India’s Data Privacy Rules: Will DPDP Act Compliance Costs Crush Startups?
Two years after the Digital Personal Data Protection (DPDP) Act laid the foundation for India’s privacy framework, the government has now notified the DPDP Rules 2025. The rules, which operationalise the DPDP Act, threaten to disrupt operations for a number of startups because of the heavy compliance burden they impose.
Where the DPDP Act only introduced broad ideas such as consent, deletion, user rights and breach disclosures, the new rules turn each of these ideas into strict, time-bound requirements that must be executed exactly as written.
The changes amount to one of the biggest regulatory shifts yet for young startups and small and medium businesses, and many bemoan the higher compliance burden.
Mishi Choudhary, technology lawyer and founder of the Software Freedom Law Center (SFLC), says the problem is that implementation unduly adds cost for smaller companies, which usually have fewer users and far fewer resources than tech giants.
“The rules are simple in words but will require investment in implementation. Large companies already have security and compliance teams, but it’s going to require a lot of restructuring and investments by smaller players.”
Case in point: under the new rules, any personal data breach must be reported within 48 hours, even if the company is still working out what went wrong. Every business is also required to retain complete data logs for at least a year.
The rules also call for automated deletion systems that warn users 48 hours before any of their data is erased. Businesses must set up a public channel through which users can request corrections and withdraw consent. According to recent reports, these timelines may be tightened further.
The pressure is heavier still for companies that fall into the category of Significant Data Fiduciaries, such as an edtech platform or a fast-growing D2C brand. These businesses handle large volumes of user data or sensitive information, and the law does not relax penalties based on company size.
A Lopsided Regulation?
Needless to say, most early-stage startups and SMEs do not have the infrastructure or resources to meet these obligations. With smaller teams and limited budgets, startups can expect to incur heavy compliance costs.
This is especially so because data-protection maturity is being thrust upon them. The rules expect them to follow audit-grade security standards and maintain detailed records. To do this, they will have to buy new tools,........