
The Great DPDPA Challenge: Why ‘Legally Compliant’ Will Still Leave You ‘Operationally Exposed’?

In November 2025, the Digital Personal Data Protection (DPDP) Rules were notified, and since then our feeds have been flooded with summaries and expert opinions about the 18-month timeline, the penalties, the new grievance forms, and so on.

With the government setting a staggered timeline leading up to May 2027 for compliance, the consensus in many boardrooms is that we have a comfortable cushion.

People often think, “Why worry now when we have 18 months?”

This can be a major strategic blunder. Although privacy regulation is new to India, under other privacy regimes such as the General Data Protection Regulation (GDPR), cumulative fines have exceeded ₹500,000 crore, with an average penalty of up to ₹25 crore per violation. The DPDPA provides for fines of up to ₹250 crore.

Implementing DPDPA compliance can be confusing. It may look like a checklist for legal compliance. In reality, it is a massive operational overhaul involving a major shift in how organizations treat data.

Organizations need to look beyond the obvious compliance checks and identify the hidden risks in their operational reality.

Regular Compliance Checklist

By now, you must be familiar with certain mandates: multilingual privacy notices, cookie compliance, and a consent management framework.

Most companies view this as a front-end task: “Update the website, change the cookie banner, integrate the application programming interface (API), and we are compliant.”

However, this may not be enough. The real liability is your unstructured data — the years of downloaded files, legacy dumps, and poor data hygiene that cannot be fixed overnight just by updating policies.

The ‘Spreadsheet’ Reality: Shadow IT

Organizations are likely to face challenges not only in protecting data but also in completely removing it from their systems. Deleting a record from a customer relationship management (CRM) system is of no use if a copy remains in a downloaded spreadsheet or an email. If even one file remains, you have technically failed the request.

According to available statistics, a single non-compliance incident may cost up to ₹22 crore in lost revenue alone, not counting reputational damage.

Information Technology (IT) teams focus on system uptime and security, and they cannot audit their own work. Operational blind spots arise because IT teams concentrate on keeping systems running flawlessly, yet they may not know how the data in those systems is actually being used. You need an external auditor to simulate a regulator’s analysis — someone who looks at data flows from an independent perspective, trying to find risks.

We Are Digital Hoarders

We have years of legacy data, which is itself a risk. Internal teams such as human resources (HR), marketing, sales, and even legal often resist deleting data because they think they may need it in the future. IT may also fear that deleting data will break hidden dependencies in workflows. An independent external perspective assesses the data objectively, ensuring that what you retain is genuinely necessary and supports your business rather than posing a risk and liability.

The ‘Unsubscribe’ Nightmare

Do you have an “unsubscribe” link in your emails?

The meaning of “unsubscribe” needs to be revisited. We have always assumed that when someone unsubscribes from marketing emails, all we need to do is stop sending them marketing communications. Under the DPDPA, consent revocation means a “kill chain” that traverses the entire ecosystem. If a user revokes consent, that signal must travel from your consent manager to your CRM, your analytics vendors, and your third-party processors. For many companies this is not a couple of weeks of work; it requires a change in infrastructure.
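To make the revocation “kill chain” and the shadow-copy problem from the earlier section concrete, here is an added illustration that is not code from the article or from Ankura: a consent manager fans one revocation out to every store it has been wired to, and a separate check over the full data inventory (the auditor’s view) reports any store that still holds the subject. The store names and record layouts are constructed for this example.

```python
# Added example, not code from the article. A consent-revocation "kill
# chain" fanned out from a consent manager to downstream stores, plus an
# independent erasure check over the complete data inventory.
# Store names and record contents below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class DataStore:
    """One place personal data lives (CRM, analytics vendor, file export)."""
    name: str
    records: set = field(default_factory=set)  # subject ids held here

    def delete(self, subject_id: str) -> bool:
        """Remove the subject's data; True if something was actually removed."""
        if subject_id in self.records:
            self.records.discard(subject_id)
            return True
        return False


class ConsentManager:
    """Propagates a revocation to every store it has been wired to."""

    def __init__(self, wired_stores):
        self.wired = list(wired_stores)
        self.audit_log = []  # (subject, store, removed) receipt per store

    def revoke(self, subject_id: str):
        """Send the delete signal downstream; return the stores notified."""
        for store in self.wired:
            self.audit_log.append((subject_id, store.name, store.delete(subject_id)))
        return [store.name for store in self.wired]


def verify_erasure(inventory, subject_id: str):
    """Independent check over the *full* inventory, not just wired stores.
    Returns the stores still holding the subject: a single hit means the
    revocation is incomplete, whatever the consent manager's log says."""
    return [s.name for s in inventory if subject_id in s.records]


def run_demo():
    crm = DataStore("crm", {"u-100", "u-200"})
    analytics = DataStore("analytics-vendor", {"u-100"})
    # A downloaded export that was never wired to the consent manager.
    export = DataStore("sales_export.xlsx", {"u-100"})
    manager = ConsentManager([crm, analytics])
    notified = manager.revoke("u-100")
    residual = verify_erasure([crm, analytics, export], "u-100")
    return {"notified": notified, "residual": residual, "complete": not residual}
```

The consent manager reports success for every wired store, yet the inventory check still flags the spreadsheet export, which is exactly the gap an independent audit is meant to surface.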

The ‘Integration Gap’: Why You Cannot Wait

This brings us back to the 18-month timeline. Why start now?

Drafting a policy may take a couple of weeks. But creating an inventory of data across platforms, locating and classifying it, and then deleting unwanted data may take up to a year.

If you do not plan in advance, you will be forcing a complex engineering project into a few months’ sprint. This is when mistakes happen. Systems break, critical business data gets accidentally deleted, and operations fail.

Some proactive companies have already started mapping their data flows and stress-testing their deletion protocols while there is no pressure. This ensures that when the deadline hits, their business continues as usual.

Conclusion: Do Not Wait for the Deadline

The DPDPA is a transformation event, similar to the Goods and Services Tax (GST) rollout. The 18-month timeline is not a waiting period; it is the time you need to roll out your data privacy implementation. Companies need to use this time to ruthlessly clean house, minimizing their data footprint and simplifying their architecture.

Treat this timeline as an opportunity to clean house rather than as a waiting period. The stakes are high: data breaches in India cost an average of ₹19.5 crore in 2024, climbing to a record ₹22 crore in 2025. Investing early in compliance architecture is far cheaper than paying penalties or breach costs later.

If you are waiting until the compliance deadline looms to bring in expert help, you are already late. Now is the time to start the renovation — before the inspectors arrive.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice. 
