Indian Startups Face Varying Readiness for New Data Protection Law
India's Digital Personal Data Protection (DPDP) law is rolling out in phases, with significant penalties for non-compliance. Startups are at different stages of preparedness, with compliance deadlines approaching.

India's Digital Personal Data Protection (DPDP) Act is moving towards full implementation, setting strict deadlines for businesses. With the Consent Manager framework set to go live on November 13 and broader compliance requirements by May 13, 2027, companies are facing a compressed timeline. Penalties for violations are severe, potentially reaching up to ₹250 crore for inadequate security safeguards and ₹200 crore for breach reporting failures or mishandling children's data.
A recent EY India survey indicates that awareness of the DPDP law is growing, but implementation remains in its early stages for many. Approximately 81% of organizations have yet to update their privacy policies or governance frameworks, highlighting significant preparedness gaps. While regulated sectors like fintech and banking, along with global companies adapting GDPR processes, are further along, traditional industries and many mid-sized businesses lag significantly.
Experts note that a fundamental challenge is the lack of a clear data map—understanding what personal data is collected, where it resides, and how it is shared. This basic step is proving more difficult than anticipated for many companies. Furthermore, integrating compliance into daily operations, especially for frontline employees using informal data collection methods, presents additional hurdles.
Micro, small, and medium-sized enterprises (MSMEs) face particular difficulties due to limited budgets and access to specialized consultants. The cost of compliance, including legal fees, data mapping, audits, and technology investments, can be substantial, ranging from lakhs to tens of lakhs of rupees annually, adding significant financial pressure on smaller firms.