India’s data protection law is no longer a can that companies can kick down the road. With the Digital Personal Data Protection (DPDP) Rules now on a phased rollout, startups have just over four months until the first compliance milestone and around 10 months until the law fully comes into effect.
The penalties for non-compliance are severe, so it’s no surprise that companies are scrambling to get set for the new reality.
Come November 13, the Consent Manager framework will get into effect. Once this happens, the Data Protection Board, an independent adjudicatory body established under the Act, can begin registering Consent Managers.
These are regulated intermediaries that allow users to give, review and withdraw consent for sharing their personal data through a single platform. For businesses that plan to rely on these platforms, this means preparing systems that can integrate with them, receive consent updates and act on them in real time before the broader DPDP compliance requirements take effect on May 13, 2027.
The penalties are steep. Companies can face fines of up to ₹ 250 Cr for failing to implement reasonable security safeguards. Failing to report a data breach and mishandling children’s data can each attract penalties of up to ₹ 200 Cr, while other violations carry fines of up to ₹ 50 Cr. Under certain conditions, the DPDP Act further empowers the Central Government to direct any agency or intermediary to block public access to information that enables a data fiduciary to provide goods or services in India, say experts.

The question now is simple: Are Indian startups ready?
Entering The DPDP Readiness PhaseThe short answer to that question is not everyone.
A FebruaryEY India survey of more than 150 professionals across industries found that while awareness of the DPDP framework is improving, implementation remains at an early stage. Nearly 81% of organisations are yet to update or draft DPDP-compliant privacy policies or governance frameworks, highlighting significant gaps in preparedness. Around 48% of respondents said they have begun conducting gap assessments, making it the most common first step in their compliance journey.
Law firms advising companies on DPDP say the same thing.
“Preparedness is improving, but it is still highly uneven,” said Ambuj Sonal, partner at Dentons Link Legal. According to Sonal, regulated sectors like fintech, banking, insurance, and telecom are much further ahead because compliance is already part of how they operate. Global companies are also adapting existing GDPR processes for India.
The laggards are traditional industries such as manufacturing, offline retail, real estate, and many mid-sized businesses where customer data is spread across different teams and systems. Many companies, he said, are still choosing legal and technology partners before beginning implementation.
Before a company can comply with DPDP, it first needs to understand what personal data it collects, where that data is stored, who has access to it, who it is shared with and how long it is retained. That basic exercise is proving harder than expected. “Without that map, almost every other compliance step becomes difficult and time consuming,” Sonal said.
The second challenge is bringing compliance into day-to-day operations. Many frontline employees still collect customer information over WhatsApp or through informal processes. Making sure consent is captured properly in these situations is far more difficult than updating a privacy policy.
The situation is more dire for micro, small and medium enterprises (MSMEs). Since this is India’s first comprehensive data privacy regime, many MSMEs are finding it difficult to adapt existing processes while simultaneously educating employees, customers and business partners, said Amrish Kumar Jain, chief information officer at Tally Solutions, an enterprise resource planning software provider targeted at small and medium businesses.
Unlike large enterprises and social media companies, MSMEs often lack the budgets and access to specialist consultants needed to implement compliance programmes. While he stopped short of calling it a disadvantage, he said placing businesses of vastly different scales under the same regulatory framework inevitably makes compliance more challenging for smaller firms.
Cost of compliance is another factor. In fact, DPDP compliance could come at a significant cost, particularly for startups and MSMEs. Beyond legal fees, companies may need to invest in data mapping, reviewing data flows, auditing vendor contracts, appointing compliance officers, deploying encryption and breach detection tools, and strengthening internal governance around data protection.
As per consent management provider Consently’s estimates, compliance costs can range from a few lakh rupees to several tens of lakhs a year, depending on a company’s size and complexity. A consent management platform can cost anywhere from nothing to ₹15 Lakh annually, while data audits and inventory mapping may cost ₹1-10 Lakh.
Meanwhile, legal work, including privacy policies and vendor agreements, typically ranges from ₹50,000 to ₹5 Lakh, while employee training and breach response can add another ₹50,000 to ₹20 Lakh annually.
