This week we ran live privacy scans on six mid-market Indian companies: IT services firms, managed service providers, and BPO/KPO outsourcers, the kind of businesses that process personal data for clients every single day.
The result: 6 out of 6 had zero references to the DPDP Act 2023 or the DPDP Rules 2025 anywhere in their privacy policies. Eleven months before full enforcement.
What we actually found:
A Mumbai-based Microsoft cloud partner whose privacy policy was last updated in June 2020, still citing the IT Act 2000. Its grievance officer's email address points to a dead staging server, so anyone trying to exercise their rights hits a wall.
A 25-year-old Gurgaon IT services firm whose entire policy is four paragraphs, including the line "your accessing our site signifies your unconditional consent". The DPDP Act's consent standard (free, specific, informed, withdrawable) was written precisely to end that construction.
A Bengaluru BPO whose policy claims "cookies are not enabled, we do not track visitors" while the site runs analytics and embedded video trackers.
A Delhi NCR outsourcing firm whose policy appears machine-translated. It refers to cookies as "treats" throughout. Its teams handle medical, legal and bookkeeping work for overseas clients.
Why this matters now:
The DPDP Rules were notified on 13 November 2025. Full enforcement arrives on 13 May 2027, with penalties up to Rs 250 crore per breach category. There is no grace period after that date.
If you process data on behalf of clients, your deadline is effectively earlier than May 2027, because your clients' vendor-risk teams are already sending DPDP questionnaires to their processors. The first place they look is your privacy policy. It is your compliance shopfront, and right now most mid-market shopfronts are advertising the gaps.
The math for a 200-person services company: readiness assessment (3-4 weeks), fixing the gaps it finds (3-4 months), training your people (1-2 months), plus buffer. That is 8-9 months end-to-end. Count back from May 2027 and the comfortable window closes around September 2026.
Want to know what your own policy says?
We run a free 2-page Privacy Snapshot: the same scan we used above, specific to your website, with concrete findings and three recommended next steps. No charge, nothing needed from your side.
Write to hello@nitibharat.com or visit nitibharat.com.
Niti Bharat helps Indian mid-market companies get DPDP-ready: fixed-price readiness assessments, privacy documentation, vendor risk reviews, and employee training.