India's DPDP rules: Compliance cost likely to rise for companies

The cost of operations for companies and data fiduciaries dealing with user data in India is likely to increase over the next 18 months as they implement new systems for data mapping, deploy consent management tools, and establish data protection offices, according to industry and legal experts. These new systems must be implemented to comply with the rules of the Digital Personal Data Protection (DPDP) Act. 

The rules, notified on November 14, say that while companies have to implement a data protection and consent management system by November 2026, the systems for data mapping or seeking individualised consent must be put in place by May 2027. 

Arun Prabhu, partner and co-head of the digital, technology, media and telecommunications practice at Cyril Amarchand Mangaldas, said companies in Europe initially spent between $250,000 and $10 million when the General Data Protection Regulation (GDPR) was rolled out in May 2018. 

“Companies, particularly those that are notified as Significant Data Fiduciaries, will have to make extensive investments in data mapping, process modification, consent management tools, tools to enable Data Principal Rights, and establish a well-structured Data Privacy Officer organisation,” Prabhu said. 

The information technology (IT) cost of the commercial banks, which is around 10-15 per cent of their total expenditure, is also set to increase as they align their systems along the lines of the Act. 

“Banks are now required to conduct regular audits, monitor data flows, and assess third-party vendors. These are not one-time efforts but ongoing responsibilities,” a senior official of a public-sector bank said on the condition of anonymity. “We need to reorganise our consent framework completely; as we have given time of 18 months, we will be able to mitigate some of the operational costs,” the person added.

 

While companies may eventually be able to absorb the initial cost, despite the staggered timeline of up to 18 months, there could be other challenges to DPDP Act compliance, experts said.

 

Under the rules, the government has placed additional obligations on significant data fiduciaries. These include an annual data protection impact assessment, a yearly audit to ensure compliance with the provisions of the Act, and continuous due diligence to verify that the technology being used by the company, including the software and algorithm, is not likely to “pose a risk to the rights of data principals”.

 

All companies, social media platforms, and internet intermediaries that deal with the digital personal data of users will fall under the category of data fiduciaries. All users whose personal data is sought to be processed by these entities will now be referred to as data principals.

 

Several large public sector lenders like State Bank of India, Bank of Baroda, Union Bank of India, among others are developing advanced data governance tools, encryption technologies, and automated compliance monitoring systems.

 

Though the government has notified the additional compliances for significant data fiduciaries, it has not yet set out the parameters which will define this class of data fiduciaries, said Shreya Suri, partner at law firm CMS INDUSLAW.

 

Experts said that while firms may eventually be able to absorb the initial cost of implementing the new framework, despite the staggered timeline of up to 18 months, there could be other challenges to it as well.

 

Many organisations are struggling with conservative systems that are incompatible with privacy-by-design principles, and this would be a major hurdle for governance mechanisms, especially given the robust penalty framework in place, said Anandaday Misshra, founder and managing partner at AMLEGALS. 

Apart from MSMEs, most other organisations lack the visibility into their own data inventory and face the daunting task of comprehensive data mapping across fragmented legacy systems and vendor ecosystems, said Akshayy S Nanda, partner at law firm Saraf and Partners.

 

“Data mapping is not just a compliance checkbox but a foundational, resource-intensive process essential for understanding data flows, assessing privacy risks, and demonstrating compliance, yet it is often hindered by data fragmentation, poor documentation, and the absence of a data governance culture, making it the single most significant operational hurdle for organisations striving to meet DPDP Act requirements,” Nanda added.

 

Enterprises must immediately start prioritising data discovery, classification, and data-mapping exercises, implementing consent and retention workflows, strengthening breach-response mechanisms, and deploying technology-led governance tools that provide real-time visibility across the data lifecycle, said Murali Rao, partner and leader of the cybersecurity consulting at EY India.

 

“These requirements are not just regulatory checkboxes. They reshape how organisations collect, manage, and safeguard personal data,” said Sanjay Katkar, joint managing director of Quick Heal Technologies. 

Key concerns

• Data mapping of all users across their organisation
• Setting up of consent management, data protection offices
• Annual data impact assessment, audit for compliance with DPDP Act
• Fines likely to be imposed by DPB in case of data breach, unintentional retention
• Legal complexities in case of cross-border data transfer, storage 

 

With inputs from Anupreksha Jain