Businesses designated as Significant Data Fiduciaries (SDFs) must also appoint a Data Protection Officer, with in-house hires costing ₹25-40 Lakh a year as per current market rates. Many smaller companies instead opt for fractional DPO services priced between ₹2 Lakh and ₹8 Lakh annually.
Those line items add up across the economy.EY India estimates the law will drive more than ₹10,000 Cr (around $1.2 Bn) compliance services market over the next three years, with consent management alone accounting for roughly a tenth of that.
More Than Just A Consent Pop-UpMany startups think DPDP is about adding a consent banner or updating their privacy policy. That’s only one part of the job, experts note. Deepak Chand Thakur, CEO and cofounder of payments technology company NPST, said the real challenge lies underneath.
“Most organisations are approaching DPDP at the interface layer with better consent forms, cleaner notices. That’s necessary, but it isn’t sufficient,” he said.
Instead, companies need systems that record why data was collected, what users agreed to, where the data flows, and whether that consent continues to be honoured across every application and partner.
The responsibility also extends beyond a company’s own systems. If a startup shares customer data with vendors or third-party service providers, it remains responsible for ensuring that data is handled properly.
The rise of AI makes this even more important. “When models are making decisions on customer data, you need provable consent lineage at every step,” NPST’s Thakur added.
As investors and enterprise customers increasingly scrutinise regulatory readiness, some startups are beginning to view strong DPDP compliance as a competitive advantage.
Digital lending platform Fibe told us it has already implemented consent management, retention policies and access controls across its products. “At the same time, we continue to actively review and enhance our processes as detailed implementation guidelines under the DPDP Act evolve and as the broader regulatory ecosystem matures,” said CTO Anil Sinha.
The bigger challenge, according Sinha, is consistency across the entire data lifecycle. As organisations grow, customer data may interact with multiple systems, partners, and workflows. Preparing for DPDP requires businesses to have clear visibility into how data is collected, processed, stored, and retained, he said.
Proptech platform NoBroker cofounder and CTO Akhil Gupta told Inc42 the company has also begun preparing and has mapped out the structure, or the parts of the operations where it acts as a data fiduciary (the entity deciding how customer data is used) and the other parts it functions as a data processor, handling data on behalf of housing societies through NoBrokerHood.
The real estate platform, which has added a number of service categories recently, is building its own multilingual consent platform and has formed a cross-functional team spanning engineering, product, cybersecurity, and legal.
When asked about the challenges faced, Gupta mentioned redesigning data infrastructure to support data minimisation and erasure without affecting the user experience. Operationally, there is focus in educating housing society administrators on their data protection responsibilities and how NoBrokerHood processes data on their behalf.
All said, even companies that have invested in compliance are waiting for greater regulatory clarity. According to Dentons Link Legal’s partner Sonal, businesses still need guidance on how detailed consent notices should be, when companies can rely on the ‘legitimate use’ provisions under the law without explicit consent, and what constitutes an acceptable method of age verification.
For startups, that means DPDP is no longer just a legal exercise. It requires rethinking how customer data moves across products, partners and AI systems.
Beyond hefty penalties, as mentioned above, non-compliance could directly affect a startup’s ability to grow. Companies that fail to build compliant consent, data governance and breach response systems may find it harder to sign enterprise customers, particularly in regulated sectors such as BFSI and healthcare, where privacy due diligence is becoming standard.
They could also face delays in fundraising as investors increasingly scrutinise regulatory and data governance risks during due diligence. Investors are increasingly assessing data governance during due diligence, and gaps such as weak consent management, missing vendor agreements or poor data retention practices can delay funding, say experts.
While DPDP may not force startups to halt operations immediately, repeated violations, regulatory scrutiny, reputational damage and loss of customer trust could significantly hamper growth and business opportunities.
[Edited by Nikhil Subramaniam]
The post DPDP Is Coming Fast But Indian Startups Are Moving At Different Speeds appeared first on Inc42 Media.