DPDP Act and Rules: A ticking compliance timeline
Prashant Phillips, Executive Partner
Sameer Avasarala, Principal Associate
The Digital Personal Data Protection Act, 2023 (‘DPDPA’) and the Digital Personal Data Protection Rules, 2025 (‘Rules’) were published in the Gazette in November 2025. The final implementation of the Rules is slated to commence in November 2026 (in respect of the Consent Manager provisions) and May 2027 (in respect of all other provisions of the law), with certain media reports[1] anticipating a reduction of the said timeline to November 2026.
As a law with cross-sectoral implications, organizations across different industries have begun to take proactive measures to commence scoping and other compliance activities. Such exercises aim to not only better understand legal requirements but also architect policies and governance frameworks on the basis of such scoping. That said, a large number of organizations and enterprises have yet to commence this crucial activity.
As we move past the 12 (twelve) month timeline to compliance, it is relevant to identify critical compliance requirements, dispel common misconceptions on the DPDPA and outline a compliance approach that organizations may adopt.
Dispelling some common misconceptions
As more and more organizations chart their compliance activity, various misconceptions have come to the fore. We outline below some of the common misconceptions and clarify the legal requirements around the same.
Misconception #1: DPDPA applies only to organizations that are B2C facing
The law does not distinguish between B2B and B2C enterprises and applies to all organizations regardless of such distinction. Considering that organizations (even those that do not operate in a retail setting) may still handle large volumes of personal data (such as that of employees, customers, vendors and their representatives), the law applies with equal force to all such processing. B2B organizations, therefore, must also commence compliance activity and focus on scoping, policy framing and other compliance activity.
Misconception #2: Compliance is an IT-department exercise
Compliance activity is not specific to the Information Technology / Information Security functions. It is important to recognize that various departments (such as HR, Procurement, Sales and Marketing) collect or process different datasets (such as employee data or vendor data). Therefore, DPDP compliance must remain participative across different functions and departments, all of which may have to provide responses, participate in interviews and refine their processing practices in alignment with the law.
Misconception #3: Consent is always required before processing of data
Consent is an important ground for processing personal data under the DPDPA; however, the law also enables the processing of personal data for certain ‘legitimate uses’ without consent. Such grounds may include instances where data is provided voluntarily (and is proposed to be processed for that purpose), processing for employment purposes, processing in health or emergent situations, or processing for other State purposes.
Consequently, organizations must evaluate datasets processed, purposes of processing, processing activities and assess if consent is required for a specific processing activity. This exercise is critical to the compliance objectives of an organisation.
Misconception #4: Consent alone is sufficient to demonstrate compliance
The DPDPA has a host of legal requirements which relate to collection and processing of personal data including notice, engagement of processors, reporting of data breaches, implementing reasonable security safeguards, technical and organisational measures, storage limitation, grievance redressal, cross-border transfer restrictions to name a few.
While seeking valid consent (where relied upon) is one of the requirements, such requirement by no means is the sole compliance obligation. Various other obligations (as highlighted above) would have to be met through a combination of policy measures, SOP implementations, technical tools and measures, governance mechanisms and other means to fully implement the DPDPA and Rules.
Misconception #5: DPDPA is a one-time assessment and implementation project
Compliance with the DPDPA is not a one-time assessment and implementation project but requires ongoing support and advisory through various phases of compliance. While a compliance exercise may be conducted ahead of the implementation timeline of the law, it must be recognized that compliance is ongoing.
This ongoing nature of compliance is reflected in periodic audits, assessments and adherence to policy at various stages and in different ways, ranging from vendor onboarding and periodic internal audits to impact assessments when undertaking new processing activities or implementing new systems or projects.
Misconception #6: We may undertake DPDP compliance after enforcement
It is pertinent to note that the 18-month timeline (i.e., around May 2027) is intended to allow a smooth transition and ensure alignment of policies, processes and systems with the DPDPA. This necessitates that organizations undertake data mapping, inventory preparation, policy drafting, implementation exercises, training and sensitization, and other preparedness measures, all of which contribute not only to legal compliance but also help in building stakeholder trust and in instilling a privacy culture in the organization.
Approaching compliance
As deadlines approach, organisations must endeavour to swiftly architect a compliance approach, identify milestones and undertake necessary measures, considering the time-intensive nature of the process. Given that a ‘one-size-fits-all’ approach may not befit every organization, compliance must focus on the following:
1. Data Mapping and Inventory: The first and most critical step for every organisation is to conduct thorough data mapping and inventory exercises. This involves liaising with relevant departments and functions to map collected datasets, purposes of processing, third parties (or other departments) with whom data may be shared, and the processing activities conducted in respect of such datasets.
In this regard, the preparation of appropriate data maps, inventory sheets and a record of processing activities (RoPA) will give the organisation a clearer view of its data processing landscape and help in mapping the associated compliance requirements.
2. Gap Assessment: Organisations must assess and analyse the outcome(s) of the scoping exercise to map and identify gaps in compliance. This gap assessment will not only bring clarity on the legal requirements, but also better present the compliance posture to senior management and other stakeholders and enhance transparency.
3. Policy, Contract and Notice Review: Yet another important cornerstone of the compliance exercise is policy and notice review. Organizations must focus on reviewing existing internal policies, preparing privacy notices, consent forms and associated documentation, the SOPs implemented and other relevant aspects. Such processes and policies will help in crystallizing compliant practices.
In addition to policies, review of existing contracts entered into with internal and external stakeholders and developing standardized approaches for future engagements would also be highly useful to ensure data flows, as contemplated in assessments, are backed by appropriate and robust documentation.
4. Platform Compliance: Organizations must enlist and assess the digital tools and platforms implemented, including owned and third-party platforms deployed by them which may collect or handle personal data. This may necessitate UI/UX review, evaluating notice and consent methodologies (as appropriate) and implementing necessary remedial measures for alignment with the DPDPA and Rules.
5. Consent Methodology: Consent forms an important cornerstone in data protection compliance and may require organizations to adopt appropriate consent methodologies that may demonstrate the free, specific, informed, unconditional and unambiguous consent threshold of the DPDPA, and more so for ‘verifiable parental consent’.
This may require a review of consent practices, of logs for consent and notice, and of the associated requirements that contribute to demonstrating compliance. Such a consent methodology, coupled with integration with Consent Managers and requests for consent (which are to be made available in regional languages at the option of the Data Principal), makes consent management a challenging area for organizations.
6. Process and Culture: While documentation builds compliance posture, a sizeable portion of compliance is driven by a privacy-first and compliance culture in organizations. This may be achieved through well-defined SOPs and processes which translate policies into actionable controls, as well as through periodic training, sensitization and other hands-on exercises that play a key role in filling this compliance gap.
As we move past the twelve-month compliance deadline, organizations, regardless of their nature of business or sector, must prioritize visibility and data mapping exercises, and conduct gap assessments to assess legal requirements against their current compliance posture. While compliance exercises may form the first line of preparedness, entities must conduct periodic assessments, exercises, training and evaluate the strength of policies, processes and practices to actively foster a privacy compliance culture.
[The authors are Principal Associate and Executive Partner, respectively, in Data Protection and TMT practice at Lakshmikumaran & Sridharan Attorneys]
[1] DPDP compliance timeline may be cut to 12 months - Business News | The Financial Express