India Is Building One of the World's Largest Digital Economies. Most Businesses Have No Idea How to Protect the Data Powering It.
Over 96 crore Indians are online. UPI transactions crossed INR 314 lakh crore in FY26. The digital economy is on track to contribute 20% of India's GDP by 2029. By every measure, India's digital transformation is one of the most remarkable stories in the world.
But underneath this growth sits a problem that most businesses have chosen to ignore — or simply do not understand.
Every transaction, every app login, every form filled, every purchase made online generates personal data. That data belongs to the individual. The DPDP Act, 2023 — and the Rules that came into force on November 13, 2025 — now make that ownership legally enforceable. And the majority of Indian businesses are not ready for what that means.
A PwC India survey of over 3,000 consumers and nearly 200 organisations across India produced findings that should alarm every business leader in this country.
- Only 16% of Indian consumers are aware that the DPDP Act exists.
- 56% do not know what rights the law gives them over their personal data.
- 69% are unaware they can withdraw consent at any point — consent they may have given years ago without fully understanding what they were agreeing to.
- 72% do not know that collecting a child's data requires explicit parental consent.
Now look at the business side. Only 9% of Indian organisations report a comprehensive understanding of the Act. Nearly half had not even begun implementation at the time of the survey. An EY India report from January 2026 found that close to 71% of professionals surveyed — including senior leaders — had limited familiarity with both the Act and the Rules.
This is not a compliance gap. It is a knowledge crisis. And it exists at every level — among the people whose data is being collected and among the businesses collecting it.
Some business leaders are watching the May 2027 enforcement deadline and quietly deciding to wait. That calculation is more dangerous than it appears.
The Act authorises penalties of up to INR 250 crore per violation — not per company per year, but per incident. A single poorly managed breach, one inadequately obtained consent, one rights request left unanswered — each carries its own exposure.
The financial cost of getting this wrong is already visible. IBM's 2025 Cost of a Data Breach Report recorded the average cost of a data breach in India at INR 220 million — an all-time high, and a 13% jump from the previous year. That figure covers detection, containment, legal response, and remediation. It does not include regulatory penalties. It does not include reputational damage.
And that reputational damage is real. The PwC survey found that 42% of Indian consumers are unsure whether they would continue using a company's services after a data breach. In Tier-1 cities, that number rises to 46%. In a market where customer acquisition costs are high and loyalty is hard-won, a single breach event can permanently reshape a business.
The ETCISO Intelligence Cybersecurity Leadership Report 2025 found that only 20 to 25% of Indian organisations consider themselves fully compliant with the DPDP framework. 60% of CISOs and compliance leaders believe full implementation is still 12 to 18 months away — for organisations that have already started.
For those who haven't, the gap is wider still.
Here is where the most dangerous misconception lives — and it is costing businesses both money and security.
The DPDP Act is not a cybersecurity law.
It is a rights law. A consent law. An accountability law.
It governs the relationship between a business — called a Data Fiduciary — and the individual whose data it holds — called a Data Principal. It requires that every act of data collection be backed by a clear, specific, and freely given consent. It gives every Indian citizen the right to know what data is held about them, the right to correct it, the right to demand its deletion, and the right to nominate someone to exercise those rights on their behalf.
It requires breach notification — to the Data Protection Board and to affected individuals — within strict timelines. It requires documented records of every data processing activity. It requires that vendors and third parties who handle your data are contractually bound to the same standards you are held to.
This is not about having a strong password policy. It is not about encrypting your servers. Those things matter — but they are the floor, not the ceiling. An organisation with impenetrable cybersecurity and no consent records, no erasure workflow, and no mechanism for handling a user's rights request is completely non-compliant with the DPDP Act.
Security keeps data safe from attackers. DPDP makes you accountable to the people the data belongs to.
These are fundamentally different obligations — and conflating them is one of the most expensive mistakes an organisation can make right now.
Not every sector is starting from the same place.
Banking, financial services, insurance, and pharmaceuticals carry decades of regulatory discipline. They understand what structured compliance looks like and have the governance machinery to adapt. Consumer retail and e-commerce have also shown early movement — approximately 50% of respondents in those sectors told EY they have already initiated their DPDP journey.
But the picture changes sharply when you look elsewhere.
