Experts are warning that efforts to compress compliance timelines under India’s Digital Personal Data Protection (DPDP) Rules could unintentionally penalise both large corporations and startups by overloading them with complex obligations too quickly. At a media briefing hosted by Ingovern Research Services, speakers cautioned that moving from an 18‑month transition to 12 months or immediate enforcement risks creating disproportionate costs, regulatory uncertainty and investor anxiety at a critical phase for India’s digital economy.​
Compressed Timelines Turn Compliance into a Structural Risk
Participants at the briefing stressed that industry is not resisting the DPDP framework itself, but the speed and manner of implementation. Obligations such as mandatory one‑year retention of personal data, traffic data and processing logs require deep changes to technology architecture, governance and contractual arrangements, which cannot be meaningfully completed in a compressed timeframe.
Speakers argued that without sufficient time, guidance and clarity, compliance could become a recurring operational burden, particularly for large enterprises with complex systems and for startups without surplus storage, legal or compliance capacity.​
Startups and Investors Face Disproportionate Impact
Startups and MSMEs are seen as the most exposed, given that many are still building basic compliance capabilities and lack access to specialised privacy and security expertise. Mandatory retention and audit‑readiness would divert scarce capital from product development and growth into infrastructure and legal costs, potentially shortening runways and slowing innovation.
Investors are already watching timelines and enforcement closely; with penalties and enforcement practices still unclear, it becomes difficult to model regulatory risk, which can directly affect funding decisions and valuations.​
Uncertainty Around SDFs and Enforcement Readiness
Experts also flagged ambiguity around how and when entities will be designated as Significant Data Fiduciaries (SDFs), even as SDF‑specific obligations—such as audits, DPIAs and algorithmic accountability—are proposed to be fast‑tracked. Without knowing whether they will fall into the SDF category, companies cannot plan budgets, staffing or governance structures in advance, increasing the risk of last‑minute, reactive compliance.
Concerns were raised about enforcement readiness as well: with the Data Protection Board empowered to act digitally and individuals able to complain easily, premature enforcement could lead to a surge of disputes and compliance anxiety, especially for startups without in‑house legal teams.​
Call for Predictable, Phased and Proportionate Rollout
Panelists urged policymakers to retain the originally notified 18‑month transition period and to adopt a phased, risk‑based implementation approach aligned with global precedents such as the GDPR’s two‑year runway.
They emphasised that effective data protection depends not only on strict rules but also on predictable timelines, sector‑specific guidance and supervisory engagement that allow organisations of all sizes to adapt their systems and culture. Done well, India could set a benchmark for data protection in emerging digital economies by balancing strong citizen safeguards with the need to preserve startup momentum and innovation‑friendly conditions.​
