Between September 2025 and January 2026, AMLEGALS conducted a structured readiness assessment across 50 organisations in 12 Indian industries. We spoke with General Counsels, Data Protection Officers, CISOs and compliance heads. We then cross-referenced our findings with published research from EY, PwC India, Protiviti-CII, and ComplyZero to build the most comprehensive picture of India's DPDPA preparedness to date.
The findings confirm what the national data tells us — and in several areas, the ground reality is worse.
The national baseline: what published research reveals
Before presenting our survey findings, some context is needed. Consider what India's leading advisory firms have already documented:
- EY India Privacy Survey: 70% of Indian organisations are not familiar with the DPDPA's requirements. 81% have not updated their privacy policies. 83% have not begun implementation. 77% say they are not equipped with the right privacy-enabling technology. Only 48% have even initiated a gap assessment.
- PwC India Survey: Only 16% of Indian consumers understand the DPDP Act. Among organisations, a mere 9% have a comprehensive understanding of the law's obligations.
- Protiviti-CII Data Privacy Survey 2024: 52% of Indian organisations have experienced a data breach in the past five years. Over 60% engage in practices that raise privacy concerns. Only 39% have a dedicated Data Privacy Office.
- ComplyZero Research: 95.9% of Indian websites collect user data without proper cookie consent mechanisms — a direct violation of the consent architecture required under Section 5 and Section 6 of the DPDPA.
These are not projections. These are documented findings from reputable institutions. Our 50-company survey validates them at ground level.
What our 50-company survey found
Across the 50 organisations we assessed, 92% have no documented, defensible consent architecture compliant with Section 5 and Section 6 of the DPDPA and Rule 3 of the DPDP Rules, 2025. This aligns precisely with ComplyZero's 95.9% finding on cookie consent non-compliance — the problem extends well beyond websites into core business processes.
78% of organisations had no formal Data Protection Officer appointed, despite the DPDP Rules, 2025 making this a structural requirement for Significant Data Fiduciaries. Protiviti-CII's finding that only 39% have a dedicated Data Privacy Office confirms this is a systemic deficit, not an outlier.
84% had no documented breach notification protocol. Under Section 12 of the DPDPA, a Data Fiduciary must notify both the Data Protection Board and the affected Data Principal. In our survey, the majority could not describe what a "personal data breach" means under the Act, let alone respond to one within the timeframes the Board will expect.
Findings by sector
BFSI (Banking, Financial Services & Insurance): Scored highest in awareness but lowest in implementation velocity. Regulatory fatigue from RBI, SEBI and IRDAI compliance cycles has made DPDPA feel like "one more requirement." EY's finding that 77% lack the right privacy technology is acutely visible here — banks have cybersecurity infrastructure but not privacy-specific tooling for consent management, data subject access requests, or purpose limitation tracking. The irony: BFSI holds the most sensitive personal data and faces the highest penalty exposure — up to ₹250 Crores.
IT Services & SaaS: Scored highest in technical readiness but lowest in legal documentation. They have encryption. They have access controls. They do not have the Data Processing Agreements, consent registers, or breach notification protocols that the Data Protection Board will actually examine. PwC's finding that only 9% of organisations have comprehensive understanding explains why: the technical teams are capable, but without legal architecture, capability is not compliance.
Healthcare & Life Sciences: Scored lowest across every dimension. DISHA (Digital Information Security in Healthcare Act) readiness is non-existent. Medical data — among the most sensitive categories under DPDPA — is being processed with general employment consent forms that would not survive five minutes of Board scrutiny. EY's 83% non-implementation figure is conservative for this sector; in our sample, the number was closer to 96%.
E-Commerce & EdTech: Scored reasonably on cookie consent mechanisms but poorly on children's data obligations under Section 9. Most EdTech platforms serve users under 18. Most have no verifiable parental consent mechanism. The DPDP Rules, 2025 require verifiable consent from a parent or lawful guardian before processing children's data — a requirement that fundamentally challenges the onboarding flows these companies rely on.
Manufacturing & Logistics: The least-discussed sector in DPDPA conversations, yet one with significant exposure. Employee data processing, vendor data sharing, and IoT sensor data from smart factories all fall within the DPDPA's scope. In our survey, 100% of manufacturing companies lacked a data inventory — they could not tell us what personal data they hold, where it resides, or who processes it.
Pharma & Clinical Research: Clinical trial data, patient records, and pharmacovigilance data all constitute sensitive personal data. Cross-border data transfer obligations under Section 16 of the DPDPA are particularly relevant here, as global CROs process Indian patient data across jurisdictions. Only 1 of the 4 pharma companies in our survey had reviewed its cross-border data transfer arrangements against the DPDPA framework.
The maturity distribution
Using a five-stage compliance maturity model adapted from OneTrust and McKinsey capability frameworks, here is how our 50 organisations were distributed:
- Stage 1 — Unaware: 36% of organisations surveyed (18 out of 50) — no awareness of DPDPA obligations, no internal discussion initiated
- Stage 2 — Reactive: 28% (14 out of 50) — aware of the law's existence but no structured response; compliance is ad hoc
- Stage 3 — Managed: 20% (10 out of 50) — gap assessment completed, some policies drafted, but no operational implementation
- Stage 4 — Optimised: 12% (6 out of 50) — consent architecture in place, DPO appointed, breach protocol documented, ongoing monitoring
- Stage 5 — Strategic: 4% (2 out of 50) — DPDPA compliance embedded as a competitive differentiator; privacy-by-design integrated into product development
Only 2 out of 50 organisations — 4% — have reached the stage where DPDPA compliance is a strategic asset. The remaining 96% are distributed between "we have not started" and "we have a checklist but no architecture." This mirrors EY's national finding that 83% have not begun implementation.
The implementation timeline is not theoretical
The DPDP Rules, 2025 prescribe a phased implementation timeline that organisations must understand:
- November 2025: Obligations for Significant Data Fiduciaries take effect — including DPO appointment, Data Protection Impact Assessment, and periodic audits
- November 2026: General Data Fiduciary obligations come into force — consent mechanisms, data subject rights infrastructure, and breach notification protocols
- May 2027: Full enforcement, including the Data Protection Board's adjudicatory powers and penalty framework — with penalties of up to ₹250 Crores
For the 64% of organisations in our survey at Stage 1 or Stage 2, the window to build a compliant architecture before enforcement is closing rapidly.
Do this now
Take the AMLEGALS readiness assessment. Five questions. Ninety seconds. Know your maturity stage before the regulator does. Then ask: where do we want to be in 90 days?
The data is clear. The timeline is fixed. The question is not whether your organisation will comply — it is whether you will comply before the Data Protection Board asks you to explain why you have not.
