Six months into the operative phase of the Digital Personal Data Protection Rules, a clear pattern has emerged across the enterprises and Global Capability Centres we work with. The organisations now under regulator scrutiny are not the ones that failed to take DPDP seriously; they are the ones that took it seriously but treated it as a documentation exercise rather than an operating-model question. The distinction matters, because it is exactly the line on which early enforcement is being drawn.
The first error we see repeatedly is the conflation of a privacy notice with a consent architecture. A notice tells a user what is being collected. A consent architecture is the technical, contractual and operational machinery that ensures the collection actually matches what was disclosed, that withdrawal is honoured downstream, and that every processor in the chain is bound to the same terms. Most enterprises have published the notice. Far fewer have built the architecture. When the Data Protection Board asks for evidence that a consent withdrawal in March propagated to a third-party analytics processor in April, the notice is not the answer.
The second error is the under-investment in the Data Protection Officer function. DPDP frames the DPO as a designated individual, and enterprises have responded by designating one, usually a senior compliance or legal hire, without giving the role independent authority, a budget, or a reporting line that survives the next reorganisation. The DPO is not a title. It is an operating capability with statutory standing, and a regulator that finds the function under-resourced will draw the same inference an auditor would.
The third error is the treatment of cross-border data transfers as a legal opinion problem. The Rules permit transfers subject to the framework the Central Government notifies from time to time, but the operating reality is that group entities are moving data on the assumption that yesterday's transfer mechanism will be valid tomorrow. It will not necessarily be. Enterprises whose India operations depend on data flows to parent jurisdictions need a transfer architecture that can be re-papered on short notice, not a single opinion letter filed in a binder.
Where is regulator attention likely to land next? Three places. First, breach disclosure: the timelines are short, the threshold for notification is low, and the early enforcement signal is that the Board will treat late or selective disclosure as an aggravating factor. Second, children's data, where the consent architecture and age-verification obligations carry meaningful operational cost and most enterprises have under-built. Third, the Significant Data Fiduciary designation, which will introduce a further tier of obligation (independent audits, periodic impact assessments, an India-resident DPO) for which the affected entities are largely unprepared.
The operating principle we are now applying with clients is straightforward: DPDP compliance is not a project with an end date. It is a programme with a steady-state cost. The enterprises that internalise this in 2026 will spend less, defend better and be cited less often in the regulator's annual report than those that continue to treat each new clarification as a one-off remediation. The cheapest DPDP programme is the one that was built once, well, and updated continuously, not the one that was built three times in three years because each previous build was scoped as a one-time fix.
If your organisation has not yet conducted an honest internal review of the gap between published policy and operating reality, that is the work to do this quarter. The regulator is not yet citing the gap. It will.
Privileged commentary · Not legal advice · © Zuber & Partners