DPDP final rules set off a compliance stress test for India’s MSMEs and startups

With steep penalties, strict consent norms, and 18-month rollout timelines, India’s smallest digital businesses face a disruptive reset, forcing them to rebuild data operations, vendor contracts, and product flows from the ground up.

By Akanksha Nagar, Nov 15, 2025 8:58 AM
For MSMEs, the DPDP era marks more than compliance, it signals a structural change in how even the smallest Indian companies must handle personal data. (Image source: CNBCTV-18)

India’s newly notified Digital Personal Data Protection (DPDP) Rules have triggered a moment of reckoning for the country’s micro, small and medium businesses, many of which rely heavily on digital customer acquisition, third-party tech tools, and low-cost data infrastructure. While the law marks a long-awaited shift toward global-grade privacy protections, its operational demands pose the steepest challenge for the smallest players in the ecosystem.

Karthik Prabhakar, Managing Partner at PeerCapital, calls the DPDP transition “one of the most significant shifts India’s technology ecosystem has seen in a decade.” According to him, the Rules “turn privacy into a measure of maturity for every business,” creating a competitive divide between those who treat regulation as “a roadmap, not a restraint,” and those still relying on discretionary data practices.

Startups and MSMEs face full obligations: no exemptions, high penalties

Redacto’s Co-Founder and CPO, Shashank Karincheti, is blunt about the risk: “Penalties can reach Rs 250 crore per violation. That changes board priorities, product design, vendor management, security posture, and marketing fundamentals in one stroke.”

The law does not dilute compliance requirements for smaller entities. “Startups and mid market firms carry the same duty as the giants,” Karincheti stresses.

Legacy systems, unmanaged data flows, BYOD practices, and informal vendor arrangements, features that define much of India’s MSME tech landscape, “raise risk overnight.”

He warns that “none of this is optional because the cost of a single failure can wipe out a young company’s balance sheet.”

Consent, retention, logs, breach reporting: A heavy operational lift

The DPDP Rules mandate explicit consent, purpose limitation, and tight retention timelines. They also require one-year log retention, 72-hour breach reporting, and grievance responses within 90 days.

These expectations, Karincheti says, “reset how India treats personal data” and demand immediate shifts in how young companies build products and manage customers. Every contract with a processor “will need mandatory security clauses,” and “logs and backups are not nice to have but essential controls.”

Grant Thornton Bharat’s Akshay Garkel notes the practical reality: more than 70% of India’s MSMEs rely on digital advertising, and around 60% depend on WhatsApp for Business.

Under DPDP, these firms must now “collect valid consent, map their data flows, and put in place grievance-mechanisms.” Garkel advises that even the smallest firms start with a basic data inventory: WhatsApp chats, CRM entries, ad cookies, followed by updating consent language and re-evaluating vendor contracts.

Infrastructure and security: The steepest hill for small businesses

MSMEs and early-stage startups typically lack dedicated privacy or cybersecurity teams, and many operate on legacy tools. As Siddharth Chandrashekhar, Advocate at the Bombay High Court, points out, the law demands encryption, tokenisation, activity logs and retention workflows—technical requirements that “demand significant infrastructure.”

He warns that SMEs will struggle with “implementing advanced security measures and consent frameworks,” especially without clarity on what constitutes “reasonable safeguards.” The absence of a reference standard such as ISO 27001 creates further uncertainty for resource-strapped companies.

Cross-border data flows remain unpredictable, adding to startup concerns

For startups working with global clients or cross-border data processors, transferring personal data abroad remains a grey zone. Chandrashekhar notes that the government’s broad discretion on international transfers “creates a certain level of unpredictability,” making it harder for exporters of services to plan data strategies.

Phased timelines help, but not enough for those starting from zero

The government has offered a staggered rollout:

• Some duties take effect immediately
• Consent-manager registration begins after one year
• Full obligations, including operational requirements, apply in 18 months

JSA Partner Raj Ramachandran says stakeholders “have about 12–18 months to comply… a welcome move,” but for MSMEs with no existing data frameworks, even 18 months will require accelerated execution.

EY’s Murali Rao emphasises the scale of the shift: the Rules “set fixed obligations” that will increase compliance, legal and operational costs. He calls this a “regulator-driven opportunity” that could turn privacy into a competitive advantage, if MSMEs treat it as a maturity-building exercise rather than a “checkbox.”

What makes this transition especially tough for small firms

Several experts point to structural barriers facing MSMEs:

• fragmented systems and poor documentation
• lack of in-house legal teams
• shadow IT and informal data practices
• missing data governance culture
• dependence on inexpensive third-party tools that may not be compliant

Karincheti sums up the challenge: “This is not a punitive moment. It is a maturity moment.” But for firms that ignore the shift, the financial risk is existential.

The road ahead: transformation, not patchwork fixes

Akshayy S. Nanda of Saraf and Partners frames the choice for organisations, big or small, as binary: embrace DPDP as a “transformational business initiative requiring executive sponsorship,” or attempt incremental patchwork fixes that will collapse under scrutiny.

His warning is sharp: those that choose the latter “will likely face enforcement action, financial penalties, and operational disruption beginning in May 2027.”

For MSMEs, the DPDP era marks more than compliance: it signals a structural change in how even the smallest Indian companies must handle personal data. Automation and privacy-tech tools may ease the burden, but the message from experts is clear: the clock is already ticking, and the window to prepare is far narrower than it seems.

First Published on Nov 15, 2025 8:58 AM