Why Is DPDPA Implementation in India progressing so slowly?

India’s Digital Personal Data Protection Act is often described as a watershed moment for privacy. On paper, it introduces long-overdue clarity on consent, purpose limitation, data fiduciary obligations, and individual rights. Yet, despite the law being notified, actual DPDPA implementation across large enterprises such as banks, insurers and large e-commerce companies remains slow. This is most visible in highly regulated sectors such as Banking and Insurance.

This leads to a common and reasonable question. If DPDP is now law, why are organisations still ‘preparing’? And has any large Bank or Insurance company publicly stated that it is fully DPDPA compliant?

The answer is that there is intent, and even ongoing work, on DPDPA implementation, but the realities are biting hard: one question leads to ten others that must be answered before an organisation can be fully compliant. Execution keeps moving from one question to the next in a never-ending stream of things to accomplish, and suddenly even the 18 months seems not enough.

The DPDP act is new, but the ecosystem is old

The Digital Personal Data Protection Act has only recently become operational (November 2025). For most large organisations, especially regulated financial institutions, compliance is not something that starts after notification. It usually starts during draft stages.

The problem is that DPDP went through a protracted delay between the law being passed and the rules being announced, which led to evolving interpretations. That uncertainty led many organisations to invest in partial readiness: privacy notices, consent language updates, DPO appointments, and vendor pilots, but not a full DPDPA implementation effort.

What most avoided was irreversible DPDPA implementation engineering work until the rules were fully announced (which happened on 14 November 2025). This has created a visible gap between ‘we are working on DPDP’ and ‘we are fully compliant’.

Regulated entities operate under different regulations

Banks, insurers and regulated entities in general, who are most likely first in line for compliance, do not operate under a single law. They must comply with RBI, IRDAI, TRAI, SEBI, UIDAI, and sector-specific mandates.

DPDP introduces principles such as data minimisation, purpose limitation, and storage limitation. In contrast, financial regulators often require extensive data collection for verifying identities (KYC and AML), long retention periods, and broad auditability.

These are not theoretical conflicts. They surface daily in questions like: Can customer data be deleted if another law mandates retention? Is consent required where processing is mandated by regulation? How should legacy datasets be treated?

Resolving these questions requires documented legal positions, internal governance, and regulator-specific (and approved) interpretations. That takes time.

Legacy systems are the hardest part of DPDPA implementation

For large Banks and Insurers, data does not live in one place.

It lives in core systems built decades ago.
In downstream analytics systems.
In call recordings and ticketing tools.
In third-party vendor platforms (sometimes locked in proprietary datasets that are impossible to access for discovery, classification or RoPA).
In backups and archives.
In people's laptops and personal devices (rare but still true).

DPDP compliance requires organisations to know where personal data exists, why it exists, how consent was obtained, and how long it should exist.

This cannot be solved by a single tool or policy. It requires data discovery, system mapping, consent traceability, and defensible deletion workflows.

This is why implementation is slow. It is engineering-heavy, not documentation-heavy.

Consent under DPDP is operationally complex even with a Privacy Tool

Consent under DPDP must be informed, specific, revocable, auditable, and accessible in multiple Indian languages.

Banks and Insurers collect consent across multiple channels: branches, mobile apps, websites, IVR systems, relationship managers, and agents.

Unifying consent across these channels into a single, provable system is non-trivial. Many organisations underestimated this complexity initially.

They are now rebuilding consent architecture more carefully. A tool such as Atlas Privacy Manager greatly helps with building this architecture from the ground up, but the work should not be underestimated or treated as just a static notice.

Have any large Banks or Insurers announced full DPDPA implementation?

As of today (Jan 2026), there is no publicly available, independently verifiable announcement from a large Indian Bank or Insurance company stating that it is fully DPDPA compliant across all systems and products. We looked through publicly available information and scoured through annual reports for any mention of full compliance but we couldn’t find any.

Some institutions have publicly announced DPDP-related initiatives, internal programmes, or technology partnerships. These are meaningful signals of intent. However, announcing an implementation programme is not the same as declaring end-to-end compliance with demonstrable evidence across the organisation. That distinction matters. Of course, product sellers will greatly exaggerate their claims of where they are in the implementation cycle.

What ‘Fully DPDPA Compliant’ actually says

True DPDP compliance is not just a press release. It is an operational state and a cultural mindset change towards safeguarding personal information and handling it with due care.

It means having clear, DPDP-aligned privacy notices across channels and languages.
It means maintaining tamper-proof, time-stamped consent records.
It means being able to honour data principal rights within defined timelines.
It means having breach response workflows that meet statutory requirements.
It means contractually governing vendors and processors.
It means enforcing purpose-based retention and deletion, not just stating it in policy.
It means recording every processing log in an auditable way.

Most large organisations are still on this journey.

Why the slow pace of DPDPA implementation is not a bad sign

The absence of ‘we are fully compliant’ announcements does not mean DPDP is failing. It means organisations are treating it seriously. However, this is a question that keeps repeating in every Client conversation we have – How many of your customers are using the Atlas Privacy Manager product?

Over the next 12 to 18 months, compliance will become more visible. Not through marketing claims, but through quieter indicators that are visible to Data Principals, such as a multilingual consent notice, trusted consent experiences, improved data governance, and access to a privacy portal rather than a long-winded process to make changes. Until then, we will find it hard to answer the question: who has implemented DPDP fully in India?


About

We are your friends at frslabs

FRSLABS is an award-winning research and development company specialising in Privacy Management, Identity Verification and Fraud Prevention solutions for businesses. Whether you are a big bank, insurance, telco or a small investment broker, we help you onboard and verify your customers with greater flexibility, compliance and reliability.

Built for you, not for investors

We do what is right for you (and only you) at scale. Nothing is off-limits for us when it comes to innovation, a culture best reflected in the array of patents we have filed. We want to be your trusted partner, to build the solutions you need, and to succeed when you succeed.

Priced for success

We are driven by our mission to touch a billion lives with our tools and not beholden by venture capital or mindless competition. We therefore have the freedom to do the right thing, and price our products sensibly, keeping your success and our staff in mind.

Supported by humans

Whatever it takes, we are here to help you succeed with our products and services. For a start, you get to talk to a human for help, not bots, to figure things out one-to-one. Whatever your needs, however trivial or complex it may seem, we have you covered.
