
He cautioned that compliance cannot be treated as a checklist exercise. “Achieving compliance will require a continuous and strategic effort,” he said, adding that organisations must integrate privacy, security and governance at the foundational level—across system design, culture, processes and training.
‘From Compliance to Leadership’
Ashok Hariharan, CEO and Co-Founder of IDfy, described the rollout as a watershed moment for India’s privacy ecosystem.
“It isn’t simply about meeting obligations—it’s about redefining how we honour the trust placed in us by every individual,” he said.
He stressed that companies need to move beyond the mindset of “Can we comply?” to “How will we lead?”, calling for systems where consent is embedded by design and breach-readiness is built into infrastructure. “With the launch of the DPDP Act, the government has redeemed its pledge to guarantee privacy as a constitutional right,” he added.
Businesses Get Breathing Room — But Not Much
Supratim Chakraborty, Partner at Khaitan & Co., noted that the government has given businesses 18 months to comply with many of the core provisions.
“This staggered approach gives vital breathing room, but companies must move quickly to identify and close compliance gaps before the obligations kick in,” he said.
He added that privacy notices, transfer obligations, security safeguards, and children’s data handling will require significant investment and internal restructuring.
Shardul Amarchand Mangaldas & Co. partner Shahana Chatterji echoed that view, saying: “MeitY has provided much-needed clarity and an adequate transition period. Industry must now focus on alignment, while MeitY must offer the regulatory clarity that will inevitably be needed.”
Sonam Chandwani at KS Legal said that with the final DPDP Rules now notified, the compliance framework under the DPDP Act has formally moved from intent to enforcement. The staggered rollout gives industry limited breathing room, but the direction is clear: data fiduciaries must now operationalise consent mechanisms, overhaul privacy notices, implement verifiable grievance redressal, and adopt demonstrable security and retention protocols.
“Once the designated obligations become effective, non-compliance will no longer be a theoretical risk but an immediate exposure to statutory penalties. Practically, organisations should treat this notification as the trigger point to initiate audits, map data flows, and prepare for a regime where accountability is not a checkbox but an enforceable standard.”
‘Lean Conservatively in Compliance’ — Legal Red Flags Emerge
Siddharth Chandrashekhar, advocate at the Bombay High Court, pointed out that while some rules kick in immediately, others—such as consent manager registration and major obligations—surface in 12–18 months. He warned that companies must urgently update privacy notices, map personal data flows and build breach response capabilities.
He also flagged structural concerns:
- Criteria for Significant Data Fiduciary (SDF) classification remain vague
- Cross-border transfer approvals hinge on open-ended government discretion
- Some definitions around “reasonable safeguards” and “legitimate use” lack clarity
- Overlaps with CERT-In rules on breach reporting remain unresolved
He highlighted that the mandatory 72-hour breach reporting deadline could be “extremely challenging,” noting that understanding the full scope of a breach often takes more time.
SMEs, he cautioned, may struggle the most.
“Requirements like encryption, tokenisation, access logs and log retention demand significant infrastructure. The lack of reference to global standards like ISO 27001 leaves ambiguity around what counts as ‘reasonable security’.”
Cross-Border Uncertainty Looms
The biggest open question concerns cross-border data transfers.
“Government retains wide discretion on transfers, expanding the scope beyond what was originally contemplated,” Chandrashekhar said.
“With vague language around ‘restrictions notified by the Central Government’, businesses are left guessing.”
Experts agree that while the DPDP rules are well-intentioned and a major step forward, they will be practically challenging, especially for smaller and fast-growing companies without mature legal or security teams.
With the countdown now started, industry stakeholders say the next 18 months will be decisive. Businesses will have to map data flows, build stronger security layers, modernise consent systems, train staff, set up breach protocols and prepare for an intrusive compliance regime.
As Chandrashekhar put it: “Companies have 18 months—and they’ll need every day.”