
Last Updated: 2025-09-23 ~ DPDP Consultants

Is Corporate India Ready for the DPDP Act Rules?

With the Digital Personal Data Protection (DPDP) Act rules expected to be notified by the end of September, corporate India is entering a decisive phase. In less than two weeks, companies will move from preparing policies on paper to executing compliance in practice.

Across industries, the momentum is clear. Organisations are appointing Data Protection Officers (DPOs), running data-mapping exercises, and strengthening consent systems. Yet, experts note that most of these measures are still in their early stages.

“Firms have done what they could with the information available, particularly mapping how data is collected, processed, and shared. But since the final rules are still awaited, compliance remains at a formative stage,” explained Meghna Bal, Director at Esya Centre.

While the Act does not make DPO appointments compulsory for all, entities classified as Significant Data Fiduciaries (SDFs)—those handling large volumes of sensitive personal data—are expected to formally designate DPOs. Industry reports suggest that companies like Meta, Kotak Mahindra Bank, GMR Group, and Cars24 are already seeking dedicated officers, while consulting giants such as EY and others are preparing to support clients with specialised hires.

Some businesses are treating the waiting period as a strategic opportunity. Tarun Wig, Co-Founder & CEO of Innefu Labs, described his firm’s “compliance-first, innovation-aligned” model, which focuses on flexible systems that can adapt once rules are finalised, without slowing innovation.

Others are pursuing dual-track strategies. Amit Jaju, Senior Managing Director at Ankura Consulting, said his organisation has introduced non-negotiable safeguards such as layered notices, security controls, and breach playbooks while leaving adjustable elements open to reflect final rule changes.

Startups, particularly those working with AI-driven content, are also weaving compliance into their DNA. Dipankar Mukherjee, Co-Founder & CEO of Studio Blo, revealed that his firm has made consent central to all operations, even building an “ethical celebrity cloning” platform governed by an independent ethics board.

For emerging ventures like Binge Labs, compliance is viewed as a trust-building exercise rather than a regulatory burden. “By tightening consent practices, reducing data retention, and ensuring vendor compliance, we see this as a chance to strengthen transparency with users,” said Co-Founder Aryan Anurag.

Compliance service providers are also in high demand. Karma Management Global Consulting Solutions, for instance, is helping clients chart phased roadmaps covering data mapping, gap assessments, and privacy-by-design integration. “Most organisations are prioritising DPO appointments, stronger consent systems, and breach readiness. Our role is to connect legal requirements with workable execution,” explained Managing Director Pratik Vaidya.

As the notification date approaches, the consensus across boardrooms and startups alike is that the next six weeks will be critical. The focus now is on freezing risky changes, finalising data inventories, and preparing consent templates so organisations can act decisively once the rules take effect.

As one compliance leader summed it up: “The sprint has begun. The real test will be how quickly companies can translate plans into practice the moment the rules are published.”
