Compliance costs seen rising 15–30% amid tighter timelines
The Union government has been considering shortening the timeline for DPDP implementation from 18 months to 12 months.
India Inc may have to pay a steeper price for data protection compliance, as the fast-tracking of the Digital Personal Data Protection (DPDP) Act timeline is likely to push up costs by 15-30 per cent depending on company size.
The Union government has been considering shortening the timeline for DPDP implementation from 18 months to 12 months. Drawing parallels with other regions, Forrester estimated that compressed regulatory timelines typically lead to 30-50 per cent higher compliance costs for major companies, driven by external consulting and rework from rushed data mapping and consent implementations. Data security solutions company Futurex estimated a 10-15 per cent increase in costs for start-ups and smaller companies.
“Applied to DPDP, this means Indian firms meeting a 12-month deadline should expect higher upfront spend with residual enforcement and remediation risk persisting well beyond the go-live window,” Biswajeet Mahapatra of Forrester Research told businessline, adding that the revised timelines can double the likelihood of breach and non-compliance incidents during the first 12-18 months, owing to rushed implementation.
Sources in the know said the shorter timeline is being considered amid the growing sophistication of cyber attacks, ranging from identity spoofing to financial fraud.
“A strong framework like DPDP will bring down 60-70 per cent of the breaches. However, it is an ongoing process and will take some time for a better adoption,” said Ruchin Kumar, Vice-President, South Asia, Futurex.
Even so, compliance remains a significant challenge. EY India recently reported that 81 per cent of companies have not begun work on privacy governance structures, including defining roles and responsibilities. Further, 80 per cent of organisations have not initiated drafting or updating policies aligned with the DPDP Act and Rules, while over 83 per cent have not started implementation across relevant processes and systems.
Addressing these gaps, Mahapatra said, “Indian enterprises historically treat data protection as a legal checkbox rather than an operating model change, leading to fragmented ownership between IT, legal, and business teams and slow execution once timelines become real.”
Many companies also chose to wait on further clarity on DPDP provisions in the initial period. These companies are now discovering that years of data growth have left them with privacy debt they don’t know how to pay off, said Sanchit Vir Gogia, Chief Analyst and Founder at Greyhound Research.
Additionally, many CIOs and CISOs have yet to receive incremental budgets required to meet a 12-month compliance window, Gogia said. This could result in a split landscape, where well-capitalised organisations build mature, defensible privacy systems, while others scramble merely to remain compliant, he added.
Tall order for start-ups?
Earlier, consulting firms told businessline that annual DPDP compliance costs could be as high as ₹20,000 crore. Considering this, the fast-tracking costs could pile up, especially for start-ups and MSMEs.
Further, proxy firms like inGovern, along with law firm IndusLaw, have held virtual discussions highlighting how the shortened timeline could hit investor sentiment. When asked about this, Tracxn said the development could strain resources and investor confidence because many organisations are still in the early stages of compliance readiness.
“Shortening the DPDP compliance timeline may create some near-term caution among investors, particularly for early-stage start-ups that could face higher compliance costs and operational pressure. However, it is unlikely to significantly reduce overall investor appetite for India, as strong data protection frameworks typically improve market credibility and trust over time. In the long run, clearer regulation may even benefit start-ups by making them more attractive to global investors who prioritise governance and data security,” said Neha Singh, Co-Founder, Tracxn.
Building on this, Gogia noted that not all start-ups are equally vulnerable, as some have embraced privacy as a competitive differentiator. However, he cautioned against assuming regulatory leniency.
“The belief that regulators will go easy on start-ups can collapse with a single complaint or data breach. Given how visible start-ups are online, it takes just one angry user or one curious journalist to trigger a reckoning,” he said.
Published on February 6, 2026