Where India’s Privacy Push Stalls Inside Enterprises
A new MIT Sloan Management Review India-IDfy study finds that large enterprises have built privacy frameworks and consent systems, but struggle to enforce them consistently across engineering teams, data workflows, and legacy systems.
Topics
News
- Codex Gains Early Traction as OpenAI Pushes Agent-Led Coding
- Supreme Court Raises Red Flags Over Meta, WhatsApp Data Practices
- Musk Merges SpaceX and xAI in Deal Valued at $1.25 Trillion
- Firefox Moves to Make AI Optional for Users
- OpenAI, Snowflake in $200 Million Deal to Embed AI in Enterprise Data
- Oracle to Raise Up to $50 Billion in 2026 to Scale Cloud Capacity
India’s companies in data-intensive sectors have largely built the basic machinery for data privacy, but running it smoothly at scale remains a challenge, according to a new study by MIT Sloan Management Review India in collaboration with IDfy.
The findings are based on a survey of 78 senior leaders conducted between December 2025 and January 2026 and show that while privacy-by-design frameworks and consent management systems are now commonplace, those controls weaken when they have to operate across legacy technology, fragmented tooling, and high-volume data environments.
That execution gap shows up early in the software lifecycle. Privacy-by-design within product development is most commonly described as “managed” rather than “embedded,” indicating that while practices exist, they are not consistently integrated into engineering standards, design reviews, and release processes across organizations.
Core technical capabilities appear more mature. All respondents said fewer than 10% of their data-processing applications are unable to support granular, individual-level deletion without significant manual intervention, suggesting that the mechanics required to execute basic rights are largely present across enterprise application environments.
Operational consistency, however, remains uneven. While many organizations have defined channels to receive and log data subject requests, automation and coordination across systems and teams vary widely, limiting scalability as volumes increase.
Consent management illustrates this tension most clearly. Capturing consent is widespread, but applying it consistently downstream remains difficult, particularly as data moves across tools, functions, and business units, exposing gaps between governance intent and system-level enforcement.
These weaknesses become material as scale increases. Reliance on manual steps and partial automation can work at low volumes, but it becomes unreliable as request volumes rise, systems proliferate, and regulatory scrutiny intensifies.
The study describes the gap between policy and practice as a shift from interpreting India’s Digital Personal Data Protection Act to executing it. High-level policies are no longer sufficient, and organizations increasingly need privacy controls embedded directly into technology systems and workflows.
The execution gaps identified in the study come into sharper focus as the government weighs reducing DPDP compliance timelines, potentially accelerating the pressure on companies to translate privacy frameworks into working systems.
Engineering emerges as a central bottleneck. Every respondent cited developer skills and adoption as a challenge in implementing privacy by design. Half also pointed to legacy systems, while an equal share cited fragmented tooling that does not integrate. The constraint, the study suggests, is not regulatory ambiguity but the difficulty of translating privacy requirements into system design and developer workflows.
Free Download: Where India’s Privacy Push Stalls Inside Enterprises
Financial governance presents a parallel weakness. About three-quarters of respondents said they either have no dedicated privacy budget or lack visibility into privacy-specific spending, limiting their ability to manage privacy as a measurable enterprise risk.
The way privacy performance is measured reinforces that gap. Most respondents said they do not quantify avoided costs from privacy controls, and boards continue to rely on narrative risk assessments rather than financial or probabilistic models.
Investment priorities reflect this framing. Avoiding regulatory fines and penalties is the most frequently cited driver of privacy spending, followed by reducing breach-related costs. Competitive differentiation ranks lower, while enabling partners or clients is typically deprioritized.
Privacy, in this context, is treated primarily as risk management rather than as a source of growth or product advantage.
Even so, privacy is gaining weight in strategic decisions. Three in five respondents said privacy posture is a critical go-or-no-go factor in decisions such as market entry or mergers and acquisitions, while the rest said it shapes valuation and integration planning.
That strategic importance does not translate into explicit marketing. Privacy is more often positioned as an implicit trust signal rather than a visible differentiator, aligning with executives’ emphasis on risk containment over competitive positioning.
Privacy-related trade-offs vary by activity. Marketing measurement and attribution are affected unevenly, depending on how consent is implemented, while cross-border data sharing and third-party data integration consistently face higher complexity due to layered regulatory and operational constraints.
Artificial intelligence (AI) presents fewer technical constraints than expected. Most respondents reported only moderate impact on AI and machine-learning model performance when using anonymized or similar data transformation techniques, indicating that privacy rules constrain data access and scale more than model functionality.
Overall, the findings point to a transition phase. Foundational privacy governance is largely in place, but the next stage depends on replacing ad hoc processes with repeatable workflows, linking consent more tightly to data use, embedding privacy earlier in system design, and developing measurement practices that allow it to be assessed alongside other enterprise risks.
