Despite higher compliance costs, India’s top IT firms expect minimal disruption from DPDP Rules 2025, leveraging years of experience with global data-privacy frameworks
Indian IT services providers will have a short learning curve to adapt to India’s digital landscape post the notification of the Digital Personal Data Protection (DPDP) Rules last week because they have already been following such regulations in other parts of the world, especially Europe, for the last few years, according to experts.
While compliance costs will surely go up — some estimate them to be in double digits — that is not expected to materially impact operations or dent margins because Indian companies have been gearing up for this for the last two years since the Act came into existence. All firms have had enough time to beef up their systems and house cybersecurity professionals to keep breaches to a minimum.
The impact will be minimal because most of the companies, barring TCS, Infosys, Wipro and Tech Mahindra, have minimal India-facing businesses and clients in the BFSI, telecom, healthcare, government, or business process outsourcing and customer relationship management (CRM) space.
The big four, however, will have to set up their systems to be compliant. TCS handles mission-critical government projects like passport issuance and post office modernisation programmes; Infosys handles the goods and services tax (GST) portal; Tech Mahindra is part of the India AI Mission to develop sovereign large language models (LLM) with a trillion parameters; while LTIMindtree was recently awarded a contract of about $100 million by the income tax department for the PAN 2.0 project.
“DPDP 2025 impacts only IT services firms with exposure to the India market as they handle Indian citizens’ personal data. The impact will be minimal and it will only increase compliance cost on consent, data flows, localisation timelines, internal audits, data mapping and new tooling,” said Gaurav Vasu, founder, UnearthInsights.
India business contributed 9 per cent to TCS’ revenue for the second quarter ended September 30, while it was just 3 per cent for Infosys.
Some of the short-term challenges that these companies could face include procurement delays for BFSI, healthcare and government-related programmes, which may push new scope of work (SoW) by a couple of quarters.
Mini Gupta, EY India consulting partner, said these new rules give an opportunity for firms operating in India to not only ensure diligence for themselves but also for their third parties in their extended supply chain, very similar to climate goals of Scope 1, 2, and 3.
“If those vendors are smaller organisations and are non-compliant, they may claim bankruptcy if hit with massive back-to-back penalties. It is critical to do a thorough diligence going ahead in selecting the right third parties with the right governance practices,” she added.
With consent at the core of the rules, companies will also have to rethink how they use customer data to train internal artificial intelligence models, including removing any training data where consent is not granted.
Most IT companies are building small language models (SLM) for internal use, mostly related to their business verticals or to help customers increase efficiency and reduce cost. Going ahead, they will need to re-scope such AI and generative AI (GenAI) analytics projects using Indian personal data, and some models may have to be rebuilt with stricter purpose or consent filters.
Jignesh Oza, a partner at Deloitte India, believes most of these companies largely know what is to be done. “If you have a privacy-compliant product, you go ahead and become a good differentiator. While the costs will go up, one needs to comply with the regulations too. That means better engineering practices that are privacy compliant and focusing on nuances like privacy by design. This will mean your customers are compliant too and you will have better serviceability in the market.”