India's DPDP Law Progresses, Startups Show Uneven Readiness
India's Digital Personal Data Protection (DPDP) Rules are being phased in, with companies facing significant penalties for non-compliance. Startups' preparedness varies widely across the sector.

India's Digital Personal Data Protection (DPDP) Rules are now in a phased rollout, presenting a compliance challenge for startups and businesses. The first milestone, involving the Consent Manager framework, takes effect November 13, 2024, with full DPDP compliance due by May 13, 2027.
Penalties for non-compliance are substantial, with fines reaching up to ₹250 crore (approximately $3 million USD) for failing to implement reasonable security safeguards. Additional penalties apply for data breaches and the mishandling of children's data, with potential fines of ₹200 crore for each. Some violations carry fines of up to ₹50 crore.
A February survey by EY India revealed that while awareness of DPDP is growing, implementation remains in early stages. Nearly 81% of organizations had not yet updated or drafted compliant privacy policies or governance frameworks, and 48% had begun gap assessments. Sectors like fintech, banking, and telecom are reportedly further ahead due to existing regulatory environments, while global companies are adapting GDPR processes. Traditional industries and many mid-sized businesses are lagging behind.
Experts highlight challenges in basic data mapping and integrating compliance into daily operations, particularly for micro, small, and medium-sized enterprises (MSMEs). These smaller firms often lack the budget and access to specialist consultants. The cost of compliance, including legal fees, data mapping, audits, and technology investments, can be significant, potentially ranging from several lakh to tens of lakh rupees annually per company. EY India estimates the DPDP law will drive a compliance services market exceeding ₹10,000 crore over three years.