Introduction

The enactment of the Digital Personal Data Protection Act, 2023[i] (“DPDP Act” or the “Act”) has substantially changed how personal data regulation is handled in India. For businesses, particularly startups, micro, small, and medium enterprises (“MSMEs”), and fast-growing companies, this change has posed recurring challenges. The DPDP Act affects the handling of employee data, the engagement of vendors with the business, the collection of customer information, and, especially, the management of data security systems. As a result, compliance cannot remain static or an occasional affair; it becomes a continuous process requiring routine monitoring.

This article reviews the changing scenario for data protection in India under the new DPDP Act, and the technical, organisational, financial, and legal challenges businesses face in adapting to DPDP compliance. It then critically examines how the Fractional General Counsel (“Fractional GC”) approach is a useful method for meeting this challenge and how a continuous legal monitoring approach ultimately helps organisations adhere to DPDP requirements.

Key Challenges faced by companies while complying with the DPDP Act and Rules

A. Technological Challenges:

One of the key reasons for the challenges in implementing the DPDP Act lies in its technology-driven framework, as the Act and the new DPDP Rules require companies/organisations to establish robust data protection systems to secure individual data. Organisations lacking highly efficient cyber protection systems or technical experts will have to incur significant costs, either by purchasing new technology or by training their staff.[ii]

B. Organisational and Governance Challenges:

The DPDP Act emphasises accountability and governance within an organisation. Organisations’ existing policies will have to be reviewed and amended in accordance with this legislation. Awareness of data protection obligations among all staff members is important, as an ordinary mistake by a junior staff member can have dire consequences for an organisation. To achieve this, companies are likely to establish positions, mechanisms, and training activities, which could pose a challenge for those that do not carry out their activities in a well-organised manner.[iii]

C. Financial Challenges:

Implementation of the DPDP Act requires substantial investment. Enterprises have to pay for data storage and cross-border transfer compliance mechanisms, consent management software, cyber security measures, legal consultancy, and staff training. All these expenses can be difficult to handle, especially for MSMEs and startups with limited budgets.[iv]

D. Foreign Applicability:

The DPDP Act would also apply to entities outside India when they process the personal data in relation to offering goods or services to a resident in India. Therefore, such foreign firms would be expected to comply with India’s data protection law even in the absence of an Indian presence. The above rule would make it more difficult for such firms to comply with laws in different countries.[v]

E. Ambiguity and Vague Legal Standards:

In addition to technology and operational challenges, a major concern is the lack of clarity in the framing of several obligations imposed under the DPDP Act (for instance, the meaning of the term “reasonable security safeguards” or the time within which a breach of security should be reported).[vi]

How minor compliance oversights can lead to Large DPDP Penalties

An illustration of regulatory scrutiny is the ₹213 crore penalty imposed by the Competition Commission of India on Meta Platforms, Inc., in relation to WhatsApp’s 2021 privacy policy update. Notably, the penalty did not arise from a data breach. Rather, it stemmed from concerns about a lack of meaningful user choice and insufficient transparency regarding how user data was proposed to be shared. The case underscores how regulatory action may follow even in the absence of a conventional breach, where user autonomy and transparency standards are found wanting.[vii] While arising under competition law, the case reflects increasing regulatory scrutiny over data practices.

The Act further heightens this exposure. The statutory framework provides for direct monetary penalties for a wide range of non-compliances, including routine or seemingly minor lapses. Failure to implement reasonable security safeguards to prevent personal data breaches may attract penalties of up to ₹250 crore. Failure to notify the appropriate authority and affected data principals upon the occurrence of a personal data breach may result in fines of up to ₹200 crore. Contraventions involving the processing of children’s personal data may similarly attract penalties up to ₹200 crore. Non-compliance with obligations imposed on Data Fiduciaries may result in fines of up to ₹150 crore.[viii]

One common error begins with poorly written or outdated privacy policies. If a privacy notice fails to clearly identify what information is being collected, for what purpose, and with whom it will be shared, then a consumer’s consent is deemed legally invalid. Lack of consent renders all subsequent data processing illegal, and fines of up to ₹200 crore may be levied.[ix] Another common mistake is poor consent management systems. While several businesses collect consent, they lack systems to manage it across platforms or to take immediate action when it is revoked. Even the accidental continuation of data processing after withdrawal is likely to invite penalties of up to ₹50 crore for infringement of the rights of data principals.[x]

The biggest fiscal risk is posed by data security failures. Under the DPDP Act, a business can be fined up to ₹250 crore simply for failing to implement “reasonable security safeguards”, even if no breach has yet occurred. Outdated security systems, poor access controls, or the absence of an incident-response plan are sufficient to trigger this penalty. Business entities also incur fines for failing to comply with grievance redressal requirements: if it is not easy for individuals to lodge complaints or to exercise their rights, such as access, correction, or erasure, the regulator may impose penalties of up to ₹50 crore.[xi]

In the case of businesses involved with minors, the risk is much higher. Failure to obtain verifiable parental consent or to apply additional safeguards for children’s data may attract penalties of up to ₹200 crore, even in the absence of actual harm.[xii]

Besides financial penalties and reputational damage, such cases of major data breaches and mishandling of personal data often result in lost consumer confidence in the organisation concerned, reduced user retention, and obstacles to forming new commercial partnerships.

