India’s Digital Personal Data Protection Act (DPDP Act), 2023, represents a
landmark shift in the country’s approach to data privacy, establishing a
comprehensive framework to protect personal data while enabling lawful
processing. Enacted on August 11, 2023, following the Supreme Court’s 2017
Puttaswamy judgment recognizing privacy as a fundamental right, the act is set
for full enforcement from July 2025. As the deadline approaches, Indian
companies are in a race to comply, focusing on two critical requirements:
appointing Data Protection Officers (DPOs) and implementing robust consent
management systems. This article explores how businesses are navigating these
mandates, the challenges they face, and the opportunities for building consumer
trust in India’s evolving digital landscape.
Understanding the DPDP Act
The DPDP Act applies to the processing of digital personal data within
India, whether collected online or digitized from offline sources, and extends
to entities outside India offering goods or services to Indian data principals.
Key obligations for data fiduciaries—entities determining the purpose and means
of data processing—include ensuring data accuracy, implementing security
safeguards, notifying the Data Protection Board of India (DPB) of breaches, and
erasing data when no longer needed. The act also allows data transfers outside
India, except to restricted countries, and includes exemptions for activities
like crime prevention and government processing for security purposes.
A notable feature is the use of “she/her” pronouns in the legislation, a
first in Indian parliamentary acts, signaling a progressive approach to
inclusivity. The establishment of the DPB as the enforcement authority, with
the Telecom Disputes Settlement and Appellate Tribunal as the appellate body,
underscores the act’s robust regulatory framework.
The Role of Data Protection Officers
Significant data fiduciaries (SDFs), identified by the government based on
the volume and sensitivity of data processed, face additional compliance
requirements, including the mandatory appointment of a DPO based in India. The
DPO is responsible for overseeing compliance, conducting data protection impact
assessments, and ensuring adherence to the act’s provisions. Major
corporations, such as Meta, Muthoot Fincorp, and Fynd (Shopsense Retail Tech),
are actively recruiting DPOs to manage sensitive personal data, reflecting a
broader trend across sectors like e-commerce, technology, and finance.
The rush to appoint DPOs highlights a critical challenge: a shortage of
skilled professionals. A 2023 EY survey revealed that 50% of organizations lack
the necessary expertise to implement the DPDP Act, with many considering
outsourcing to bridge the gap. The DPO’s role is pivotal, requiring not only
technical knowledge but also an understanding of legal and regulatory nuances,
making recruitment a competitive endeavor.
Implementing Consent Architecture
Consent is the cornerstone of the DPDP Act, with Section 6 mandating that it
be free, specific, informed, unconditional, and unambiguous, demonstrated
through clear affirmative action. This rules out implied consent, pre-ticked
boxes, or bundled permissions. For children and persons with disabilities,
verifiable consent from parents or legal guardians is required, adding
complexity to compliance efforts.
To meet these requirements, companies are developing consent management
systems (CMS) to streamline the process of obtaining, managing, and documenting
user consent. In June 2025, MeitY released a Business Requirement Document for
Consent Management, outlining components like consent lifecycle management,
user dashboards, notifications, and grievance redress mechanisms. These systems
ensure that data principals can easily give, review, or withdraw consent,
enhancing transparency and control.
For example, e-commerce and tech companies, which handle vast amounts of
personal data, are revamping their platforms to include user-friendly consent
interfaces. However, technical implementation remains a hurdle, with 32% of organizations
in the EY survey anticipating challenges in building these systems. The act’s
emphasis on consent also necessitates consumer education, as many users are
unaware of their rights or find privacy notices too complex.
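The consent properties described above (one purpose per consent, a clear affirmative action rather than a pre-ticked box, verifiable guardian consent for children, and withdrawal that is as easy as the grant with a record the principal can review) can be modelled as a small consent ledger. This is an added example written for this article, not code from MeitY's Business Requirement Document or from any vendor's CMS; the purpose catalogue and the `affirmative_action` attestation flag are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}  # constructed catalogue (assumption)

@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                        # one purpose per record: no bundled permissions
    notice_version: str                 # privacy notice shown at grant time ("informed")
    granted_at: datetime
    guardian_id: Optional[str] = None   # verifiable guardian consent for a child
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []  # append-only: withdrawals keep history
    def grant(self, principal_id: str, purpose: str, notice_version: str, *,
              affirmative_action: bool, is_child: bool = False,
              guardian_id: Optional[str] = None) -> ConsentRecord:
        # Silence or a pre-ticked box is not consent: the caller attests to a clear
        # affirmative action by the principal (or guardian) for this one purpose.
        if not affirmative_action:
            raise ValueError("consent needs a clear affirmative action")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must be specific")
        if is_child and guardian_id is None:
            raise ValueError("a child's consent must come from a verifiable guardian")
        rec = ConsentRecord(principal_id, purpose, notice_version,
                            datetime.now(timezone.utc), guardian_id)
        self.records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> bool:
        # Withdrawal must be as easy as the grant; the record stays as the audit trail.
        for rec in self.records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)
                return True
        return False

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        # Processing gate: only an unwithdrawn consent for this exact purpose allows it.
        return any(r.principal_id == principal_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.records)

    def dashboard(self, principal_id: str) -> list[tuple[str, str]]:
        return [(r.purpose, "withdrawn" if r.withdrawn_at else "active")
                for r in self.records if r.principal_id == principal_id]
```

A real CMS would persist the ledger and expose `dashboard` and `withdraw` to the data principal; `is_permitted` is the check every processing path should call before touching the data.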
Industry Readiness and Challenges
Surveys paint a concerning picture of readiness. A 2024 PwC India survey
found that only 9% of 186 organizations surveyed have a comprehensive
understanding of the DPDP Act, while 80% anticipate compliance challenges,
particularly in the manufacturing sector. The banking, financial services, and
insurance (BFSI) and technology, media, and telecom (TMT) sectors are
relatively better prepared due to existing regulatory frameworks. Additionally,
64% of organizations have not planned initiatives to educate employees about
data privacy, indicating a gap in internal awareness.
Consumer awareness is equally low, with only 16% of 3,233 consumers across
24 cities aware of the DPDP Act, according to PwC. Alarmingly, 56% are unaware
of their data rights, and 69% do not know they can withdraw consent. This lack
of awareness complicates compliance, as businesses must not only implement
technical solutions but also educate users to ensure informed consent.
The Confederation of Indian Industry (CII) and Protiviti’s survey further
highlighted sector-specific challenges, noting that while the act addresses
significant privacy concerns, readiness varies widely. Technical
infrastructure, skill shortages, and the complexity of consent management
systems are recurring issues, particularly for smaller enterprises.
Opportunities for Businesses
Despite these challenges, compliance with the DPDP Act offers significant
opportunities. The PwC survey revealed that 44% of consumers are willing to pay
a premium for services that prioritize data protection, and 42% of
organizations see compliance as a chance to build trust. Companies that invest
in robust data protection frameworks can differentiate themselves in a
competitive market, particularly in sectors like e-commerce and technology,
where consumer trust is paramount.
Moreover, the act’s alignment with global standards, such as the EU’s
General Data Protection Regulation (GDPR), positions compliant Indian
businesses favorably in international markets. By leveraging technology, such
as AI-driven consent management tools and cybersecurity solutions, companies
can streamline compliance while enhancing operational efficiency.
Best Practices for Compliance
To prepare for DPDP Act enforcement, businesses should consider the
following steps:
| Action | Description |
|---|---|
| Appoint a DPO | Identify and recruit a qualified DPO based in India, particularly for SDFs, to oversee compliance and liaise with the DPB. |
| Develop Consent Systems | Implement a CMS that ensures consent is explicit, informed, and revocable, with user-friendly interfaces and robust documentation. |
| Conduct Training | Educate employees and consumers about data privacy rights and obligations to bridge the awareness gap. |
| Perform Data Audits | Regularly audit data processing activities to ensure accuracy, security, and compliance with storage limitations. |
| Engage Stakeholders | Collaborate with industry bodies and consultancies to stay updated on regulatory developments and best practices. |
Conclusion
As the DPDP Act’s enforcement begins in July 2025, Indian companies are in a
critical phase of preparation, racing to appoint DPOs and implement consent
architecture. While challenges like skill shortages and low awareness persist,
proactive compliance can transform data protection into a strategic asset. By
prioritizing transparency, investing in technology, and fostering consumer
trust, businesses can not only meet regulatory requirements but also position
themselves as leaders in India’s digital privacy era.