Mumbai: As India transitions from policy formulation to on-ground implementation of the Digital Personal Data Protection (DPDP) Act, a new report by EY India highlights growing awareness but uneven readiness among enterprises. The report, “India’s digital privacy crossroads: Understanding the DPDP Act’s impact and enterprise readiness”, finds that while momentum toward compliance is building, significant gaps remain in interpretation, governance, and execution across sectors.
According to the survey, nearly 71% of respondents report limited understanding of the DPDP Act and its Rules, indicating that knowledge gaps persist not only at operational levels but also within leadership teams. While awareness of data privacy obligations is increasing, the depth of understanding and maturity of implementation varies widely across industries.
Sector-wise analysis shows that consumer, retail and e-commerce companies are leading the compliance journey, with 50% of respondents stating that they have initiated DPDP-related efforts. This is followed by technology services at 38.8% and financial services at 34.7%. Progress remains slower in metals, mining and energy, where only 20% of organizations have begun their DPDP journey, while healthcare and life sciences lag significantly, with just 9.9% reporting initial steps.
Functionally, awareness is highest within legal, risk, cybersecurity and technology teams, while business operations, HR, finance and manufacturing functions show considerably lower levels of understanding, despite routinely handling personal data. This disparity underscores the need for enterprise-wide privacy education and shared ownership of DPDP compliance.
From an implementation standpoint, 48% of organizations have conducted gap assessments, making it the most common entry point into compliance. However, only 44% have started documenting data processing procedures, around 38% have begun personal data categorization, and a similar proportion have identified third-party vendors handling personal data. Alarmingly, nearly 80% of organizations have not updated or drafted DPDP-aligned privacy policies or governance frameworks, and over 83% have yet to initiate end-to-end implementation across systems and processes.
Commenting on the findings, Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, said, “The DPDP Act has moved decisively from interpretation to execution. Our survey clearly shows that while organizations recognize the importance of data privacy, many are still early in their operational journey. The next phase will require enterprises to go beyond assessments and embed privacy into governance, systems and culture. Those that treat DPDP compliance as a structural transformation rather than a regulatory checkbox will be far better positioned to build trust, resilience and long-term competitive advantage.”
The report also outlines key challenges likely to impede DPDP implementation. Nearly 77% of respondents cite difficulty in adopting privacy technologies, such as consent management and data rights fulfillment, within legacy environments. 76.4% point to limited access to subject-matter expertise, while 71% continue to struggle with interpreting the Act itself. Additionally, 58.8% highlight complexities around cross-border data transfers, and 45.3% flag budgetary constraints.
With the DPDP Rules now notified and the compliance window extending until May 2027, the report stresses that privacy is rapidly evolving from a regulatory requirement into a strategic business imperative. Enterprises that proactively modernize data governance, strengthen consent and rights-management frameworks, and embed privacy-by-design across operations will not only meet regulatory expectations but also contribute to building a more trusted and resilient digital economy in India.