Role of fractional GC in Long-Term DPDP Compliance

A Fractional GC is a senior legal professional who provides services to an organisation on a part-time, retainer, or flexible basis. Unlike external counsel, the Fractional GC is closely involved in the business on an ongoing basis. At the same time, unlike a full-time in-house lawyer, the engagement remains cost-efficient and scalable. This structure lets businesses access experienced legal leadership without committing to permanent overheads.[xiii]

This model is particularly suited for the management of compliance under the Act. DPDP compliance is not limited to drafting privacy policies or responding to isolated incidents. It demands constant vigilance, as data practices change with business scale, technological advancements, and new partnerships. A Fractional GC supports long-term compliance by embedding legal oversight right into everyday business decision-making.

One of the major advantages of having a Fractional GC is the ability to be involved much earlier in business processes. Instead of examining decisions after they have happened, a Fractional GC is called upon at the outset of plans for new products, services, and internal systems.[xiv] Such a course ensures that all considerations regarding DPDP, such as lawful purpose, consent requirements, data minimisation, and security safeguards, are addressed at the outset of operations. This, in due course, would reduce the need for corrective measures and lower the risk of regulatory non-compliance.

Another key part of the Fractional GC’s responsibilities involves the continued alignment of legal requirements with actual data practices. As businesses scale, they often expand their data sources, software tools, and vendors. Without continuous legal review, this expansion can lead to the gradual development of compliance gaps. A Fractional GC periodically reviews the flow of data, arrangements with vendors, and internal processes to ensure that DPDP obligations are continuously met as business operations evolve.[xv]

The Fractional GC model also helps institutionalise compliance within the organisation. Instead of having the legal team as the only group involved, the Fractional GC works with management to build internal accountability, standard operating procedures, and training programs. In due course, this enables employees across departments to understand their roles in data protection, reducing accidental violations due to ignorance. Importantly, the Fractional GC approach is one of risk prevention, not risk reaction.[xvi] Through consistent engagement, the Fractional GC assists organisations in detecting compliance risks in their infancy, such as outdated notices, consent mechanisms that do not work, or poor vendor controls, and takes the necessary steps to prevent such issues from drawing the interest of regulators. This plays into the long game of risk management, which, under the DPDP Act, can be quite costly if things go wrong.

Conclusion

The DPDP Act has shifted data protection from a peripheral legal issue to a key aspect of good governance. Often, DPDP compliance fails not because of any ambiguity in the law, but because there is a complete misalignment between legal oversight and business activity. In the long run, the role of the Fractional GC is one of strategic compliance partnership rather than transactional support. For businesses operating within DPDP regimes, this approach offers an attractive middle ground that combines specialised legal knowledge, business understanding, and affordability. It is through this approach that an organisation can maintain an optimal state of compliance and resilience within an increasingly regulated environment.

References:

[i] ‘Challenges under the Digital Personal Data Protection Act’ (International Journal of Research and Analytical Reviews) accessed 16 December 2025
[ii] ‘Challenges under the Digital Personal Data Protection Act’ (International Journal of Research and Analytical Reviews) accessed 16 December 2025
[iii] Ibid 1
[iv] Jisasoftech, ‘DPDP Act 2025: Key Compliance Challenges and How They Can Be Addressed’ (Jisasoftech) accessed 16 December 2025
[v] K&S Legal, ‘Territorial Scope of the Digital Personal Data Protection Act, 2023: Applicability to Foreign Entities’ (Kochhar & Co, 2023) accessed 3 January 2026
[vi] Ernst & Young LLP, ‘Unlocking opportunities and navigating challenges: The impact of the Digital Personal Data Protection Act on M&A’ (EY-Parthenon, March 2024) accessed 3 January 2026
[vii] Wolters Kluwer, ‘Analysing CCI’s Order on WhatsApp’s 2021 Privacy Policy: A New Era for Data Protection and Competition Law Enforcement in India’ (Wolters Kluwer Competition Law Blog) accessed 19 December 2025
[viii] CMS IndusLaw, ‘FAQs on the Digital Personal Data Protection Act and Rules’ (CMS IndusLaw, India, 2 Dec 2025) accessed 22 February 2026
[ix] DPO India, ‘The DPDPA Penalty Trap’ (DPO India) accessed 19 December 2025
[x] IDfy, ‘Penalties under DPDP: Fines, Breach Scenarios and How to Reduce Risk’ (IDfy) accessed 19 December 2025
[xi] Seqrite, ‘Data Breach Penalties under the DPDPA: What Businesses Need to Know’ (Seqrite) accessed 20 December 2025
[xii] iValue Group, ‘DPDP Non-Compliance Costs in India’ (iValue Group) accessed 20 December 2025
[xiii] Lexology, ‘Fractional General Counsel: A New Legal Leadership Model’ (Lexology) accessed 20 December 2025
[xiv] BizTech Lawyers, ‘What Is a Fractional GC and Why Are More Startups Hiring One’ (BizTech Lawyers) accessed 20 December 2025
[xv] Nextera Legal, ‘What Is a Fractional General Counsel?’ (Nextera Legal) accessed 20 December
[xvi] Peerpoint, ‘The Rise of the Fractional General Counsel’ (Peerpoint) accessed 20 December

Gaurav Gupta is the Founder and Managing Partner at Bridge Counsels & Rajnanda Singh is a 3rd year Student at Symbiosis Law School Noida.