NEW DELHI (India CSR): As India transitions from policy making to on-ground implementation of the Digital Personal Data Protection Act (DPDP Act), EY India’s latest report, India’s digital privacy crossroads: Understanding the DPDP Act’s impact and enterprise readiness, reveals a clear momentum toward compliance, but also underscores significant gaps in operational readiness across sectors. The report also highlights that while awareness of the DPDP Act and Rules is growing, the depth of understanding and maturity of implementation remains highly uneven.
The survey indicates that close to 71% of respondents have limited understanding of the Act and the Rules, highlighting that knowledge gaps persist not only at operational levels but also within leadership cohorts. Industry-wise insights indicate a staggered initiation of the DPDP journey across sectors. Consumer, retail and e-commerce emerge at the forefront, with 50% of respondents stating that they have initiated their DPDP journey. Technology services follow at 38.8%, while 34.7% of financial services firms report having taken initial steps. Metals, mining and energy remain relatively behind, with only 20% of respondents indicating progress. Healthcare and life sciences record the lowest momentum, with just 9.9% of organisations having initiated their DPDP journey.
Across organizations, awareness is strongest within legal, risk, cybersecurity and technology functions, while business operations, HR, finance and manufacturing teams show significantly lower levels of understanding, despite handling personal data on a day-to-day basis. This functional disparity points to a critical need for organization-wide privacy education and cross-functional ownership of DPDP compliance.
From a readiness perspective, the survey indicates that 48% of organizations have initiated gap assessments, making it the most common first step toward compliance. However, only about 44% have progressed in documenting data processing procedures, close to 38% are currently categorizing personal data, and a similar proportion have identified third-party vendors handling personal data. However, nearly 80% of organizations have not updated or drafted DPDP-aligned privacy policies or established governance frameworks, and over 83% have not initiated end-to-end implementation of DPDP requirements across systems and processes.
Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, said, “The DPDP Act has moved decisively from interpretation to execution. Our survey clearly shows that while organizations recognize the importance of data privacy, many are still early in their operational journey. The next phase will require enterprises to go beyond assessments and embed privacy into governance, systems and culture. Those that treat DPDP compliance as a structural transformation rather than a regulatory checkbox will be far better positioned to build trust, resilience and long-term competitive advantage.”
The survey identifies key challenges expected to hinder DPDP implementation. Nearly 77% point to the lack of ability to adopt privacy technology such as consent management, data discover and rights fulfilment, in legacy environment. About 76.4% indicate limited access to subject-matter expertise. While, 71% of respondents cite difficulty in understanding and interpreting the Act, over 58.8% cross-border data transfer complexities continue to pose challenges and 45.3% highlight financing and budget constraints.
The report also highlights that privacy is fast emerging as a strategic business imperative rather than a compliance obligation. With the DPDP Rules now notified and the compliance window till May 2027, organizations can no longer afford a wait-and-watch approach. Enterprises that proactively modernize data governance, strengthen consent and rights-management frameworks, and build audit-ready, privacy-by-design systems will not only meet regulatory expectations but also help shape a more trusted and sustainable digital economy for India.
(India CSR)
