Data Protection law gets delayed in India causing significant operational challenges for tech giants

The rollout of India’s Digital Personal Data Protection (DPDP) Act 2023, which aims to regulate how personal data is processed, has hit significant delays, causing considerable operational challenges for tech companies.

Initially designed to elevate India’s data privacy standards to match global norms, the DPDP Act’s postponement is fostering uncertainty and hesitation among businesses as they struggle to navigate an unclear regulatory environment.

The DPDP Act was intended to establish a robust legal framework for personal data protection in India, a move eagerly anticipated by businesses both within the country and abroad.

However, the final draft of this legislation is still pending public consultation and full enforcement may be pushed back until 2026. This extended timeline has left many companies in a state of uncertainty, unclear about what specific compliance requirements will look like and how these might affect their operations.

Tech firms, in particular, have responded to this uncertainty with caution. Without a concrete set of rules and guidelines, many are reluctant to fully commit to the infrastructure and processes necessary for compliance. Instead, they are adopting a wait-and-see approach, focusing on preliminary compliance activities while awaiting more definitive regulations.

The delay in rolling out the DPDP Act has brought about several operational hurdles for businesses, especially those in the technology sector. One of the primary challenges is resource allocation for data protection management.

As firms anticipate the eventual enforcement of the law, many have been forced to assign employees dual responsibilities—juggling their regular duties alongside new tasks related to data protection. This situation not only strains resources but also creates inefficiencies within the organization.

Additionally, the financial strain of preparing for compliance in the absence of clear guidelines is considerable. Companies are tasked with managing complex data systems and ensuring these systems meet the anticipated standards of the DPDP Act.

However, given the fluid nature of the final rules, there is a significant risk that current investments may need to be revised or completely redone once the law is fully in force.

This creates an environment of uncertainty, where businesses are investing in compliance efforts without knowing if these efforts will satisfy the final requirements.

Experts like Supratim Chakraborty, a partner at Khaitan & Co, and Lalit Kalra, who leads PwC India’s data protection practice, have highlighted the operational difficulties businesses are encountering.

They point out that the delay in finalizing the law has led companies to take a conservative approach, balancing the need for compliance with the risk of potentially redundant investments in systems and processes.

Chakraborty observes that the delay has resulted in companies assigning employees to dual roles, balancing their regular responsibilities with the additional workload of data protection. Kalra emphasizes the cost implications, particularly for smaller companies that might struggle to allocate the necessary resources without clear guidance.

Despite the current difficulties, there is hope that the final draft of the DPDP Act will soon be released for public consultation.

Once the law is finalized, companies will have a clearer understanding of the compliance roadmap, allowing them to invest with greater confidence in the required infrastructure and processes.

However, until the law is fully implemented—potentially not until 2026—uncertainty will continue to loom over businesses.

Many companies are eager to begin full compliance efforts but are held back by the lack of definitive guidelines. This ongoing uncertainty is not only causing operational disruptions but also forcing companies to shift their focus as they try to balance immediate needs with long-term compliance strategies.

In summary, the delays in implementing India’s DPDP Act 2023 are presenting significant challenges for tech firms. The absence of finalized regulations has led to a cautious approach, with many companies focusing on preliminary compliance efforts while awaiting clearer guidance.

With the final draft still pending public consultation, the full impact of the DPDP Act may not be realized until 2026, leaving businesses in a state of uncertainty and facing increased operational and financial burdens.