Summary
As the DPDP Rules progress toward enforcement, readiness varies sharply by industry. The organisations most exposed are consumer-data-heavy sectors that lifted a GDPR programme or wrote policies before mapping their data.
Readiness by industry
- Healthcare & e-commerce: largest consumer-PII exposure, often the least-mature privacy programmes — highest risk.
- Fintech: DPDP stacks on PCI + RBI; consent and cross-border are the gaps.
- SaaS & IT/ITES: enterprise-driven security maturity, but DPDP consent/rights are newer gaps.
- BFSI: strong governance muscle; SDF classification and DPO reporting are the action items.
The common failure
The single most common gap across industries is starting with policies before data mapping. Without a personal-data inventory you cannot scope consent, rights, retention or breach response — so the policy sits on top of an unknown estate.
Priorities
- Map your personal-data inventory and flows first.
- Determine SDF status and appoint a DPO with a board reporting line.
- Make consent, rights and breach procedures demonstrably operate.
- Integrate DPDP with existing governance rather than running a parallel programme.
