India's Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent in August 2023. The Act itself has been notified, but the subordinate rules that will determine timelines, obligations, and penalties have not yet been finalised. That gap has created uncertainty - and, in some organisations, a false sense that preparation can wait.
It cannot. Here is why, and what a methodical readiness programme looks like.
What the DPDP Act Actually Requires
The Act is built around a straightforward principle: personal data about individuals (called "data principals" in the Act) may only be processed for a lawful purpose and with valid consent, or under one of the narrower legitimate uses defined in the legislation.
Unlike earlier draft iterations of Indian data protection law, the DPDP Act is relatively concise. It does not attempt to replicate the density of the GDPR. However, that conciseness does not make it simple. Several provisions carry significant operational weight.
Consent and notice. Every request for consent must be accompanied or preceded by a clear, plain-language notice stating what personal data is being collected and for what purpose, how the data principal can withdraw consent and exercise their other rights, and how they can complain to the Data Protection Board. Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the stated purpose. Pre-ticked boxes and consents bundled with unrelated purposes are not valid.
Data fiduciary obligations. Entities that determine the purpose and means of processing (data fiduciaries) carry the primary compliance burden. This includes maintaining data accuracy, implementing security safeguards, and erasing data when the purpose is served or consent is withdrawn.
Significant Data Fiduciaries. The government will designate certain organisations as Significant Data Fiduciaries based on factors such as the volume and sensitivity of the data they process and the risk to data principals' rights, electoral democracy, or state security. These entities will face enhanced obligations, including periodic data protection impact assessments and audits, the appointment of an independent data auditor, and the appointment of a Data Protection Officer based in India.
Data principal rights. Individuals have the right to obtain a summary of their data, correct inaccurate data, erase data, and nominate someone to exercise their rights if they are incapacitated. Organisations must establish grievance mechanisms to handle these requests.
Cross-border transfers. Personal data may be transferred outside India to any country except those the central government notifies as restricted. This negative-list approach - permitting transfers by default and blocking named jurisdictions - is the reverse of the GDPR's adequacy mechanism, and its practical implications are still being worked through. Stricter sector-specific requirements, such as the RBI's localisation mandate for payment system data, continue to apply alongside it.
Breach notification. Data fiduciaries must notify the Data Protection Board and each affected data principal of any personal data breach. The Act itself sets no materiality threshold, so every breach is in principle notifiable; the rules will define the form, content, and timelines of the notification.
Why "Wait for the Rules" Is the Wrong Posture
The rules will define specific timelines, consent mechanisms, and the process for data principal rights requests. But the structural requirements are already clear from the Act itself. Organisations that wait for the rules before beginning work will face a compressed implementation window.
Experience from other jurisdictions is instructive. GDPR enforcement began on 25 May 2018. Organisations that had not started work by late 2017 scrambled and, in many cases, implemented surface-level measures that did not survive scrutiny. India's data protection regulator - the Data Protection Board - is expected to be active early in the enforcement cycle. The penalties available under the Act (up to INR 250 crore for failing to maintain reasonable security safeguards, with lower caps for other contraventions) are material.
There is also a supply chain dimension. Organisations that process data on behalf of others (data processors in GDPR terms; the DPDP Act uses the same label) will face contractual pressure from their enterprise customers. The Act places responsibility for compliance on the data fiduciary regardless of any contract with, or failure by, its processors, so fiduciaries have every incentive to push obligations down the chain. Clients - particularly multinational companies with existing GDPR compliance programmes - will require processors to demonstrate DPDP readiness before they are willing to share Indian personal data.
What a Readiness Programme Looks Like
A pragmatic DPDP readiness programme has six phases. They do not all need to run sequentially, and the total effort depends heavily on how mature the organisation's existing data governance is.
Phase 1: Data inventory and mapping. You cannot protect what you do not know you have. The starting point is a structured inventory of every data collection touchpoint - web forms, mobile apps, contact centre systems, HR platforms, CRM databases - and a mapping of the data flows from collection through processing, storage, sharing, and deletion.
