Nearly 71% Indian enterprises struggle to interpret DPDP Act, EY flags uneven readiness

Survey of nearly 150 professionals finds 80% organisations yet to update DPDP-aligned privacy policies; legacy tech, expertise gaps and cross-border transfers emerge as key hurdles

BestMediaInfo Bureau

New Delhi: As India shifts from policy to on-the-ground implementation of the Digital Personal Data Protection Act (DPDP Act), EY India’s latest study has flagged a widening gap between intent and execution, with nearly 71% of surveyed enterprises saying they still struggle to interpret the Act and Rules even as compliance work begins across sectors.

The report, India’s digital privacy crossroads: Understanding the DPDP Act’s impact and enterprise readiness, is based on a survey of nearly 150 professionals across industries, including financial services, technology, consumer and retail, healthcare, manufacturing, telecom, media, education and infrastructure. 

EY said awareness of DPDP is rising, but the maturity of implementation remains uneven, with knowledge gaps visible not only at operational levels but also within leadership cohorts.

EY’s findings show that 48% of organisations have initiated gap assessments, making it the most common first step towards compliance. However, the follow-through remains patchy. 

Only about 44% have progressed on documenting data processing procedures, close to 38% are categorising personal data, and a similar proportion have identified third-party vendors that handle personal data.

The larger concern, EY said, is that governance foundations are still missing in a majority of enterprises. Nearly 80% of organisations have not updated or drafted DPDP-aligned privacy policies or established governance frameworks, and over 83% have not initiated end-to-end implementation of DPDP requirements across systems and processes.

Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, said enterprises now need to move beyond assessment exercises. “The DPDP Act has moved decisively from interpretation to execution. Our survey clearly shows that while organizations recognize the importance of data privacy, many are still early in their operational journey. The next phase will require enterprises to go beyond assessments and embed privacy into governance, systems and culture,” he said.

Media and entertainment: Low familiarity, complex data supply chains

For the media and entertainment (M&E) sector, EY’s report points to a tougher starting point. M&E firms are dealing with high-volume consumer data across platforms, multiple processing touchpoints linked to subscriptions, registrations, contests, loyalty programmes, and ad-led audience intelligence, and extensive third-party dependencies across agencies, measurement partners, ad-tech vendors, content partners and cloud service providers.

EY’s survey commentary indicates that sectors such as M&E tend to show lower familiarity with DPDP compared to more compliance-mature segments, which becomes a material risk when the focus moves from broad awareness to operational actions such as privacy notices, consent management, grievance handling and breach response.

The execution challenge in M&E is amplified by legacy and fragmented systems. EY’s survey flags that a large majority of respondents expect DPDP implementation to be hindered by the inability to adopt privacy technology such as consent management, data discovery and rights fulfilment in legacy environments. 

This is particularly relevant for M&E organisations that have built stacks over time across OTT, broadcast, digital publishing, CRM, ad serving and analytics, often with limited standardisation.

Cross-border data transfer is another pressure point for M&E players with global ad-tech pipes, measurement tools, cloud deployments and content distribution partnerships. 

EY’s survey respondents flagged cross-border data transfer complexities as a key hurdle, a concern that could force companies to revisit vendor arrangements and data-flow architectures.

Tech services: higher momentum, but delivery models need rework

EY’s findings suggest technology services firms are relatively ahead in initiating DPDP work compared to several other sectors, driven by deeper exposure to privacy programmes through global clients, security frameworks and contractual obligations.

Even so, the report flags that “readiness” is not uniform, and many organisations are still early in the journey despite high awareness in legal, risk, cybersecurity and technology functions.

For tech services companies, the DPDP challenge is less about acknowledging the law and more about operationalising it across delivery. 

Privacy-by-design controls need to be embedded into products, platforms and managed services, while contractual frameworks with clients and subcontractors must clearly define fiduciary-processor responsibilities, breach reporting flows, log retention, and audit readiness.

EY’s survey also highlights a strong constraint on execution capacity: limited access to subject-matter expertise. This becomes especially critical for tech services firms that must interpret DPDP obligations across multiple client contexts, industry-specific rules, and cross-border delivery structures.

In addition, tech services teams face pressure to modernise or retrofit consent and rights-management capabilities in environments that still depend on legacy integrations, manual processes, and older data lakes. 

The survey flags that many organisations are not yet at the stage of end-to-end implementation, signalling that the heavy lift of system and process transformation is still ahead.

What is slowing enterprises down

EY’s survey identified five hurdles that are expected to hinder DPDP implementation across sectors: the inability to adopt privacy technology in legacy environments, limited access to subject-matter expertise, difficulty in understanding and interpreting the Act and Rules, cross-border data transfer complexities, and financing and budget constraints.

EY said privacy is rapidly shifting from a compliance obligation to a business imperative, and with India moving into the execution phase and the compliance runway extending to May 2027, enterprises can no longer afford a wait-and-watch approach. 

It added that companies that treat DPDP compliance as a structural transformation, modernising governance, strengthening consent and rights management, and building audit-ready privacy-by-design systems, will be better placed to build consumer trust and long-term resilience.
