Only 50% consumer, retail & E-comm firms begin DPDP Act adoption: Report

The EY report noted that 71% of respondents have a limited understanding of the DPDP Act and its rules, while 34.7% of financial services firms reported taking initial steps.

Social Samosa

As India moves from policy formulation to implementation of the Digital Personal Data Protection Act (DPDP Act), a new EY India report points to growing awareness but uneven preparedness among organisations.

The report, 'India’s digital privacy crossroads: Understanding the DPDP Act’s impact and enterprise readiness', found that while momentum toward compliance is building, operational readiness varies widely across sectors and functions.

According to the survey, about 71% of respondents said they have a limited understanding of the DPDP Act and its rules, indicating persistent knowledge gaps, including at senior leadership levels.

Sector-wise, consumer, retail and e-commerce companies are the most advanced, with 50% having initiated their DPDP journey. Technology services followed at 38.8%, while 34.7% of financial services firms reported taking initial steps.

Progress remains slower in other industries. Only 20% of respondents from metals, mining and energy said they had begun implementation, while healthcare and life sciences recorded the lowest momentum, with just 9.9% indicating progress.

The report found that awareness of DPDP requirements is highest within legal, risk, cybersecurity and technology teams.

In contrast, business operations, human resources, finance and manufacturing functions showed significantly lower understanding, despite regularly handling personal data. The gap highlights the need for broader, organisation-wide privacy education.

In terms of readiness, 48% of organisations said they have initiated gap assessments, the most common first step toward compliance. However, only about 44% have documented data processing procedures, around 38% are categorising personal data, and a similar share have identified third-party vendors handling personal data. Nearly 80% have not updated or drafted DPDP-aligned privacy policies or governance frameworks, and more than 83% have not begun end-to-end implementation across systems and processes.

Commenting on the findings, Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, said, “The DPDP Act has moved decisively from interpretation to execution. Our survey clearly shows that while organizations recognise the importance of data privacy, many are still early in their operational journey. The next phase will require enterprises to go beyond assessments and embed privacy into governance, systems and culture. Those that treat DPDP compliance as a structural transformation rather than a regulatory checkbox will be far better positioned to build trust, resilience and long-term competitive advantage.”

The survey identified several barriers to implementation. Nearly 77% of respondents cited challenges in adopting privacy technologies such as consent management and data rights fulfillment within legacy systems.

About 76.4% pointed to limited access to subject-matter expertise, while 71% reported difficulty interpreting the Act. Cross-border data transfer issues were cited by 58.8%, and 45.3% highlighted budget constraints.

With DPDP rules now notified and the compliance window extending to May 2027, the report notes that organisations face increasing pressure to move beyond a wait-and-watch approach and strengthen data governance and privacy frameworks.