This work is typically the most time-consuming and the most revealing. Organisations routinely discover data stores they were not aware of, retention periods far longer than business need, and third-party data flows with no contractual basis.
Phase 2: Lawful basis assessment. For each processing activity identified in Phase 1, determine the lawful basis under the DPDP Act. Most commercial processing will rest on consent. The Act also lists a closed set of "legitimate uses" - data the individual has voluntarily provided for a specified purpose, compliance with a law or court order, medical emergencies and public health threats, employment-related processing, and certain state functions - that do not require consent and to which the Act's notice obligation does not attach. Note that there is no general "contractual necessity" or "legitimate interests" basis of the kind GDPR provides; processing that relies on those grounds in an EU programme will usually need consent in India.
Phase 3: Consent and notice remediation. Existing consent mechanisms almost certainly need to be reviewed and, in many cases, replaced. The DPDP Act's standard is higher than what most Indian organisations currently deploy. Cookie banners, registration forms, app permission dialogs, and customer contracts all need to be assessed against the Act's requirements.
Phase 4: Rights fulfilment infrastructure. Organisations must be capable of responding to data principal requests - summaries, corrections, erasures, and grievance escalations - within the timelines that the rules will set. For most organisations this requires a combination of process design, tooling, and training. For larger organisations, a dedicated rights request intake mechanism is necessary.
Phase 5: Security and breach response. The Act requires "reasonable security safeguards." While the Act does not specify technical standards, enforcement will likely reference ISO 27001, NIST CSF, or sector-specific standards from regulators such as SEBI, RBI, and IRDAI. Breach notification procedures need to be designed and tested before they are needed. Indian entities already carry CERT-In's 2022 obligation to report cyber incidents within six hours, so the DPDP notification workflow should be built onto that existing incident response process rather than run as a separate track.
Phase 6: Governance and documentation. Data protection impact assessments, records of processing activities, DPO appointment (for Significant Data Fiduciaries), and vendor contracts with appropriate data processing terms all need to be in place before enforcement begins.
The Overlap with Other Regulations
Many organisations operating in India already have compliance obligations under GDPR (for EU data subjects), PDPL (for Saudi data subjects), or sector-specific rules from RBI or SEBI. DPDP readiness work can be structured to leverage existing documentation and controls where applicable, reducing duplication.
However, organisations should be careful about assuming that GDPR compliance delivers DPDP compliance. There are material differences - particularly around the lawful basis framework, the consent architecture, and the cross-border transfer regime - that require India-specific analysis.
Getting Started
For most organisations, the right starting point is a structured gap assessment: measure current data protection practices against the DPDP Act's requirements and identify the remediation priorities. This assessment typically takes two to three weeks and produces a prioritised work plan.
From there, the pace of implementation depends on the organisation's risk tolerance and resource capacity. Organisations that process large volumes of consumer data, operate in regulated sectors, or have multinational clients should be aiming for substantial readiness before the rules are finalised.
The window for orderly preparation is still open. It will not stay open indefinitely.
A Note on Enforcement Posture
Early enforcement under new data protection legislation rarely begins with maximum-penalty action against large organisations. Regulators typically start with investigations into complaint-driven cases, use initial enforcement to establish interpretive precedent, and build toward more systematic supervision over time. This was the pattern with GDPR, and it is likely to be the pattern with DPDP.
However, this does not mean low-risk organisations can ignore readiness until enforcement picks up. Two things are true simultaneously: enforcement will start gradually, and the time required to implement a credible compliance programme is longer than most organisations expect. Starting late does not mean facing enforcement late - it means facing enforcement unprepared.
Organisations that complete a structured readiness programme before the rules are finalised will be in the best possible position when enforcement begins. Those that wait for the first enforcement action to provide clarification on scope or timelines will be playing catch-up in a compressed window with less guidance, not more.
The DPDP Act is a significant piece of legislation. It deserves a serious compliance programme, not a reactive one.
