India's Digital Personal Data Protection (DPDP) Act is set to usher in a new era of data governance, and with roughly a year left before the compliance deadline, businesses are being urged to shift from planning to execution. Full compliance with the law, including obligations related to consent, privacy notices, and data security, will be required by May 13, 2027.
While many organisations have started preparing, experts say the biggest challenge is fundamentally changing how companies collect, manage, and protect personal data.
The countdown comes at a time when businesses are increasingly relying on customer data to drive digital services,
artificial intelligence (AI), and personalised experiences.
The biggest hurdle: Knowing where your data is
"A major challenge will be gaining complete visibility into where personal data resides across the organisation," said Raghu Pareddy, CEO & Founder of Wissen Technology, an IT consulting and digital engineering services firm.
Over the years, organisations have accumulated data across legacy systems, cloud platforms, third-party vendors, and multiple business functions, often without a unified governance framework. As a result, experts believe many businesses still lack a clear picture of their data landscape.
Nikhil Narendran, Partner at Trilegal, echoed the concern, saying most companies will struggle with identifying the personal data they process before they can even begin working towards compliance.
Sachhin Gajjaer, Founder and CEO of Sattrix, a cybersecurity services provider, added that translating regulatory requirements into day-to-day operations will be particularly challenging for large organisations that manage personal data across multiple systems, vendors, and digital platforms.
The awareness gap also remains significant. According to EY's India's Data Privacy Shift: Steering the DPDP Compliance and Readiness report released earlier this year, nearly 70 per cent of surveyed professionals said they were not very familiar with the DPDP Act and Rules. This highlights that awareness itself remains a major hurdle before organisations can operationalise compliance.
Privacy can no longer be just an IT project
Experts agree that one of the biggest shifts over the next year needs to happen in the boardroom, rather than the server room.
Instead of leaving compliance to legal or IT teams, business leaders need to ask fundamental questions about why they are collecting customer data, whether they still need it, who owns it, and how long it should be retained.
Narendran told Business Standard, "Business leaders need to recognise that data protection will become a fundamental part of how business is conducted in India."
Similarly, Gajjaer said privacy should become part of everyday business decisions, with leadership ensuring that vendors and partners also follow the same standards.
The era of collecting 'just in case' data nears end
For years, many organisations adopted a "collect now, use later" approach to data. Experts say that the model is unlikely to survive.
"The starting point should no longer be, 'Can we collect this data?' It should be, 'Do we really need this data?'", Narendran said.
Companies are expected to become more disciplined about seeking informed consent, collecting only the data required for a clearly defined purpose, maintaining transparent privacy notices, and deleting information once it is no longer needed.
While these changes may initially require businesses to overhaul existing processes, Pareddy believes they will ultimately improve the quality of enterprise data and strengthen customer confidence.
What will a DPDP-ready organisation look like?
Experts say companies that are genuinely ready by the time the rules take effect will have privacy embedded across the organisation rather than bolted on at the last minute.
That means having:
- Complete visibility into what personal data is collected and where it resides
- Clear ownership and governance of personal data
- Robust consent management and grievance redressal mechanisms
- Well-defined retention and deletion policies
- Regular audits, employee training, and tested incident response plans
- Privacy integrated into product design and business decision-making
Privacy could become a competitive advantage
While avoiding regulatory penalties is a key objective, experts argue that businesses should see DPDP as an opportunity rather than a burden.
"In today's world, trust has become a key differentiator," Pareddy said, noting that customers, investors, and business partners increasingly favour organisations that demonstrate transparency and accountability in handling personal data.
Gajjaer said strong privacy practices also improve data governance, operational efficiency, and decision-making, while reducing business risks.
Narendran added that organisations which treat privacy as a trust-building exercise rather than simply a regulatory obligation will be better placed to strengthen customer relationships and differentiate themselves in an increasingly digital economy.
With the compliance deadline now in sight, experts agree that the coming months will be less about adopting new tools and more about transforming how organisations think about personal data.