India Data Privacy Deadline Is Closing In. Most Businesses Are Still Unprepared.

22 June 2026 · ComplyDP · Press & industry briefing

With enforcement of the Digital Personal Data Protection Act expected by May 2027, most Indian businesses are still in a holding pattern—aware of the law, but without operational compliance in place.

Why the deadline feels closer than the calendar suggests

When Parliament passed the Digital Personal Data Protection Act in August 2023, it set in motion one of the most consequential shifts in how businesses handle customer information. The 2025 Rules, notified in November 2025, operationalise consent, notice, security safeguards, breach notification, and Data Principal rights on a phased timeline. Penalties for serious violations can reach ₹250 crore per instance.

Full substantive compliance is expected by May 2027. Yet across D2C brands, fintech platforms, enterprise SaaS companies, and healthcare providers, most organisations have done little more than acknowledge the law exists. Regulatory uncertainty, a shortage of qualified DPDP counsel, and the complexity of auditing data flows across modern digital infrastructure have slowed progress.

Why manual compliance breaks down at scale

The traditional approach—engaging a law firm, conducting a manual audit, and generating a static report—is expensive and slow. For a mid-sized business with dozens of third-party integrations and multiple data collection touchpoints, a thorough manual audit can take months and cost several lakhs, with no guarantee the findings stay accurate as the business evolves. For smaller companies, the process is often out of reach entirely.

Continuous compliance, not one-time snapshots

DPDP compliance is not a one-time exercise. As businesses add products, enter new markets, or integrate new vendors, their data landscape changes—and so does their compliance posture. Static audits go stale quickly. What the market increasingly needs is continuous compliance monitoring, not periodic snapshots.

How ComplyDP closes the gap

ComplyDP was built to automate the end-to-end DPDP compliance process—from initial audit to ongoing monitoring. The platform scans digital properties, maps personal data flows, identifies gaps against DPDP requirements, and generates a structured action plan in a fraction of the time a manual engagement would take. It also handles cookie consent management, privacy notice generation, and Data Principal rights workflows—among the most operationally complex requirements under the Act.

"Having argued data privacy matters at the Supreme Court, I have seen firsthand how organisations underestimate regulatory risk until it becomes a crisis," said Sanket Sharma, Co-Founder and CEO of ComplyDP. "The DPDP Act is India's GDPR moment. The difference is that businesses here have a narrower window to act, and far less institutional infrastructure to help them do it. We built ComplyDP to close that gap."

Free readiness check

Businesses can start with a free DPDP compliance report at complydp.com/report. The scan covers website data practices, cookie usage, and consent flows, and generates structured output legal and compliance teams can act on.

Independent research context

ComplyDP also publishes the India DPDP Preparedness Report 2026—an automated audit of privacy policies, cookie banners, and data protection practices across leading Indian companies. The report is based on publicly observable signals, not internal system access. See complydp.com/report for methodology and sector scores.

About ComplyDP

ComplyDP (Nihonium Labs Private Limited) is an AI-native DPDP compliance platform for Indian businesses. The platform automates compliance audits, consent management, cookie scanning, and data mapping. ComplyDP is backed by NVIDIA Inception, Google Cloud for Startups, T-Hub, and the Department of Science and Technology.