Date: 2026-02-05

A move to compress compliance timelines under India’s Digital Personal Data Protection (DPDP) Rules poses risks for large corporations while putting startups and smaller businesses under severe strain, experts warned at a media briefing hosted by InGovern Research Services.

While welcoming the intent behind the DPDP framework, speakers cautioned that accelerating implementation from the originally notified 18 months to 12 months, and in some cases immediate enforcement, could impose disproportionate costs, create regulatory uncertainty and dampen investor confidence at a critical moment for India’s startup ecosystem.

Speakers were clear that the concern is not about avoiding compliance. “Businesses want to comply,” participants noted, “but compliance of this scale and complexity cannot be achieved meaningfully without adequate time, guidance and system readiness.”

“India needs strong data protection, but compliance cannot be designed in a way that unintentionally penalises players,” said Shriram Subramanian, Founder, InGovern Research Services. “Mandatory data and log retention, combined with compressed timelines, creates real and recurring costs that could derail large businesses and that young companies simply cannot absorb at the same scale. If not calibrated carefully, this will create an uneven playing field where size matters more than innovation.”

The briefing brought together perspectives from policy, law and investment experts to examine the real-world impact of fast-tracked obligations under the DPDP Rules. Speakers stressed that compliance is not a paperwork exercise but requires deep changes to technology architecture, governance systems and organisational processes.

Participants also noted that awareness and operational understanding of the DPDP Rules have not yet cascaded fully to smaller companies, early-stage startups and MSMEs, many of which are still building basic compliance capabilities and lack access to specialised legal or technical expertise.

“From a legal and operational standpoint, the challenge is not intent but execution,” said Shreya Suri, Partner at IndusLaw. “Obligations such as mandatory one-year data retention and audit readiness require substantial re-engineering of systems and contracts. Even where exemptions exist, the compliance burden is significant. A risk-based, phased approach is essential to ensure the law achieves its objectives without constraining innovation.”

Startups Face the Sharpest Impact

Participants noted that players do not have excess storage capacity, compliance teams or the ability to rapidly renegotiate processor contracts. Mandatory retention of personal data, traffic data and processing logs for one year would raise storage, security and breach-management costs, diverting scarce capital away from product development, hiring and market expansion.

The concern is not limited to operational burden. Investors, speakers said, are already watching regulatory timelines closely. The cost of non-compliance also remains a major unknown, creating additional risk for businesses and investors who are unable to accurately model financial exposure in the absence of clear enforcement guidance.

“Regulatory cost structures matter deeply to investors,” said Lloyd Mathias, Angel Investor. “When compliance becomes expensive and uncertain, it directly affects startup burn rates, runways and funding decisions. If early-stage companies are forced to divert capital from growth to compliance too early, it can dampen investor appetite and slow the pace of innovation across the ecosystem.”

Uncertainty Around SDFs and Enforcement

Experts also flagged the lack of clarity around the designation of Significant Data Fiduciaries (SDFs), even as timelines for SDF-specific obligations such as audits, DPIAs and algorithmic accountability are proposed to be shortened. Without knowing whether they fall within the SDF category, companies are unable to plan budgets, hire expertise or design governance structures in advance.

Concerns were also raised about enforcement readiness. With the Data Protection Board empowered to act digitally and individuals able to file complaints easily, speakers warned that premature enforcement could lead to disputes, penalties and compliance anxiety, particularly for startups without in-house legal capacity.

Participants also observed that India is still in the early stages of building a privacy culture across the ecosystem. “Even government agencies and public bodies will need time to operationalise these obligations because the law is complex and requires significant changes in processes, systems and accountability frameworks.”

Call for Predictable, Proportionate Rollout

The briefing concluded with a call for retaining the originally notified 18-month transition period, adopting phased and threshold-based obligations, and aligning implementation with global best practices. Speakers cited GDPR as an example where organisations were provided a two-year implementation window before enforcement began in 2018, accompanied by extensive guidance from regulators, sectoral clarifications, FAQs, and supervisory engagement.