When I look back at the last three decades of regulatory transitions in India, from excise to GST implementation and from IT Act amendments to sectoral cybersecurity standards, one lesson has remained unchanged:

Those who wait for the deadline always lose the advantage. Not legally, but operationally.

The DPDPA is no different.

On paper, the law offers an 18-month runway. In reality, organisations that treat this period as a cushion will find themselves negotiating bottlenecks, vendor delays, misaligned teams, and a fog of last-minute ambiguity.

Those who approach it as a 12-month discipline will be prepared, steady, and confident long before the noise begins.

Below is the framework we have seen work repeatedly, not because it is theoretical, but because it reflects how organisations actually function under pressure.

1. Foundation Phase (Months 0–4)

This stage is less about drafting policies and more about discovering the truth: where data actually lives, who touches it, and where accountability begins and ends.

The work here is to build governance structures, map data flows, conduct deep audits and create the privacy backbone. If this phase is weak, every later phase collapses. If it is strong, compliance becomes routine.

2. Implementation Phase (Months 4–8)

This is where the law enters the bloodstream of the organisation.

Consent mechanisms must work in real environments, not in presentations. Security controls must respond within seconds, not in memos. Rights of access, correction, erasure and grievance must operate without friction, across teams that do not speak the same technical language.

This is the phase where compliance becomes muscle memory.

3. Optimisation Phase (Months 8–12)

Here, the organisation sees itself in the mirror.

Impact assessments uncover risks nobody anticipated. Vendor management exposes dependencies that have gone unquestioned for years. Mock audits reveal gaps that only surface under scrutiny.

By Month 12, the organisation is not merely compliant; it is audit-ready, evidence-ready and structurally accountable.

My Experience

In one of our early DPDP readiness projects, the most significant challenge was not legal interpretation; it was organisational alignment. Progress stalled until we created a unified governance roadmap and assigned role-based ownership to each milestone, accompanied by global benchmarks of committee et al.

Once that shift occurred, clarity replaced friction. Foundational compliance was achieved within six months. Audit-readiness followed before the twelfth month.

We weren’t facing a legal problem. We were facing a coordination problem, the kind that quietly derails compliance months before anyone realises it.

We resolved it by creating a single governance narrative, assigning responsibility at the right levels, and synchronising timelines.

What followed was remarkable:

Foundational compliance in 6 months.

Audit-readiness before the 12th month.

Lesson for others: Compliance is rarely delayed by law. It is delayed by coordination.

Why 12 Months Is Not Ambition?

The 18-month timeline is a legal allowance. But the 12-month timeline is an organisational necessity.

A compressed, disciplined 12-month approach forces organisations to:

  • eliminate ambiguity early,
  • mature internal coordination,
  • stabilise privacy operations,
  • and gain breathing space for real optimisation.

By Month 12, organisations reach not just compliance, but audit-grade readiness.

When the regulatory lens sharpens, and it will, the organisations that moved early will speak with clarity, not anxiety.

What’s the biggest hurdle your organisation is facing in meeting DPDP timelines?

Your reflections may help others navigating the same realities.

This newsletter is an academic initiative brought to you by the Data Privacy Pro team of AMLEGALS. Subscribe – Stay updated, Stay compliant.
