DPDP Timeline Push Could Choke India’s Economic Engine, Warn Experts

Bengaluru, Feb 4 : A move to compress compliance timelines under India’s Digital Personal Data Protection Rules could strain large corporations and place smaller businesses, especially startups and MSMEs, under severe pressure, experts warned at a media briefing hosted by InGovern Research Services.

While welcoming the objectives of the DPDP framework, speakers cautioned that accelerating implementation from the originally notified 18 months to 12 months—or in some cases immediate enforcement—could impose disproportionate costs, create regulatory uncertainty, and dampen investor confidence at a critical moment for India’s startup ecosystem.

“Businesses want to comply,” noted participants, “but compliance of this scale and complexity cannot be achieved meaningfully without adequate time, guidance, and system readiness.”

Shriram Subramanian, Founder of InGovern Research Services, highlighted,

“India needs strong data protection, but compliance cannot be designed in a way that unintentionally penalizes players. Mandatory data and log retention, combined with compressed timelines, creates real and recurring costs that could derail large companies and overwhelm startups. Without careful calibration, this risks creating an uneven playing field where size matters more than innovation.”

The briefing brought together policy, legal, and investment experts to examine the real-world impact of fast-tracked DPDP obligations. Speakers stressed that compliance is not just a paperwork exercise but requires deep changes to technology architecture, governance systems, and organizational processes.

Experts also noted that awareness and operational understanding of the DPDP Rules have yet to fully reach smaller companies and early-stage startups, many of which lack access to specialized legal or technical expertise. Shreya Suri, Partner at IndusLaw, observed, “Obligations such as mandatory one-year data retention and audit readiness require substantial re-engineering of systems and contracts. Even where exemptions exist, the compliance burden is significant. A risk-based, phased approach is essential to achieve the law’s objectives without constraining innovation.”

Startups Face the Sharpest Impact

Participants highlighted that startups often lack storage capacity, compliance teams, or the ability to renegotiate processor contracts quickly. Mandatory retention of personal data, traffic data, and processing logs for one year would raise storage, security, and breach-management costs, diverting scarce capital away from product development, hiring, and market expansion.

Investor confidence is also at stake. Lloyd Mathias, Angel Investor, noted, “When compliance becomes expensive and uncertain, it directly affects startup burn rates, runways, and funding decisions. If early-stage companies are forced to divert capital from growth to compliance too early, it can slow innovation across the ecosystem.”

Uncertainty Around SDFs and Enforcement

Experts flagged ambiguity around the designation of Significant Data Fiduciaries (SDFs). Shortened timelines for SDF-specific obligations—such as audits, DPIAs, and algorithmic accountability—pose planning challenges. Without knowing whether they fall under the SDF category, companies cannot budget, hire expertise, or design governance structures in advance.

Concerns were also raised about enforcement readiness. With the Data Protection Board empowered to act digitally and individuals able to file complaints easily, premature enforcement could lead to disputes, penalties, and heightened compliance anxiety, particularly for startups without in-house legal capacity.

Participants stressed that India is still developing a privacy culture across the ecosystem. “Even government agencies and public bodies will need time to operationalize these obligations because the law is complex and requires significant changes in processes, systems, and accountability frameworks,” they noted.

Call for Predictable, Proportionate Rollout

The briefing concluded with a call to retain the originally notified 18-month transition period, adopt phased and threshold-based obligations, and align implementation with global best practices. Speakers cited the EU’s GDPR as an example, where organizations were given a two-year implementation window before enforcement, along with extensive guidance, sectoral clarifications, and supervisory engagement.

“India has an opportunity to set a global benchmark for data protection in emerging digital economies,” the experts said. “Leadership will come not from rushing compliance, but from implementing it predictably and proportionately—protecting citizens’ data while preserving the country’s startup momentum.”