With the government stating that it is exploring whether the 18-month compliance deadline under the Digital Personal Data Protection (DPDP) Act can be shortened, industry stakeholders have indicated that they are ready. Union IT and Electronics Minister Ashwini Vaishnaw said on Monday that he is in discussions with companies, especially large global tech firms that already follow data-protection rules in other countries, to see how much the implementation timeline can be compressed. Several firms have indicated that they are prepared and would be able to meet a slightly tighter schedule.
The current 18-month window was originally seen as giving companies enough time to rebuild systems, strengthen consent frameworks and modernise internal processes. A shorter transition period, however, is now being viewed by many players as an opportunity to speed up execution instead of stretching compliance work until the last minute. Companies have started planning investments in data-governance and privacy operations so that they do not fall behind once enforcement begins.
The impact of a reduced deadline will not be felt evenly across the board. Large established institutions such as banks and financial firms operate complex legacy systems and will need time to overhaul their infrastructure. “For the established players and those with legacy systems, it takes time to adapt as operators like banks, financial institutions have comprehensive systems to revamp,” Sameer Kulkarni, SVP – IT infrastructure support, Decimal Point Analytics, said. “But for start-ups, the process could be slightly smoother, given the scale and headcount, of course,” he added.
Yet, not all companies are beginning from scratch. Many multinational firms in sectors such as BFSI, telecom, cloud services, e-commerce, health-tech and social media have already gone through full GDPR-level compliance in Europe. These companies already have consent management structures, data-minimisation controls, breach-response practices and audit-ready documentation. For them, DPDP compliance now requires alignment rather than a complete rebuild.
Industry advisors say companies should not wait for every rule and specification to be formally notified before they start internal work. Even though full enforcement will begin only after the Data Protection Board of India becomes operational, organisations are already preparing for changes in how personal data is collected and used. “Phase 1 enterprise would be focusing on assessment and governance, which will be an immediate action area, and in Phase 2 enterprises should be doing their system redesign and process implementation,” Rajarshi Dasgupta, executive director – Tax, Aquilaw, said.
A major shift under the DPDP regime will be the introduction of independent consent managers, which is expected to shape a new compliance-tech ecosystem. “This is going to be like an independent third party and we expect a surge in privacy tooling as seen during GDPR adoption,” Raghuveer Kancherla, co-Founder and COO, Sprinto, said.
Consultants pointed out that the first priority is for companies to know what data they collect, where it resides, how it moves across systems and who has access to it. “The modus operandi for every smart company, starting today, is not policy-writing; it is data discovery,” said Nikhil Jhanji, senior product manager, IDfy.
With the possibility of compressed timelines, privacy specialists expect the coming months to involve closer coordination between legal, technology, cybersecurity and business teams. “The immediate priority is to apply a risk-based approach and plan for key activities in a phased manner,” Mayuran Palanisamy, partner, Deloitte India, said.