With the Digital Personal Data Protection (DPDP) Act set to take effect in 18 months, the long shadow of uncertainty on a data privacy regime has lifted. At the same time, a very real countdown has begun. For businesses, especially those which already comply with global standards like the European Union’s General Data Protection Regulation (GDPR), it will be tempting to assume that compliance will be straightforward and there is a long runway to get there. This will not be the case. While the DPDP Act draws inspiration from global models, it has its own approach to core privacy concepts in ways that create new obligations and, in some cases, higher expectations. This means even mature privacy programs will need to be re-examined, re-engineered and adapted for the Indian context well before the law takes effect.
Businesses that have previously mapped their data governance to GDPR or other frameworks will likely need to revisit the same for the DPDP Act. Updating those maps with India’s requirements in mind becomes the natural starting point for the rest of the compliance effort.
Notice and consent architecture is a point where GDPR alignment does not guarantee Indian compliance. The DPDP Act expects notices to be short, clear, immediately understandable and available in local Indian languages. In terms of legal grounds for processing, the Indian law relies predominantly on consent. It does not have an equivalent of the EU’s “legitimate interests” ground, and its other grounds are narrower and more tightly framed than the EU’s. Many processing activities that companies justify under legitimate interests in Europe may require explicit consent here. This difference will require companies to redesign their consent journeys and rewrite the language that frames them.
Contracts will need significant attention. Most global companies use master service agreements that allocate responsibility in ways that reflect European law or US privacy expectations. India’s DPDP Act creates its own allocation of duties between data fiduciaries and data processors, and the law ultimately only holds fiduciaries accountable. Updating vendor and partner contracts therefore becomes essential, not optional. This can be slow work, especially in outsourcing-heavy sectors, and is something companies must begin well before the law becomes enforceable.
Large or data-intensive organizations also need to plan for the possibility of being designated as Significant Data Fiduciaries. India uses its own set of criteria to make this determination, including the sensitivity and volume of data handled and the use of emerging technologies. Once designated, a company must meet higher levels of governance, maintain more detailed records and appoint a senior Data Protection Officer based in India. These obligations require mature internal structures and cannot be assembled quickly. Once the designation is made, compliance will be expected quickly, so it is prudent to start preparations early.
Children’s data will require a deeper rethink than most organizations expect. India requires verifiable parental consent and expects businesses to avoid behavioral profiling of children. This is not a simple policy change. It forces companies to examine their methods of age verification, evaluate their onboarding practices, and in some cases change long-standing product assumptions. This applies across gaming, streaming, edtech and even social commerce. The engineering effort involved is substantial and needs an early start.
Breach reporting is perhaps the clearest example of how India diverges from global norms. Under the GDPR, companies assess the risk of harm and report a breach to regulators only if that threshold is crossed. India takes the opposite approach. Every personal data breach, regardless of severity, must be reported to the Data Protection Board and to the affected individuals. This means companies must be able to detect incidents quickly, escalate them immediately and communicate with users without delay. It is a demanding standard and one that requires incident-response capabilities far sharper than what most businesses currently maintain.
None of this will work without investing in people. Engineers, product teams, marketing departments and frontline staff all interact with personal data in ways that legal and privacy teams cannot micromanage. Building new habits and a shared understanding of the Act’s expectations takes time. Training is rarely glamorous, but it is the difference between compliance on paper and compliance in practice.
India’s law ultimately asks companies to revisit long-settled assumptions about how data is collected, used and protected. Those that treat the next 18 months casually will find themselves scrambling. Those that understand that global compliance does not automatically translate to Indian compliance, and begin building early, will be better placed to meet both the letter and the spirit of the law.
Aman Taneja and Nehaa Chaudhari are partners at Ikigai Law, a law and policy firm. The views expressed are personal.
