- India Inc is underprepared to manage privacy risks from third-party vendors under DPDP rules
- Over 80% of organizations have not updated privacy policies or started DPDP implementation
- Sectors with complex vendor ecosystems show lower readiness than financial and tech sectors
As India begins the execution phase of the Digital Personal Data Protection (DPDP) Act and Rules, a new fault line is emerging for corporate India: third-party vendors. According to a recent report by EY, India Inc is significantly underprepared to manage privacy risks arising from vendors, processors and partners embedded deep inside enterprise systems.
While organisations increasingly acknowledge DPDP as a board-level issue, EY's survey of nearly 150 professionals across sectors shows that implementation maturity, especially around third-party governance, remains worryingly low.
Under the DPDP framework, companies classified as Data Fiduciaries are fully responsible for how their vendors process personal data. This includes IT service providers, cloud platforms, SaaS vendors, BPO partners and analytics firms. Even though Data Processors are not directly regulated, any lapse on their part becomes the fiduciary's legal and reputational liability.
Awareness Is High, But Readiness Is Not
EY's data shows that over 80% of organizations have not updated their privacy governance structures or policies, and more than 83% have not initiated DPDP implementation across processes and systems - including vendor controls. Third-party privacy risk assessments, periodic audits and contract remediation remain among the least adopted compliance activities across sectors.
EY's survey highlights a sharp gap between awareness and execution. While overall familiarity with the DPDP Act is relatively high, around 30% of respondents reported moderate to low awareness, with even larger gaps at operational levels. Crucially, sectors with complex vendor ecosystems - such as healthcare, manufacturing, education, shipping and metals - show lower readiness than financial services and technology.
Legacy systems further compound the problem. Nearly 71% of respondents cited difficulty in adopting privacy technology in legacy environments, while almost 59% flagged a lack of subject-matter expertise as a key barrier to compliance.
Why Third-Party Risk Is Escalating Fast
EY notes that vendor exposure is particularly acute because DPDP mandates strict breach-reporting timelines, including notification to the Data Protection Board and affected individuals, followed by a detailed report within 72 hours. Vendors must also support one-year log retention, security safeguards and grievance redressal - obligations many are currently unequipped to meet.
Despite this, many organizations have only identified vendors handling personal data without validating whether they can actually meet DPDP requirements in practice.
With the DPDP Rules notified in November 2025 and an 18-month compliance clock underway, EY warns that delayed action on vendor governance could translate into penalties, operational disruption and reputational damage. The report stresses that privacy is no longer a contractual checkbox but an operational control - and vendor risk is now enterprise risk.