DPDP ‘18-month runway’ is a myth, say industry leaders as compliance clock starts now

New Delhi: Industry leaders tracking India’s new data protection regime say the widely-assumed “18-month runway” under the Digital Personal Data Protection (DPDP) Act is more myth than reality. 

With the government notifying the DPDP Rules, 2025, they argue that the most demanding phase of compliance has already begun, with key obligations kicking in from day one.

Soon after the government notified these rules, Ashok Hariharan, Co-founder and CEO, IDfy, termed the move a watershed for India’s digital ecosystem. 

“The notification of the DPDP Rules marks a pivotal shift in India’s data protection landscape. It isn’t simply about meeting obligations – it’s about redefining how we honour the trust placed in us by every individual whose personal data we steward,” he said.

Hariharan urged companies to move beyond a box-ticking approach. “As an industry we must elevate our thinking from ‘Can we comply?’ to ‘How will we lead?’ – designing systems where consent is not an afterthought, breach-readiness is built-in, and privacy by design becomes the default,” he added. 

According to him, the government has now fulfilled a promise made years ago. “With the launch of the DPDP Act, the government has redeemed its pledge, not in half measure, but wholly and substantially, to guarantee privacy as a constitutional right for the people of Bharat, which it made in 2018.”

Building on the urgency, Nikhil Jhanji, Senior Product Manager at IDfy, warned that the real challenge begins immediately. 

“The next 90 days are when the real work begins, turning policy into process, and intent into infrastructure. It’s the difference between being DPDP-ready on paper, and being DPDP-proof in practice,” he said, adding that the commonly-assumed 18-month buffer is misleading. “The 18-month runway is a myth.”

According to Jhanji, the new data regime demands a rapid, verifiable, organisation-wide shift in how companies govern data. He noted that most organisations today have significant gaps in purpose linkage, consent mapping and retention clarity – gaps that now constitute immediate board-level risk. 

Systems will need to demonstrate auditability, furnish deletion proofs and maintain continuous data lineage, a capability that only a fraction of companies currently possess. Strong governance, he said, will no longer be a backend hygiene function but a frontline differentiator, shaping enterprise deal flow and partner selection.

Jhanji added that marketing-intelligence workflows, in particular, face a hard reset. Opaque enrichment models and third-party data streams without clear provenance are now operational liabilities, with a sizable share of current use cases likely to require redesign or deprecation. “The era of ‘dirty data’ is over,” he said, underscoring that the DPDP framework demands a clean, defensible data supply chain from day one.

Together, the industry leaders signal that while the DPDP Rules provide long-awaited clarity, they also compress timelines and raise the stakes, making the coming weeks and months critical for companies aiming to transition from theoretical compliance to real-world accountability.

For now, the notification puts the DPDP’s staggered rollout into motion, giving companies a clear but demanding compliance runway. Key obligations for Data Fiduciaries, including consent, data-processing norms and breach reporting, take effect immediately.

The government has given a one-year window for Consent Managers to register and align with the Act’s technical and operational criteria. 

The remaining operational requirements, including detailed notice formats, children’s data safeguards, security standards and grievance-redress protocols, will become enforceable within 18 months.

While the timelines offer structure, industry leaders say they compress years of work into an accelerated transformation cycle.