As India moves from rule-making to on-ground execution of the Digital Personal Data Protection (DPDP) Act, a majority of enterprises remain poorly prepared to translate the law into operational action, according to a new survey by EY India.
Nearly 71 percent of Indian enterprises surveyed said they continue to struggle with interpreting the DPDP Act and its rules, highlighting a widening gap between regulatory intent and enterprise readiness, even as the compliance clock begins to tick, the EY report said.
The findings, based on a survey of nearly 150 professionals across sectors, show that while awareness of the DPDP framework is improving, implementation maturity remains uneven and limited. Close to 80 percent of organisations have not yet updated or drafted DPDP-aligned privacy policies or governance frameworks, pointing to a lack of structural preparedness.
From a readiness standpoint, 48 percent of respondents said thetey have initiated gap assessments, making it the most common first step toward compliance.
However, fewer firms have moved beyond that stage. Only about 44 percent have documented data processing procedures, while around 38 percent have started categorising personal data or identifying third-party vendors handling such data. More than 83 percent have not begun end-to-end implementation of DPDP requirements across systems and processes.
Sector-wise, consumer, retail, and e-commerce firms appear to be ahead, with half of the respondents indicating they have initiated their DPDP journey. Technology services firms followed at 38.8 percent, while 34.7 percent of financial services companies reported taking initial steps. Metals, mining and energy lagged at 20 percent, while healthcare and life sciences recorded the lowest momentum, with just 9.9 percent of organisations having started compliance efforts.
The survey also points to sharp internal disparities in understanding the law. Awareness is strongest within legal, risk, cybersecurity, and technology teams, while business operations, HR, finance, and manufacturing functions show significantly lower levels of understanding, despite handling personal data regularly.
EY said enterprises face multiple hurdles in moving from intent to execution. Nearly 77 percent cited the inability to adopt privacy technologies such as consent management and rights fulfilment within legacy systems. Around 76.4 percent pointed to limited access to subject-matter expertise, while 71 percent flagged difficulty in interpreting the Act itself. Cross-border data transfer complexities and budget constraints were also highlighted as key challenges.
With the DPDP Rules now notified and the compliance window running until May 2027, EY said organisations can no longer afford a wait-and-watch approach. Enterprises that embed privacy into governance structures, systems, and organisational culture, rather than treating compliance as a checklist exercise, will be better positioned to manage regulatory risk and build long-term trust in India’s digital economy.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
