I have conducted DPDP readiness assessments at over 40 Indian companies in the past year. Every assessment reveals the same mistakes, repeated across industries, company sizes, and maturity levels.
Here are the ten most common — and most dangerous — compliance failures I encounter. If any of these apply to your organisation, prioritise fixing them now.
1. Treating Privacy Policy as a Legal Formality
Most companies have a privacy policy. Almost none have one that complies with the DPDP Act. The typical policy was copied from a template three years ago, references GDPR instead of DPDP, and does not clearly describe what data is collected or why.
Under DPDP, your privacy notice must be clear, specific, and in plain language. It must be provided before or at the time of data collection. A boilerplate document buried in your website footer is not compliance.
2. No Record of Consent
Companies collect consent (sort of) but have no record of when, how, or what was consented to. When I ask "can you prove that User X consented to marketing emails?" the answer is almost always no.
Without consent records, you cannot defend against a complaint. And complaints about unsolicited marketing are going to be the most common type filed with the Data Protection Board.
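What a usable consent record looks like in practice, as an added example (not the author's code): an append-only ledger where every grant or withdrawal stores who, what purpose, when, how it was captured, which notice version was shown and a pointer to the evidence, and where each entry is hash-chained to the previous one so the record handed to a regulator can be shown to be unaltered. The schema, purpose names, users and events are all assumed or constructed for the demonstration.

```python
"""Append-only, hash-chained consent ledger (illustrative; schema is assumed)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json
from typing import Optional, Union


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # e.g. "marketing_email"; one event per purpose, never a bundle
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # timezone-aware time of the event
    method: str           # how it was captured: "signup_form", "settings_page", ...
    notice_version: str   # version of the privacy notice shown at that moment
    evidence: str         # pointer to proof: form submission id, ticket id, ...


def _payload(ev: ConsentEvent) -> str:
    d = asdict(ev)
    d["at"] = ev.at.astimezone(timezone.utc).isoformat()
    return json.dumps(d, sort_keys=True)


def _as_utc(when: Union[None, str, datetime]) -> datetime:
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("as_of must be timezone-aware")
    return when.astimezone(timezone.utc)


class ConsentLedger:
    """Each entry stores SHA-256(previous hash + event payload). Editing or dropping
    an earlier entry breaks verify_chain(), which is what lets you state that the
    record produced for a complaint has not been altered since it was written."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record(self, ev: ConsentEvent) -> str:
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        digest = hashlib.sha256((prev + _payload(ev)).encode()).hexdigest()
        self._entries.append({"event": ev, "prev": prev, "hash": digest})
        return digest

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self._entries:
            expected = hashlib.sha256((prev + _payload(e["event"])).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    def latest(self, user_id: str, purpose: str, as_of=None) -> Optional[ConsentEvent]:
        """Most recent event for (user, purpose) at or before as_of (default: now)."""
        cutoff = _as_utc(as_of)
        hits = [e["event"] for e in self._entries
                if e["event"].user_id == user_id and e["event"].purpose == purpose
                and e["event"].at <= cutoff]
        return max(hits, key=lambda ev: ev.at) if hits else None

    def has_consent(self, user_id: str, purpose: str, as_of=None) -> bool:
        ev = self.latest(user_id, purpose, as_of)
        return ev is not None and ev.granted

    def proof(self, user_id: str, purpose: str, as_of=None) -> dict:
        """The answer to 'can you prove user X consented to purpose P?'."""
        ev = self.latest(user_id, purpose, as_of)
        base = {"user_id": user_id, "purpose": purpose, "ledger_intact": self.verify_chain()}
        if ev is None:
            return {**base, "status": "never_recorded"}
        return {**base, "status": "granted" if ev.granted else "withdrawn",
                "at": ev.at.isoformat(), "method": ev.method,
                "notice_version": ev.notice_version, "evidence": ev.evidence}


def build_sample_ledger() -> ConsentLedger:
    """Constructed events for one user (illustrative, not real data)."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice", "marketing_email", True, datetime(2024, 1, 10, 9, 30, tzinfo=utc),
                               "signup_form", "notice-v2.1", "form-submission:8841"))
    ledger.record(ConsentEvent("alice", "analytics", True, datetime(2024, 1, 10, 9, 30, tzinfo=utc),
                               "signup_form", "notice-v2.1", "form-submission:8841"))
    ledger.record(ConsentEvent("alice", "marketing_email", False, datetime(2024, 3, 5, 18, 2, tzinfo=utc),
                               "settings_page", "notice-v2.1", "request-id:c0ffee"))
    return ledger
```

The point of `as_of` is that the question a complaint raises is rarely "does the user consent now?" but "did they consent when you sent that email?"; the ledger answers both because withdrawals are recorded as events rather than by overwriting the grant.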
3. Employees Have Access to Everything
The intern who joined last week can see the entire customer database. The marketing team has admin access to the production server. The founder's password is shared across five people.
Role-based access control is not optional under DPDP. If a breach occurs and you cannot show that access was restricted to people who needed it, your penalty exposure multiplies.
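As an added illustration (not the author's code), this is role-based access control expressed as data, with the two checks an assessor asks for: a deny-by-default authorisation function, and an access review that lists who can reach a given data set and through which role, plus a report of credentials shared by more than one person. Roles, resources, principal names and the credential-holder list are all constructed placeholders.

```python
"""RBAC policy as data, with an access-review report (illustrative; names are placeholders)."""
from collections import defaultdict

# Role -> set of (action, resource). "customer_pii" stands in for the customer
# database and "prod_server" for production admin access mentioned in the text.
ROLES = {
    "support_agent": {("read", "customer_pii"), ("update", "customer_pii")},
    "marketing": {("read", "campaign_stats")},
    "data_engineer": {("read", "customer_pii"), ("read", "orders")},
    "sre": {("admin", "prod_server")},
    "intern": set(),                     # no standing access until a need is shown
}

# Principal -> roles. A principal is one human or one service account.
ASSIGNMENTS = {
    "priya.s": {"support_agent"},
    "rahul.m": {"marketing"},
    "new.intern": {"intern"},
    "svc_etl": {"data_engineer"},
    "founder": {"sre", "support_agent", "data_engineer"},
}

# Humans who actually log in with each principal (constructed). More than one
# name per principal is a shared credential: the audit log can no longer say who did what.
CREDENTIAL_HOLDERS = {
    "founder": ["founder", "cto", "ops_lead", "finance_lead", "assistant"],
    "priya.s": ["priya.s"],
}


def authorize(principal, action, resource, roles=ROLES, assignments=ASSIGNMENTS):
    """Deny by default; allow only if some assigned role grants (action, resource)."""
    return any((action, resource) in roles.get(role, set())
               for role in assignments.get(principal, set()))


def access_review(resource, roles=ROLES, assignments=ASSIGNMENTS):
    """Every principal able to act on `resource`, with the granting role and action.
    This is the evidence for 'access was restricted to people who needed it'."""
    review = defaultdict(set)
    for principal, assigned in assignments.items():
        for role in assigned:
            for action, res in roles.get(role, set()):
                if res == resource:
                    review[principal].add((role, action))
    return dict(review)


def shared_credentials(holders=CREDENTIAL_HOLDERS):
    """Principals used by more than one person; each one is a finding to remediate."""
    return {p: users for p, users in holders.items() if len(users) > 1}
```

Run `access_review("customer_pii")` and walk the list with each person's manager; any name without a current business need is removed from the role, not from the spreadsheet.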
4. No Data Map Exists
I ask "what personal data do you collect and where is it stored?" and get blank stares. Or worse, I get a confident answer that turns out to be missing half the actual data collection points.
You cannot protect what you do not know about. A data map is the foundation of every DPDP requirement — consent management, rights requests, breach response, retention policies. Without it, you are operating blind.
5. Third-Party Vendors Are Unmanaged
Your CRM, email marketing tool, analytics platform, helpdesk software, HR system — they all process personal data on your behalf. Under DPDP, you are responsible for how they handle that data.
Most companies have no Data Processing Agreements with their vendors. No security assessments. No idea where the vendor stores data. This is one of the largest and most overlooked areas of non-compliance.
6. No Breach Detection Capability
I ask "how would you know if your database was breached?" The honest answer from most companies: "We would not know for weeks, maybe months."
The DPDP Act requires you to notify the Board and affected individuals of breaches. You cannot notify what you cannot detect. At minimum, you need logging on database access, monitoring for unusual patterns, and someone who actually reviews the logs.
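The minimum the paragraph describes, logging plus someone looking for unusual patterns, can be started with a few rules over the database access log. The following is an added example, not the author's code: it parses constructed log lines (the format, thresholds, table names and every line in `SAMPLE_LOG` are assumed for the demo) and flags bulk reads of a table holding personal data, a user appearing from a source address never seen for them before, and access to that table outside business hours. A real deployment would read the database's own audit log or a proxy log in place of the sample.

```python
"""Rule-based detection over a database access log (illustrative; format and data constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, one line per query, as an audit layer in front of the
# database might emit it. Addresses and names are placeholders.
SAMPLE_LOG = """\
2024-06-03T09:12:41Z user=priya.s src=10.0.4.21 table=customers op=SELECT rows=12
2024-06-03T09:40:02Z user=priya.s src=10.0.4.21 table=customers op=SELECT rows=8
2024-06-03T10:05:17Z user=rahul.m src=10.0.4.33 table=orders op=SELECT rows=40
2024-06-03T11:15:09Z user=priya.s src=10.0.4.21 table=customers op=UPDATE rows=1
2024-06-03T14:22:50Z user=svc_report src=10.0.9.5 table=orders op=SELECT rows=5000
2024-06-04T02:13:05Z user=rahul.m src=203.0.113.77 table=customers op=SELECT rows=48213
2024-06-04T02:14:11Z user=rahul.m src=203.0.113.77 table=customers op=SELECT rows=51090
this line is malformed and must not stop the run
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

SENSITIVE_TABLES = {"customers"}   # tables holding personal data (from the data map)
BULK_ROWS_PER_HOUR = 10_000        # assumed: more than any normal human workflow reads
BULK_ALLOWLIST = {"svc_report"}    # batch jobs expected to read whole tables
BUSINESS_HOURS = range(8, 20)      # 08:00 to 19:59; the sample timestamps are UTC


def parse(log_text):
    """Turn log lines into dicts sorted by time; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["rows"] = int(d["rows"])
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events, bad


def _hour(e):
    return e["ts"].strftime("%Y-%m-%dT%H")


def detect(events):
    findings = []

    # Rule 1: bulk read of a sensitive table by one user within one hour.
    hourly = defaultdict(int)
    for e in events:
        if e["op"] == "SELECT" and e["table"] in SENSITIVE_TABLES:
            hourly[(e["user"], _hour(e))] += e["rows"]
    for (user, hour), rows in hourly.items():
        if rows > BULK_ROWS_PER_HOUR and user not in BULK_ALLOWLIST:
            findings.append({"rule": "bulk_read", "user": user, "when": hour, "rows": rows})

    # Rule 2: a user appears from a source address never seen for them before
    # (the first address ever seen for a user establishes the baseline, so no finding).
    seen = defaultdict(set)
    for e in events:
        known = seen[e["user"]]
        if known and e["src"] not in known:
            findings.append({"rule": "new_source", "user": e["user"], "src": e["src"],
                             "when": e["ts"].isoformat()})
        known.add(e["src"])

    # Rule 3: sensitive table touched outside business hours, one finding per user-hour.
    flagged = set()
    for e in events:
        if e["table"] in SENSITIVE_TABLES and e["ts"].hour not in BUSINESS_HOURS:
            key = (e["user"], _hour(e))
            if key not in flagged:
                flagged.add(key)
                findings.append({"rule": "off_hours", "user": e["user"], "when": key[1]})
    return findings


def run_sample():
    events, bad = parse(SAMPLE_LOG)
    return {"findings": detect(events), "unparsed_lines": bad}


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Three rules are not a detection programme, but each one catches a different signal (volume, origin, time), and together they turn "we would not know for months" into a finding the morning after. The count of unparsed lines is itself worth alerting on: a logging change that silently breaks parsing is the same as no logging.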
7. Retaining Data Forever
"We never delete anything." I hear this proudly, as if hoarding data is a feature. Under DPDP, you must delete personal data when the purpose for which it was collected has been fulfilled.
Customer account data after they close their account? Delete it (with reasonable retention for legal obligations). Job applicant data after you rejected them? You do not need it two years later. Define retention periods and enforce them.
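"Define retention periods and enforce them" becomes concrete once the schedule is data and a job evaluates every record against it. The block below is an added example, not the author's code: the categories, trigger events and the number of days in each rule are placeholders chosen for the demonstration (your own periods come from your legal and business analysis), and the records are constructed. It separates four outcomes: delete now, due but under legal hold, still within its period or purpose still active, and a category the schedule does not cover at all, which is a data-map gap to fix rather than data to keep.

```python
"""Retention schedule as data plus the evaluation that enforces it (illustrative; periods are placeholders)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str      # data category as named in the data map
    trigger: str       # event after which the purpose is fulfilled
    keep_days: int     # days the data may still be kept after the trigger


# Placeholder schedule: the day counts are illustrative, not a recommendation.
RULES = {
    "customer_account": RetentionRule("customer_account", "account_closed", 365),
    "job_application": RetentionRule("job_application", "application_rejected", 180),
    "marketing_lead": RetentionRule("marketing_lead", "last_contact", 365),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_event: Optional[str]   # None = purpose still active (account open, role still open)
    trigger_date: Optional[date]
    legal_hold: bool = False       # litigation or statutory retention overrides deletion


def deletion_due(rec, rules):
    """Date by which the record must be gone, or None while its purpose is still active."""
    rule = rules.get(rec.category)
    if rule is None or rec.trigger_event != rule.trigger or rec.trigger_date is None:
        return None
    return rec.trigger_date + timedelta(days=rule.keep_days)


def evaluate(records, rules, today):
    """Bucket record ids by what the enforcement job should do with them today."""
    out = {"delete": [], "hold": [], "retain": [], "no_rule": []}
    for rec in records:
        if rec.category not in rules:
            out["no_rule"].append(rec.record_id)
            continue
        due = deletion_due(rec, rules)
        if due is None or due > today:
            out["retain"].append(rec.record_id)
        elif rec.legal_hold:
            out["hold"].append(rec.record_id)      # due, but a legal obligation keeps it
        else:
            out["delete"].append(rec.record_id)
    return out


SAMPLE_RECORDS = [  # constructed records; dates are illustrative
    Record("R1", "customer_account", "account_closed", date(2023, 1, 15)),
    Record("R2", "customer_account", "account_closed", date(2024, 3, 1)),
    Record("R3", "customer_account", None, None),
    Record("R4", "job_application", "application_rejected", date(2023, 11, 1), legal_hold=True),
    Record("R5", "job_application", "application_rejected", date(2023, 10, 1)),
    Record("R6", "support_ticket", "ticket_closed", date(2022, 5, 9)),
]


def run_sample(today=date(2024, 6, 1)):
    return evaluate(SAMPLE_RECORDS, RULES, today)


if __name__ == "__main__":
    print(run_sample())
```

The "hold" bucket is how "with reasonable retention for legal obligations" is implemented without becoming "we never delete anything": a hold is an explicit flag on a specific record with a reason, and the job reports it every run until someone clears it.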
8. Ignoring Children's Data Requirements
Companies that clearly have users under 18 — educational platforms, gaming apps, social features — often have no age verification and no parental consent mechanism. Some do not even know this is a requirement.
The penalty for children's data violations is up to ₹200 crore. If your product can be used by minors, you need age gates and verifiable parental consent. No exceptions.
9. Cross-Border Transfers Without Documentation
Almost every Indian company uses at least one service with servers outside India — AWS, Google Workspace, Salesforce, HubSpot. This constitutes cross-border data transfer. Most companies have never documented these transfers, assessed the risks, or checked for contractual safeguards.
While DPDP currently allows transfers to most countries, you still need to document what data goes where and have appropriate contractual protections in place.
10. Compliance is "Legal's Problem"
This is the meta-mistake that enables all the others. Data protection is treated as a legal or compliance checkbox rather than an organisational responsibility.
The reality is that consent mechanisms involve product teams. Security safeguards involve engineering. Data mapping involves every department. Breach response involves IT, legal, communications, and management. When compliance is siloed in legal, the operational gaps never get fixed.
The Good News
None of these are hard to fix. Most can be addressed within 30-90 days with focused effort. The first step is knowing where your gaps are — which is exactly what a compliance assessment gives you.
The companies that face the worst regulatory outcomes are not the ones with imperfect compliance. They are the ones that never tried.