Following the notification of rules under the DPDP Act in November, the 18-month countdown for complying with the norms has begun for institutions to align business processes with privacy measures
Privacy compliance is shaping up to be a major new cost centre for India Inc, with companies expected to spend nearly ₹20,000 crore in the first year of implementing the Digital Personal Data Protection Act, according to consulting firms.
Following the notification of the Rules under the Digital Personal Data Protection Act in November, the 18-month countdown for complying with the norms has begun, and institutions must now align business processes with privacy measures and understand the spends involved.
“In the first year of compliance, India Inc. is expected to spend ₹20,000 crore. It will also depend on how soon the Data Protection Board is established and how strict its members are,” said Sachin Tayal, Managing Director, Protiviti Member Firm for India. In comparison, European companies spent around $1 billion and US corporates among the Fortune 500 spent $7.8 billion for GDPR compliance in 2018, as per an IAPP-EY report.
Greyhound Research estimated India Inc. to cumulatively spend ₹50,000–₹60,000 crore on DPDP compliance over the next 2-3 years, combining one-time readiness costs with permanent increases in security, data governance and breach-response operations.
For small and medium firms, the initial costs will range from ₹1-2 crore and ₹6-8 crore respectively, while companies with a revenue higher than ₹2,500 crore will spend ₹6-8 crore, said Tayal. However, Sanchit Vir Gogia, Chief Analyst at Greyhound Research, argued for a higher range for large companies, stating, “For large enterprises the credible range expands to ₹10–18 crore when compliance is executed properly rather than cosmetically. DPDP cost is structural, and spans data discovery and classification across live systems, backups, shadow environments, consent and notice engineering across channels, security safeguards, etc.”
Spend breakup
While the initial investments will be dedicated towards consent management, cybersecurity posture, vendor data audits, and breach response frameworks, the biggest spend by companies will be towards implementation of the tools for compliance, said Tayal. He estimated the cost to be ₹1.5-5 crore for companies.
“Of the investments estimated, 50 per cent will be recurring annual cost and the rest will be a one-time cost,” said Tayal.
The organisation’s size, the type of personal data it handles and its industry vertical also influence the size of the investment, said Akshaya Suresh, Partner at JSA Advocates & Solicitors (JSA).
“Restrictions on data transfer will require investments to host data in data centres in India. There will also be costs to move data to India if it is hosted in a region that is subsequently blacklisted by the government. If companies have vendors that store data globally, there may also be a cost to require vendors to host data locally or change vendors if they don’t support local hosting. Separately, data retention, archiving and secure erasure will also need infrastructure capacity planning,” he said.
Cost burden
The counterweight to these investments is the penalties set out in the DPDP Act, with maximums ranging from ₹50 crore to ₹250 crore depending on the violation.
“Enterprises are over-investing early rather than optimising later, because the downside risk of a breach or compliance failure is asymmetric. DPDP creates a permanent operating cost. Annual run rate spending on monitoring, audits, governance, and vendor oversight can plausibly range from ₹50 lakh to ₹10 crore depending on scale and fiduciary status. The correct framing is not average compliance cost, but long term privacy infrastructure cost,” said Gogia.
Tayal asked companies to look at the cost as an investment towards customer confidence rather than simple compliance.
Sectoral risks
Health and pharma, banking, insurance and financial services, retail, hospitality, e-gaming, telecom, ed-tech, and gig and mobility are the sectors that face an elevated risk when it comes to data protection. This is due either to the sensitive nature of the data they handle or to their clientele, such as children, for whom the Act imposes additional compliance requirements.
Published on December 29, 2025