Healthcare organisations, often managing the most sensitive personal data imaginable, continue to struggle with fragmented systems and legacy infrastructure. Manufacturing firms, educational institutions, logistics companies, and mid-market technology providers — many of which have never had a formal data governance function — carry significant exposure without the institutional muscle to address it quickly.
And then there are India's small and medium enterprises — the backbone of the economy, collectively handling millions of customer records through basic CRMs, WhatsApp groups, spreadsheets, and email threads. Unlike the GDPR in Europe, which carves out certain exemptions for smaller organisations, the DPDP Act applies to every organisation that processes the digital personal data of Indian citizens. Regardless of size. Regardless of sector. Regardless of how informally that data is being managed.
An SME with 500 customers in a contact list carries the same legal obligation as a fintech with 50 million users. The law does not grade on a curve.
The software market has responded to DPDP with speed and considerable noise. Compliance platforms, consent management tools, data discovery software, breach notification systems — they are proliferating rapidly, and many are genuinely useful.
But a dangerous shorthand has taken hold: that buying a DPDP compliance tool is the same as achieving DPDP compliance.
It is not even close.
DPDP compliance has three inseparable dimensions — legal, organisational, and technical. Technology serves the technical dimension. The other two require human expertise, institutional commitment, and genuine cultural change.
The legal dimension demands qualified counsel — to interpret ambiguous provisions, to draft privacy notices that actually meet the law's requirements, to review vendor contracts, to advise on data categories the government has yet to formally define. The organisational dimension demands trained employees, cross-functional ownership of compliance, privacy embedded into product development from the start, and governance structures built to last beyond any single regulatory deadline.
EY's survey found that 77% of organisations identified the inability to implement privacy technology in legacy environments as their biggest barrier — and 76% cited a lack of access to subject-matter expertise. The tools exist. The knowledge and the organisational infrastructure to use them effectively largely do not.
As PwC India put it directly: technology alone will not solve this. It is the combination of technology, people, and process that determines whether an organisation genuinely meets the DPDP Act's requirements — and whether it can prove that it does when a regulator asks.
There is a version of this story that is not about risk and penalties. It is about competitive advantage — and most Indian businesses have not seen it yet.
44% of Indian consumers told PwC they are willing to pay more for products and services from companies that genuinely protect their data. That is not a marginal preference. That is a significant and measurable market signal.
In the global arena, the signal is even clearer. India hosts 55% of the world's Global Capability Centres. Its technology sector is projected to reach USD 300 billion in revenue in FY26. In cross-border commerce — particularly in financial services, healthcare, and technology — a credible, auditable data protection posture is increasingly a condition of partnership, not merely a differentiator. Global clients perform data due diligence as standard practice. M&A investors factor data governance into valuations. Foreign regulatory frameworks — GDPR, CCPA, and others — require their counterparts to meet equivalent standards.
Organisations that build genuine DPDP compliance into their foundations are not just avoiding penalties. They are building something that opens doors — to enterprise clients, to global partnerships, to investors who understand that in a data-driven economy, how you treat people's information is a direct reflection of how you run your business.
Full enforcement begins May 13, 2027. That date feels distant until you understand what the journey to compliance actually involves.
EY estimates a 12 to 18 month readiness gap for most mid-to-large organisations that have already begun. For organisations that have not started — and the data suggests the majority have not — the realistic timeline to meaningful compliance is now, not next year.
Compliance does not begin with a software purchase. It begins with a data inventory — a systematic effort to understand what personal data your organisation holds, where it lives, why it was collected, who can access it, how long it is retained, and who it is shared with. Without that foundational visibility, no compliance program can function and no tool can deliver its value.
From there, the work involves legal gap analysis, consent infrastructure, internal policy development, employee training, vendor due diligence, and the technical implementation of rights management and breach notification workflows. It requires ownership — not from the legal team alone, not from IT alone, but across the organisation, led from the top.
India's digital economy is one of the greatest growth stories of our time. The DPDP Act is the legal framework that makes that growth sustainable — that ensures the data powering it is handled with accountability, transparency, and respect for the individuals it belongs to.
The businesses that will define India's next phase of digital growth are not the ones who treated DPDP as a deadline to manage. They are the ones who recognised it for what it is: a framework for building the kind of trust that no marketing campaign can manufacture.
Privacy is not a cost of doing business in digital India. It is a condition of doing it well.