• October 17, 2025

CFOs Prepare for DPDP Rules Amid Rising Compliance Challenges

As India edges closer to the formal notification of its Digital Personal Data Protection (DPDP) Rules, CFOs across industries are shifting from anticipation to action. The law, enacted in 2023, ushers in a consent-based framework that grants individuals the right to access, correct and erase personal data, while imposing stringent rules on companies handling such information. With penalties reaching ₹250 crore for violations, the stakes are unusually high.

The New Compliance Frontier

Across India Inc., CFOs are leading data impact assessments and drawing up playbooks for compliance. The first draft of the rules, released in January 2025, set in motion a wave of internal audits, vendor reviews and technology overhauls. As a result, a complex landscape is emerging that blends finance, legal and technology oversight into a new compliance discipline.

At large organisations, dedicated governance teams are being put in place, often led jointly by finance and technology functions. The focus is on upgrading infrastructure, realigning policies and embedding accountability. Many companies have begun appointing data protection officers and data security heads to make sure that data risk sits squarely within the enterprise risk matrix.

Mapping Data, Managing Consent

The most immediate challenge is data visibility. Companies are conducting extensive mapping exercises to identify personal data flows across business units and systems. The exercise is revealing not only the sprawl of data assets but also the uneven maturity of consent practices.

To bridge these gaps, enterprises are investing in consent management platforms capable of capturing, storing and revoking permissions dynamically. These systems will support compliance with the DPDP’s core tenets of granular consent, transparency and accountability. Contracts and vendor agreements are being rewritten to align with these standards, extending the compliance perimeter beyond the enterprise.

The Vendor Burden

The DPDP regime holds companies responsible for the actions of their data processors and third-party vendors. This cascading accountability is proving to be one of the toughest hurdles, particularly for sectors dependent on complex supplier networks such as retail, healthcare and e-commerce. CFOs are finding themselves guarantors of data ethics across extended ecosystems.

Retailers and marketplace operators face a dual challenge of maintaining customer trust while redesigning legacy systems to accommodate rights of access, deletion and correction. The compliance burden is compounded for small and medium enterprises, many of which lack the budgets or expertise to meet the rules’ requirements.

Ambiguities and Evolving Definitions

Even as the rules near notification, ambiguities persist. Definitions around ‘Significant Data Fiduciaries’, breach reporting thresholds and enforcement timelines remain fluid. This regulatory uncertainty has slowed the finalisation of compliance frameworks within firms, forcing CFOs to plan for multiple contingencies.

For now, many companies are working through industry forums to shape the evolving framework, hoping that collaboration will reduce future compliance shocks.

From Governance to Strategy

For CFOs, the DPDP era represents more than another compliance obligation. It is a test of how financial stewardship intersects with digital ethics. As the country’s data protection architecture takes its final shape, CFOs stand at the intersection of finance, governance and public trust, quietly recalibrating corporate India’s data future.
