Businesses, especially SMEs, are going to be hard-pressed when it comes to complying with consent management, data processing restrictions and other provisions of the Digital Personal Data Protection (DPDP) Rules within 18 months, according to experts.
The 18-month deadline for compliance with DPDP weighs heavily on companies, as failure to comply could lead to fines of ₹200-250 crore.
A lot depends on how a company's current structure responds to a cyber incident. The mechanism has to be mature enough to identify whether the data processed is personal information. Companies that don’t have this mechanism will have to start by establishing it and creating additional customisations for DPDP, said experts.
According to Akshayy S Nanda, Partner at Saraf & Partners, SMEs will suffer the most when it comes to putting a DPDP compliance mechanism in place, since they lack both human and financial resources.
“The challenging part is going to be the 18-month deadline. India is implementing such a privacy law for the first time. Organisations will have to have data inventories ready, understand how information flows within their workflows. Larger companies operate across the globe, so they have some things in place but it’s going to be challenging for SMEs,” said Nanda.
On timeline
Similarly, Nikhil Jhanji, Senior Product Manager at IDfy, called the 18-month timeline insufficient for companies to ensure compliance considering they will have to re-architect data flows, redesign consent for each and every customer interaction, train AI and embed privacy into operational workflows.
Another concern raised by experts is the data breach provisions, under which companies have to notify the Data Protection Board of India and the affected user of the likely impact of the breach. Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, said the firm had raised concerns regarding this provision during consultations.
“This requirement/disclosure will definitely be operationally burdensome to implement – particularly, when dealing with an ongoing breach. This will not create significant company liability, provided companies can demonstrate a bona fide effort to comply,” said Chowdhury.
While most experts doubted readiness in terms of compliance, Nitin Naredi, Partner, Deloitte India, argued companies have had ample time to prepare for the Rules considering the Data Protection Act was enacted in 2023.
“Companies had over two years to lay a strong foundation for their DPDPA programme. Rules offer such companies the required guidance to complete their readiness program. Those who didn’t take advantage of this time will now have to fast track their readiness journey,” said Naredi, stating that companies will have to tweak their programs to identify whether the data compromised has a personal data component.
Published on November 14, 2025