
Top 12 DPDP Act Compliance Pitfalls

1. Treating DPDP as a copy-paste of GDPR (High Risk)

❌ Problem: Many consultants assume DPDP is 'India's GDPR' and apply GDPR frameworks verbatim. While there are similarities, DPDP has unique features (Consent Manager, Data Principal Duties, no data portability right, children defined as under 18) and a different structure (only two lawful bases, a Board instead of a supervisory authority).

✓ Solution: Use GDPR experience as a foundation but conduct a line-by-line analysis of the DPDP Act. This playbook highlights all key differences. Build a DPDP-specific compliance framework.

2. Ignoring the multi-language notice requirement (Medium Risk)

❌ Problem: Section 5(2) requires privacy notices to be available in English and all 22 languages in the Eighth Schedule of the Constitution. Many organisations prepare English-only notices and consider the job done.

✓ Solution: Plan and budget for professional translation of all privacy notices into at least the major scheduled languages. Start with Hindi and the languages most relevant to your user base, then expand to all 22. Do not use machine translation for legal documents.

3. No plan for re-consent of existing data (High Risk)

❌ Problem: The DPDP Act requires that for personal data collected before the Act comes into force, the Data Fiduciary must provide a notice and offer the opportunity to withdraw consent 'as soon as reasonably practicable.' Many organisations are ignoring this retroactive requirement.

✓ Solution: Plan a re-consent campaign: send a DPDP-compliant notice to all existing Data Principals, explain how their data is used, and provide a clear way to withdraw consent. Track responses and delete data for those who withdraw.

4. Children's data treated as an afterthought (High Risk)

❌ Problem: India's under-18 threshold means a much larger population of 'children' compared to GDPR's under-16. Many organisations, especially in edtech, gaming, and social media, have no age verification and process children's data without verifiable parental consent.

✓ Solution: Implement age-gating at the point of data collection. If your service might have users under 18, build a verifiable parental consent workflow. Immediately disable tracking and targeted advertising for child users.
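As an added example (not code from this playbook), a minimal age-gating decision in Python applied at the point of collection: it uses the Act's under-18 threshold, always denies tracking and targeted advertising for child users, and only permits other purposes once verifiable parental consent has been recorded. The purpose names and the DataPrincipal model are assumptions.

```python
from dataclasses import dataclass
from datetime import date

CHILD_AGE_THRESHOLD = 18  # DPDP treats anyone under 18 as a child

# Constructed purpose names (assumed, not from the Act): processing that the
# playbook says must be switched off for child users regardless of consent.
PROHIBITED_FOR_CHILDREN = {"tracking", "behavioural_monitoring", "targeted_advertising"}


@dataclass
class DataPrincipal:
    user_id: str
    date_of_birth: date
    # Set True only once the verifiable parental consent workflow has completed.
    parental_consent_verified: bool = False


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today`; a birthday later in the year does not count yet."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_child(principal: DataPrincipal, today: date) -> bool:
    return age_on(principal.date_of_birth, today) < CHILD_AGE_THRESHOLD


def permitted_purposes(principal: DataPrincipal, requested: set, today: date):
    """Split the requested purposes into (allowed, denied) at the point of collection.

    Adults: everything requested is allowed (their own consent is handled elsewhere).
    Children: prohibited purposes are always denied; the rest need verified
    parental consent. Denied purposes carry the reason for the audit trail.
    """
    if not is_child(principal, today):
        return set(requested), {}
    allowed, denied = set(), {}
    for purpose in sorted(requested):
        if purpose in PROHIBITED_FOR_CHILDREN:
            denied[purpose] = "prohibited for child users"
        elif not principal.parental_consent_verified:
            denied[purpose] = "verifiable parental consent required"
        else:
            allowed.add(purpose)
    return allowed, denied
```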

5. Overlooking informal data sharing channels (High Risk)

❌ Problem: In many Indian businesses, personal data is shared via WhatsApp groups, personal email, shared Google Drives, and Excel spreadsheets emailed between departments. These channels are invisible to formal data mapping exercises.

✓ Solution: Explicitly ask about informal channels during discovery. Implement policies prohibiting personal data sharing through unsanctioned channels. Provide secure alternatives (internal data sharing platforms, encrypted file transfers).

6. Assuming the cloud provider handles compliance (High Risk)

❌ Problem: Some organisations believe that using a cloud provider (AWS, Azure, GCP) that is 'compliant' means they are compliant too. Under DPDP, the Data Fiduciary is responsible for the Data Processor's actions. Cloud compliance certifications help but do not transfer liability.

✓ Solution: Execute proper DPAs with all cloud providers. Understand the shared responsibility model: the provider secures the infrastructure, you secure the data and access controls. Verify that data residency and cross-border transfer requirements are met.

7. Grievance Officer is a phantom role (High Risk)

❌ Problem: Many companies publish a generic 'privacy@company.com' address but no one actually monitors it, or the Grievance Officer is named on paper but never responds. Under DPDP, an unresponsive grievance mechanism is a direct path to DPBI complaints.

✓ Solution: Appoint a real person who actively monitors the grievance channel. Set up ticketing, SLAs, and escalation. Test the process monthly by submitting a test grievance and measuring response time.

8. Data retention means keeping everything forever (Medium Risk)

❌ Problem: Many Indian organisations have a 'keep everything' culture, especially in IT services and banking. Data is never deleted because it 'might be useful later.' Under DPDP, data must be erased when the purpose is fulfilled and no legal retention requirement exists.

✓ Solution: Develop a data retention schedule with specific periods for each data category. Implement automated purge jobs. Get legal sign-off on retention periods to balance compliance obligations. Start with the easiest data categories and expand.
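As an added example (not the playbook's own code), a Python dry-run selector for an automated purge job: each category has a retention period after purpose fulfilment plus any statutory period signed off by legal, and a record is purged only when the purpose is fulfilled, no hold applies, and the longer period has elapsed. The categories, periods and sample inventory are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule (placeholder periods, not legal advice): days to keep a
# record after its purpose is fulfilled, plus any statutory period; the longer one wins.
RETENTION_SCHEDULE = {
    "marketing_preferences": {"business_days": 0, "statutory_days": 0},
    "support_tickets":       {"business_days": 180, "statutory_days": 0},
    "kyc_records":           {"business_days": 0, "statutory_days": 5 * 365},
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: Optional[date]  # None while the purpose is still being served
    legal_hold: bool = False              # explicit hold (e.g. litigation) from legal


def purge_decision(record: Record, today: date):
    """Return (should_purge, reason). Fails closed: anything unclear is kept."""
    rule = RETENTION_SCHEDULE.get(record.category)
    if rule is None:
        return False, "no retention rule for category: escalate to data owner"
    if record.purpose_fulfilled_on is None:
        return False, "purpose not yet fulfilled"
    if record.legal_hold:
        return False, "legal hold in place"
    keep_days = max(rule["business_days"], rule["statutory_days"])
    keep_until = record.purpose_fulfilled_on + timedelta(days=keep_days)
    if today < keep_until:
        return False, f"retain until {keep_until.isoformat()}"
    return True, "purpose fulfilled and no retention requirement remains"


def select_for_purge(records, today: date):
    """IDs to hand to the purge job, in inventory order for the run log."""
    return [r.record_id for r in records if purge_decision(r, today)[0]]


# Constructed sample inventory for a dry run
SAMPLE_RECORDS = [
    Record("m1", "marketing_preferences", date(2025, 5, 31)),
    Record("t1", "support_tickets", date(2024, 11, 1)),
    Record("t2", "support_tickets", date(2025, 1, 1)),
    Record("t3", "support_tickets", date(2024, 11, 1), legal_hold=True),
    Record("k1", "kyc_records", date(2022, 1, 1)),
    Record("x1", "unknown_export", date(2020, 1, 1)),
    Record("a1", "marketing_preferences", None),
]
```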

9. Consent fatigue from over-consenting (Low Risk)

❌ Problem: Some organisations go to the opposite extreme and ask for consent for everything, including processing that qualifies as a 'Certain Legitimate Use' under Section 7. This creates consent fatigue and devalues the consent mechanism.

✓ Solution: Carefully map each processing activity to its correct legal basis. Use Section 7 legitimate uses where applicable (employment, legal obligation, medical emergency). Reserve consent for processing that genuinely requires it. Document the rationale for each choice.

10. No breach detection — only breach reaction (High Risk)

❌ Problem: Many organisations have no proactive breach detection capabilities. They only discover breaches when data appears on the dark web or a customer complains. By then, the notification window may have passed, triggering a Rs 200 Crore penalty.

✓ Solution: Invest in SIEM, intrusion detection, data loss prevention, and anomaly detection tools. Breaches detected and contained quickly result in lower penalties and less damage. The cost of detection tools is a fraction of a single penalty.

11. Privacy policy hidden in website footer in 8pt font (Medium Risk)

❌ Problem: Burying the privacy notice in an obscure corner of the website, using tiny fonts, legal jargon, or requiring multiple clicks to access defeats the purpose of 'informed' consent. The DPBI is likely to treat this as non-compliant.

✓ Solution: Make the privacy notice prominent, accessible, and readable. Use layered notices: a short summary at the point of consent, with a link to the full notice. Use plain language, large fonts, and clear formatting.

12. Waiting for Rules before starting compliance (High Risk)

❌ Problem: Some organisations are using 'we are waiting for the Rules to be notified' as an excuse to delay all compliance work. While Rules will provide specifics, the Act itself contains clear obligations that can and should be addressed now.

✓ Solution: Start with what you know: consent mechanism redesign, data inventory, privacy notices, security safeguards, breach readiness, and grievance redressal. These are clear requirements in the Act itself. Adapt when Rules are published, but do not wait to start.