The clock has started ticking for enterprises to align with the newly notified Digital Personal Data Protection (DPDP) Rules, with experts saying that the 18-month transition must be treated not as a grace period but as an execution runway. Although the phased rollout offers breathing room, companies will have to move fast on redesigning consent architecture, notices, governance structures, vendor contracts, breach-response systems and international data transfer flows to avoid bottlenecks as the deadline approaches.

Supratim Chakraborty, partner at Khaitan & Co, said the final rules mark the point where “stakeholders must fasten their belts and prepare for a comprehensive overhaul,” adding that the window until May 12, 2027 must be used to close gaps across consent, transfers, safeguards and children’s data. Probir Roy Chowdhury, partner, JSA Advocates & Solicitors, said that with the Data Protection Board getting operational first, and staggered compliance kicking in, the next year and a half will be crucial for shifting from planning to on-ground execution while balancing user rights with business practicality.

The operational implications are already surfacing. Rishi Agrawal, CEO and co-founder, Teamlease Regtech, said that compliance can no longer sit at the level of functional SOPs, adding that the near-term workload includes appointing data protection officers, mapping data flows and classifying personal and sensitive data across systems. According to Anirban Sengupta, partner and co-leader cyber and digital risk, PwC India, regulated sectors such as BFSI, healthcare and telecom will feel the weight of expanded rights around access, correction, erasure and consent withdrawal, triggering meaningful workflow changes and tooling upgrades. He said enterprises must shift from “collect more” to “collect only what is needed,” even as contract re-negotiations and interpretation challenges complicate implementation.

Nasscom-DSCI underlined that the DPDP Rules have important implications for cross-border data flows, especially for IT-ITES, global capability centres and platforms that rely on integrated global systems. The body has emphasised that India now needs transfer mechanisms that ensure interoperability with key trading partners to avoid disruption to the country’s technology ecosystem. Rajiv Chugh, partner and national leader, policy advisory and specialty services, EY India, said the new definition of “user account” now covers nearly every form of online presence, requiring businesses to reassess how identifiers are collected and processed. While notices allow design flexibility, he said “the time has come to take stock and act before the 18-month moratorium runs out”.

Attention is also turning to the DPDP Rules’ restricted-transfer model, which permits outbound data movement but grants the Centre discretion to impose conditions or prohibitions through future notifications. Lawyers say this creates a flexible but unpredictable localisation landscape. Nikhil Nagendran, equity partner (TMT), Trilegal, said that “the contours of localisation are not yet clear” and that restrictions may take the form of general orders applying to all companies as well as targeted ones for specific countries or sectors, adding that any new restriction “could become an entry barrier for smaller companies”. Aprajita Rana, partner, AZB, added that although no restricted list currently exists, later notifications could still force companies to re-architect data flows or shift workloads. Rishi Anand, head of technology law practice group, DSK Legal, pointed out that significant data fiduciaries could see category-based localisation obligations, including storage of certain datasets and related traffic data in India.

According to Mini Gupta, partner, cybersecurity consulting, EY India, the next 18 months must be treated as a structured transformation period involving redesigned consent journeys, revised processor contracts, grievance systems aligned to the 90-day resolution mandate and security upgrades. She added that while the regime is principles-driven, its implementation is highly technical and will require encryption, access controls, continuous monitoring and one-year log retention to demonstrate reasonable safeguards, entailing investments that smaller firms may view as steep but necessary to avoid penalties later.