Six Months Into India’s DPDPA Timeline – Why Many Organizations Still Aren’t Operationally Ready
India’s Digital Personal Data Protection Act (DPDPA) has moved beyond legal commentary and policy webinars. The implementation clock is already ticking.
Organizations effectively received an 18-month window to demonstrate compliance readiness. We are now roughly six months into that timeline, and across conversations with CISOs, architects, compliance leaders, privacy teams, HR stakeholders, and operational defenders, one pattern continues to emerge:
Many organizations still do not appear operationally prepared for what DPDPA compliance may realistically demand.
Outside sectors like BFSI, healthcare, retail, and logistics – where regulatory pressure already shaped some level of governance discipline – urgency still feels inconsistent.
And the problem is not purely technical.
In many cases, organizations are still misunderstanding what DPDPA readiness actually is.
DPDPA Is Not a Consent Management Project
One of the biggest misconceptions right now is the assumption that DPDPA readiness can largely be solved through consent management platforms, DLP deployments, updated privacy policies, governance documentation, and legal wording adjustments.
Those things matter. But DPDPA is not fundamentally a tooling exercise. It is a data lifecycle discipline problem.
The uncomfortable question many organizations still cannot answer consistently is:
“Why are we still storing this data?”
That question sounds simple until it reaches operational reality. Because the moment organizations start tracing personal data across HR systems, ticketing platforms, CRM exports, analytics environments, third-party vendors, archived mailboxes, spreadsheets, unmanaged shared drives, and historical backups – they often discover something uncomfortable:
Personal data exists everywhere, ownership is fragmented, and retention is mostly policy language rather than operational enforcement.
For years, enterprises aggressively optimized around the idea that data is the new oil. DPDPA introduces a very different operating pressure:
“Prove why this data still needs to exist.”
That changes the conversation entirely.
The Paperwork Trap
Another concerning pattern is the belief that organizations simply need enough documentation to demonstrate “reasonable compliance” if scrutiny eventually arrives.
Realistically, regulatory ambiguity will exist in early phases. That happens in almost every emerging compliance ecosystem. But many organizations already appear to be optimizing around defensibility, paperwork, audit narratives, minimum viable governance, and procurement-led compliance – instead of operational data discipline.
That distinction matters because DPDPA exposure is not limited to external breaches. A large portion of future privacy failures may emerge from excessive retention, internal oversharing, uncontrolled replication, stale datasets, unmanaged exports, and process-level negligence.
Penalties of ₹50 crore to ₹250 crore are often discussed casually in boardrooms and at conferences. But one phrase continues to get ignored:
“Per instance.”
Most organizations still mentally model privacy risk as one breach equals one penalty. Operational reality may not unfold that neatly.
A single uncontrolled recruitment workflow involving hundreds of rejected applicants – with data replicated across HR teams, recruiters, BGV vendors, archived mailboxes, and unmanaged spreadsheets – may not remain a single neat compliance issue once scrutiny begins. Especially if the organization cannot justify retention, prove deletion, trace downstream sharing, or consistently demonstrate purpose limitation.
The Scenario Few Organizations Are Taking Seriously
One of the least discussed DPDPA realities today is the risk surrounding HR and recruitment workflows.
Think about the average hiring process. Organizations routinely collect Aadhaar details, PAN information, personal addresses, salary records, educational documents, background verification data, references, identity proofs, and financial information.
Now combine that with operational reality: rejected candidates, offers never rolled out, abandoned hiring pipelines, third-party recruiters, BGV vendors, spreadsheets over email, unmanaged local copies, and indefinite retention.
The real question organizations should ask themselves:
“What happens when a disgruntled employee or unsuccessful applicant begins aggressively exercising their rights as a data principal?”
Because unlike external attackers, these individuals already know what data was collected, when it was shared, why it was requested, and which process handled it. That fundamentally changes the risk model. And most organizations are nowhere near operationally ready for that conversation.
DPDPA Is Also Exposing a Privacy Culture Problem
Perhaps the biggest gap is not technological. It is cultural.
A cybersecurity leader recently shared a candid example during a discussion. He requested employee names from a department, and HR forwarded an Excel sheet containing full names, Aadhaar numbers, PAN details, birth dates, marital status, employee IDs, and additional personal information. No malicious intent. No attacker. No malware. Just normalized over-sharing.
Indian organizations spent years building data-driven cultures without simultaneously building privacy-conscious cultures. That gap is now becoming visible.
Most enterprises successfully operationalized phishing awareness, ransomware awareness, password hygiene, and suspicious email reporting. But privacy awareness often remained superficial. Employees are still rarely trained to think critically about internal oversharing, spreadsheet leakage, uncontrolled forwarding, or retention accountability.
DPDPA readiness is not measured by how many privacy products an organization purchases. It is measured by whether employees understand when personal data should not be collected, shared, retained, or exposed unnecessarily.
Waiting for Regulatory Clarity Is Becoming a Strategy
Another growing concern is the assumption that organizations still have time because the rules are still evolving, enforcement structures are maturing, and Significant Data Fiduciary (SDF) classifications remain unclear.
Some organizations appear to be interpreting regulatory evolution as implementation delay. That may become a dangerous assumption.
Governance maturity does not happen quickly. Retention discipline, deletion enforcement, engineering alignment, auditability, vendor governance, DPO structures, and privacy-aware operational culture cannot realistically be built in the final few months before enforcement pressure arrives.
The safer approach today is simple: prepare as though your organization will eventually face higher scrutiny than expected. Because if that assumption turns out wrong, the organization still matures. If it turns out correct, the organization avoids panic-driven governance later.
The Real Test of DPDPA Will Not Be Policy Language
At this stage, many organizations still view DPDPA primarily as a regulatory obligation. But the real test of the law will not be policy announcements, vendor marketing, compliance dashboards, awareness posters, or conference panels.
It will be whether organizational behavior actually changes. Whether enterprises begin collecting less, retaining less, sharing less, exposing less. Whether personal data finally stops being treated as operational exhaust.
“The day I stop getting spam calls for personal loans, credit cards, and overdraft facilities, I’ll know something actually changed.”
The views and opinions expressed in this article are personal and belong solely to the author. They do not represent the views of any employer, organization, or affiliated entity.
