India’s newly notified Digital Personal Data Protection (DPDP) Rules are expected to significantly increase the compliance and operational costs for companies handling user data, including major data fiduciaries, digital platforms, financial institutions, and enterprises across sectors.
According to legal and industry experts, firms will need to upgrade or overhaul their data privacy frameworks, deploy digital consent management systems, strengthen data mapping processes, and build dedicated data protection offices — all of which will raise both capital and operational expenditure over the next 18 months.
DPDP Rules Timeline: Key Compliance Deadlines
The rules, published on November 14, outline a phased implementation plan:
- By November 2026, companies must put in place a data protection system and a digital consent management system for collecting and processing personal data in line with India’s new privacy law.
- By May 2027, businesses must establish advanced systems for data mapping, individualised consent workflows, granular bundled consent assessments, and mechanisms to track how personal data flows across internal and external systems.
These requirements apply to all organisations handling personal data in India, including banks, fintech firms, e-commerce platforms, telecom operators, IT service providers, digital payments firms, and social media companies.
Compliance Costs Expected to Rise for Companies & Data Fiduciaries
The DPDP Act introduces structural changes to how companies collect, store, process, and share personal data. As a result, both domestic and global firms operating in India will incur higher spending on:
- Data mapping and inventory systems, to track every instance of data collection, use, storage, sharing, and deletion.
- Digital consent management platforms, to ensure user consent, revocation mechanisms, and purpose limitation are implemented in compliance with MeitY’s DPDP rules.
- Data Protection Officers and privacy governance teams: enterprises classified as Significant Data Fiduciaries will need dedicated staff, robust reporting structures, and independent oversight processes.
- Audit, monitoring, and grievance redressal systems, to meet ongoing obligations for privacy audits, risk assessments, DPIAs, and user grievance handling.
Impact on Banks and Financial Institutions
Banks handle large volumes of sensitive personal data, placing them among the entities most affected by stricter compliance norms. Their already high IT budgets — currently 10–15% of overall expenditure — are expected to increase due to mandatory investments in:
- automated consent lifecycle management,
- data storage localisation processes,
- identity verification,
- and advanced cybersecurity controls.
Financial institutions may also need to reconfigure legacy systems to support explicit consent, data minimisation, and limited data retention policies mandated by the DPDP Act.
Why the DPDP Rules Will Increase Costs
Industry analysts highlight that the DPDP requirements introduce several new obligations for which most organisations currently lack the systems and processes:
- Purpose-specific consent instead of blanket or bundled consent
- Granular notice and transparency obligations
- Tracking third-party data sharing
- Deletion and withdrawal workflows for user data
- Data breach reporting compliance
- Stringent penalties for non-compliance
These factors will push companies to adopt advanced privacy tech, update IT architecture, and invest in governance teams, raising compliance spend significantly.
