
India's DPDPA Is Real Now: What Conglomerates Need to Do Before May 2027

June 4, 2026

Planning isn’t enough. That was the clear message from TrustArc’s webinar “DPDPA Execution Strategies for Conglomerates,” featuring Val Ilchenko (TrustArc Chief Legal and Strategy Officer), Sanyogeeta Gaekwad (Founder, Provisioned), and Priyanka Sharma (Group DPO, Aditya Birla Group).

The webinar poll said it all: most attendees were aware of DPDPA and in planning mode. The panel’s message back? Planning isn’t enough. May 2027 is closer than it feels, especially if you’re in a large organization where getting engineering or marketing to do anything privacy-related takes months on a good day.

Here’s what they covered.

The DPDPA in 5 Minutes

The Digital Personal Data Protection Act was enacted on August 11, 2023, six years after India’s Supreme Court recognized privacy as a fundamental right. If you’re a practitioner, mark your calendars: the groundwork was laid in early 2025, but the actual compliance clock began ticking on November 13, 2025. That’s when MeitY finally gazetted the DPDP Rules, setting off a high-stakes 18-month countdown to the May 2027 deadline. Three implementation phases are now in motion, with substantive compliance (notice, consent, security, rights, breach response) due by May 2027.

A few terms worth getting right:

Data Fiduciary: That’s you, if you determine the purpose and means of processing. “Significant data fiduciaries” get extra obligations: annual DPIAs, audits, a mandatory India-based DPO. Missing that DPO? Penalties up to ₹150 crore ($17M USD) for that violation alone, with overall penalties reaching ₹250 crore ($29M USD) per violation across the broader penalty framework.

Data Processor: Your vendors. They do what you tell them. If the fiduciary says jump, they ask how high.

Data Principal: The individual. Think “data subject” if you’re coming from GDPR.

Consent Manager ≠ Consent Management Platform: This one trips everyone up. A Consent Manager under DPDPA is a government-registered intermediary that acts for the individual, like a personal dashboard where citizens manage their consent across multiple companies. Think of India’s account aggregator model, but for data. A Consent Management Platform (CMP) is the enterprise technology you deploy on your website to collect, record, and evidence consent. You’ll likely need both. Neither replaces the other.

The Big GDPR Contrast: Consent Is (Almost) Everything

If you’re coming from GDPR, here’s the adjustment that will hit hardest: India has no legitimate interest basis. There is no broad carve-out that lets you process data without asking, so long as your interest doesn’t override people’s rights.

The narrow exceptions (voluntary sharing, employment purposes, state functions like Aadhaar services, emergency response) are genuinely narrow. Voluntary sharing is still purpose-limited. Employment purposes don’t cover sending birthday emails or cross-selling internal products to your own staff. Those still need consent.

What this means practically: That cookie banner you’re running? It’s no longer an optional add-on. Under DPDPA, you need an affirmative opt-in before a single pixel fires. Unlike California’s opt-out model or GDPR’s reliance on legitimate interest, India offers no such luxury. If your processing activity doesn’t fall into a tiny bucket of specific exceptions, you must secure explicit consent first.

And those consent notices? They can’t be buried in a privacy policy. They need to be layered, just-in-time, and available in 22 languages upon request. A sloppy auto-translation won’t cut it. “Withdraw consent” rendered as “withdraw money” in Hindi is a compliance failure waiting to happen.

Breach Notification: Think Hours, Not Days

Breach notification is a two-stage process: an initial notice to the Data Protection Board and each affected individual “without delay,” followed by a detailed report to the Board within 72 hours.

The “without undue delay” language sounds vague. It isn’t. India’s CERT-IN already requires cybersecurity incident reporting within 6 hours.

Two other things worth noting:

  1. You can’t outsource your security obligations. Contractual flowdowns to vendors are necessary but not sufficient. If a vendor causes a breach, you’re the one notifying the regulator and affected individuals, not them.
  2. There’s no materiality threshold. Under GDPR, you can argue a breach isn’t notifiable if it’s unlikely to harm individuals. India doesn’t have that filter. Expect higher notification volumes, and regulators using AI tools to sift through them. Don’t assume volume means cover.

The Conglomerate Problem

Managing DPDPA across a portfolio of businesses (manufacturing, retail, financial services, B2C, B2B) is less like running one compliance program and more like air traffic control.

“You’re making sure the planes don’t collide while still reaching their destinations.”

The hardest part isn’t the law. It’s the heterogeneity. One business unit might have a massive employee database and minimal consumer data. Another has high-volume customer journeys, ad tech integrations, and sector-specific regulations on top of DPDPA.

For Multinationals: You’re Not Starting From Scratch

GDPR, CCPA, LGPD, DPDPA: they all trace back to the OECD Privacy Framework from 1980. The principles are the same: data minimization, purpose limitation, storage limitation, accuracy. If you’ve built a GDPR-compliant program, a significant portion of your playbook transfers. The nuances are real (India’s consent requirements are stricter, the exceptions narrower), but the skeleton is familiar.

India took a blacklisting approach, not an adequacy model like GDPR. You can transfer data internationally until the government publishes a prohibited list. While the blacklisting approach feels less restrictive, remember that the government can refresh that prohibited list via notification at any moment. This doesn’t leave much room for operational maneuvering. The smart move? Architect your systems for built-in flexibility now, ensuring that if localized hosting becomes mandatory, it won’t turn into a high-stakes compliance scramble later.

Build Your Champions Network Now

Here’s the math problem: most privacy teams are one or two people managing 200+ applications and 400+ processes. You cannot do this alone.

Sanyogeeta’s prescription? Identify people in HR, marketing, IT, and procurement who understand their business functions, then actually train them on privacy, not just give them a title. A privacy champion who understands both their domain and privacy risk is far better positioned to spot gaps than a central DPO who can’t see into every corner of the organization. Your champions become your eyes and ears. They surface risks. You set a remediation strategy.

A privacy office will never be a 30-person team. An extended network of trained, empowered champions can be hundreds of people. That’s how robust programs scale.

Before May 2027: The Must-Do List

  1. Stand up your Champions Network: Run your first training cohort. Get more hands into the organization.
  2. Fix your front door: Website, app, customer onboarding journeys. Get these DPDPA-compliant first.
  3. Implement your data principal rights process: And actually test it.
  4. Run your breach tabletop: Your incident response playbook needs to be ready before enforcement starts, not after.
  5. Map your data: It’s the thing everyone defers because it’s hard. Don’t defer it. Organizations that still haven’t mapped their data five years into GDPR are the cautionary tale here.


Want the full data behind the discussion? Download India’s DPDPA Compliance Checklist to see how organizations across India are managing DPDPA readiness.
