Businesses gear up for DPDP Rules with privacy policy updates, appoint Data Officers

From Meta to Muthoot Fincorp and Fynd, companies across sectors are looking for Data Protection Officers to comply with the draft Digital Personal Data Protection (DPDP) Rules, while also strengthening data security measures and building data governance structures.

By Akanksha Nagar | March 11, 2025, 8:01 am
Public feedback on the draft DPDPA rules was accepted till March 5, 2025. While businesses continue to strengthen their internal structures to comply with the rules, many industry bodies have pointed out the difficulties in doing so, especially for small-scale startups and businesses.

Major companies in the country are intensifying compliance audits, updating privacy policies to enhance data protection measures, and onboarding Data Protection Officers (DPOs) to oversee sensitive personal data and ensure compliance with data protection regulations. The move follows the release of the draft Digital Personal Data Protection (DPDP) rules on January 3, 2025.

Additionally, companies in large numbers have started reaching out to consultancy and law firms to achieve compliance with the Act and its rules.

The likes of Meta, Muthoot Fincorp and Fynd (Shopsense Retail Tech) are on the lookout to hire DPOs to strengthen their respective privacy frameworks; meanwhile, American Express is actively hiring for Director, Data Governance & Management and McDonald’s for Senior Director - Data Governance. While the Act does not explicitly mandate all data fiduciaries to appoint a DPO, companies processing large amounts of personal data must appoint a DPO to comply with the rules.

Jasprit Singh, partner, Grant Thornton Bharat, told Storyboard18 that since the release of the DPDP Act and its rules, a majority of its clients have reached out to the advisory firm about how to achieve compliance with the Act.

“We are advising clients to conduct a quick gap assessment/internal audit to understand their current privacy landscape followed by updating their privacy documentation such as privacy notices, policies/procedures, templates, cross-border transfer clauses etc.”

Growing Pro Technologies, an IT firm, has taken proactive steps to ensure that its data practices align with the evolving regulations, particularly following the release of the DPDPA draft rules. Among several other types of audits, it has conducted a Data Flow and Processing Audit, a Security and Compliance Audit, and a Third-Party and Vendor Risk Assessment to review the data-sharing policies and practices with its external partners and vendors and ensure there are no gaps in compliance. Accordingly, it is also revising its privacy policies.

Heightened regulatory expectations are driving organisations across various sectors to proactively strengthen their data protection frameworks.

A recent study by the Advertising Standards Council of India (ASCI) found that only 6% of Indian websites are ready to comply with the Act’s cookie processing requirements, showing how online marketing could be impacted by the framework.

So, while businesses are preliminarily assessing the suitability of their data practices with the requirements under the Act and the draft rules, another consideration has to be how to suitably obtain consent without experiencing friction and user drop, points out Sidharth Deb, associate director-Public Policy, TQH Consulting.

Separately, businesses are studying how the draft rules and the Act impact their ability to use algorithmic software or train AI models using public data.

Public feedback on the draft rules was accepted till March 5, 2025. While businesses continue to strengthen their internal structures to comply with the rules, many industry bodies have pointed out the difficulties in doing so, especially for small-scale startups and businesses.

The Internet and Mobile Association of India (IAMAI) has raised concerns that the compliance framework demands significant technical and financial resources, which can hinder the growth of startups and MSMEs in the country.

In its recommendations to the Ministry of Electronics and Information Technology (MeitY), IAMAI (which represents over 600 Indian and global digital companies) said, “India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements.

“In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation.”

IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes.

The body also highlighted ambiguity around the designation of Significant Data Fiduciaries (SDFs). IAMAI said that criteria for classification, such as volume and sensitivity of personal data processed, remain vague and subjective. Additionally, it recommended that companies be allowed to be heard before being designated as SDFs and called for clearer guidelines on compliance.

Indian non-governmental trade association and advocacy group, NASSCOM, too has opposed the government’s plan to restrict cross-border data transfer by significant data fiduciaries, asserting that the move could discourage investment, impact global competitiveness, and increase compliance costs for companies.
