As the government weighs feedback on compressing timelines under the Digital Personal Data Protection Act, privacy experts warn that many organisations are mistaking paperwork for preparedness. Across startups and mid-sized firms especially, the focus remains on consent banners and updated legal language, while the heavy operational lifting required by the law is still pending.
Redacto says a common misconception is that existing privacy policies are sufficient. The rules require clear, stand-alone notices with itemised descriptions of the data collected and its purpose. “Most assume they comply already. They don’t,” said CEO Amit Kumar.
The bigger blind spot is visibility. FRS Labs notes that organisations often rely on interviews and gap assessments, even though legacy systems, mergers, and shadow IT mean few truly know where personal data resides.
Meanwhile, IDfy cautions against reading the 12–18 month runway as a grace period. According to COO Malcolm Gomes, this is the build phase—time to map flows, assign accountability, implement controls, and prepare response mechanisms. Once enforcement begins, regulators will expect maturity, not intent.
Consultants echo the concern. Rahul Garg of Asire Consulting says awareness is uneven, and parallel reforms are distracting leadership teams from what is a cross-functional, multi-year transformation.
The consensus is clear: DPDP compliance is operational, not cosmetic. Companies that delay groundwork risk discovering that the race has already started without them.



