The great startup scramble for compliance clarity as privacy law deadline nears

With less than a year to go before the Digital Personal Data Protection (DPDP) Act takes effect, startups are scrambling to understand what the law requires of them, leading to a rise in legal and compliance queries since the draft rules were notified in November last year. Experts say some founders wrongly assume smaller businesses are exempt and many are hazy on where their data actually is, even as they all grapple with data mapping, third-party processing and artificial intelligence (AI)-related privacy obligations.

The Act, which governs how organizations process individuals’ digital personal data, must be complied with by 13 May 2027.

A major concern among startups is understanding whether the law applies to them and what obligations they have under different business models.

“The question that we usually encounter is, ‘Hey, is this even applicable to us?’ There has been enough confusion and rumours suggesting that there is an exception for small businesses,” said Malcolm Gomes, chief operating officer at IDfy, an identity verification company.

Under these privacy norms, there is, in fact, no automatic exemption based on a company’s size, revenue, or stage of growth. “There was a possibility of some dilutions in terms of timelines and other relaxations for specific types of entities, which can include startups. But nothing to this effect has been notified, and depending on the nature, extent, and sensitivity of processing, startups should expect to be treated at par with other entities,” said Arun Prabhu, Partner & Co-Head, Digital, TMT, Cyril Amarchand Mangaldas, a law firm.

Another major challenge faced by companies is simply to understand the basics of the personal data they hold, as different teams collect it through websites, apps, emails, and even offline forms. For example, a customer may share their phone number on a website, upload ID proof through an app, and later connect with customer support over phone or email. Now, even with all the data in their kitty, many companies struggle for clarity on where it is stored or who has access to it.

This is where data mapping becomes important. It means tracking personal data from the moment it is collected to where it is stored, who uses it, and who it is shared with.

“I ask organizations to share their data mapping and explain what kind of data they collect, where it comes from, how it enters the organization, and who the third parties are,” said Akshayy S. Nanda, partner at Saraf & Partners, a law firm. “A lot of organizations simply have no visibility into the amount of data they hold.”

The challenge becomes bigger when companies share data with third parties such as cloud providers, payment gateways or collection agencies. Under the DPDP Act, the company that decides why and how personal data is used is called a ‘data fiduciary’, while the one that handles data on its behalf is a ‘data processor’.

“Even in cases where these companies are data processors, clients are asking how to verify that third-party platforms have actually secured ‘free, specific, informed, and unconditional’ consent covering all service providers,” said Anupam Shukla, partner at law firm Pioneer Legal. “Businesses are aggressively updating their Data Processing Agreements and indemnity clauses to protect themselves.”

Experts say companies should know where their data is going, who can access it, and whether third parties are handling it in line with the law.

“Every third party handling that data should be contractually obligated to delete it once the purpose is served and provide proof that the data has been purged to the fiduciary,” said Gomes of IDfy.

Data-guzzling AI

Artificial intelligence needs massive data to train its algorithms. The DPDP Act doesn’t specifically regulate the technology, but Sections 4 and 6 apply: personal data can only be processed for a lawful purpose and based on the consent a person actually gives.

This creates a problem for AI-heavy startups in particular, since the Act doesn’t give companies a free pass to use public or aggregated data for training. As a result, these startups are looking for workarounds that let them keep building their models without breaching the law. Two approaches are emerging: masking sensitive data while preserving the context around it, and running automated filters that strip out personal details before they ever reach the model in the first place.
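The second approach described above, an automated filter that strips personal details out of training text before it reaches a model, as an added example that is not from the article or any company quoted in it. The patterns, placeholder labels and sample records are constructed for illustration; they cover the phone numbers and e-mail addresses the article mentions, not every kind of ID proof.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns (assumption: Indian mobile numbers and e-mail addresses
# are the fields most likely to leak into a training corpus). EMAIL runs before
# PHONE so that an address such as 9876543210@example.com is redacted whole
# instead of being split into "[PHONE]@example.com", which the e-mail pattern
# would then no longer recognise.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # optional +91 / 0 prefix, 10 digits starting 6-9, not embedded in a longer number
    "PHONE": re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{9}(?!\d)"),
}


@dataclass
class RedactionResult:
    text: str                      # record with personal fields replaced by typed placeholders
    counts: dict = field(default_factory=dict)   # how many of each field were removed


def redact(text: str) -> RedactionResult:
    """Mask personal fields with a typed placeholder so the surrounding context
    (what the customer asked, which product, the ticket reference) is preserved."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return RedactionResult(text, counts)


def filter_corpus(records):
    """Redact every record and return (clean_records, tally). The tally is the
    kind of evidence a fiduciary would keep to show personal data never reached
    the model; records that needed no redaction are passed through unchanged."""
    clean, tally = [], {}
    for record in records:
        result = redact(record)
        clean.append(result.text)
        for label, n in result.counts.items():
            tally[label] = tally.get(label, 0) + n
    return clean, tally


# Constructed sample support transcripts, not real customer data.
SAMPLE_RECORDS = [
    "Customer Ravi shared 9876543210 and ravi.k@example.com; ticket 4455667788 is open.",
    "Callback requested on +91-9123456789, alternate id 9876543210@example.com.",
    "Order delayed, no contact details given.",
]

if __name__ == "__main__":
    cleaned, tally = filter_corpus(SAMPLE_RECORDS)
    print("\n".join(cleaned))
    print(tally)
```

The 10-digit ticket number is left alone because it does not start with 6-9, which is the check that keeps order and ticket references usable as training context.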

“Organizations are particularly concerned that the outputs generated by AI systems could extend beyond the original purpose limitation and potentially expose them to allegations that personal data is being used in a manner inconsistent with the consent obtained,” said Ankur Singhania, partner at Rajani Associates, a law firm. “Consequently, they are reassessing their privacy notices, considering whether AI-based processing activities should be expressly disclosed, evaluating whether additional consent mechanisms may be required for certain use cases.”

“There has been an increase of around 20% in compliance-related work and queries around the DPDP Act. We are looking to expand our team in this practice area as clients are increasingly seeking our guidance to ensure they are DPDP-ready by March 2027,” Singhania said.

Experts also say many startups still underestimate the time and effort compliance will require.

“When the European Union introduced the General Data Protection Regulation (GDPR), businesses were given two years to prepare and were already operating under an established privacy framework. In India, companies are implementing a comprehensive data protection law for the first time, with less than 11 months to comply,” said Nanda. “Many assume compliance will be quick, and that is where they are going wrong.”

For startups, the challenges are manifold: from the drain on funds to talent- and time-intensive work and the sector’s evolving nature.

“As startups, our primary focus is survival. And it’s not just about the cost, it’s also about top management bandwidth, time, and effort. Compliance takes away focus from the business because we have to dedicate resources to it,” said the founder of a SaaS startup, who did not wish to be named. “On top of that, startup business models are constantly evolving, which creates additional compliance challenges. In one part of the business, I might just be a data processor because I’m providing a SaaS (software as a service) product. But in another part, let’s say I’m also a payment gateway, I become a data fiduciary. Understanding where those responsibilities begin and end is another complexity startups have to deal with.”
