On this page · 13 sections
- The deadline that actually matters
- What the rules actually require
- The penalty ladder
- What vendors quote versus what it costs
- Where the money actually goes
- What you can build yourself
- Are you a Significant Data Fiduciary? Probably not
- Retention: Schedule III mostly is not about you
- A 10-month plan from July 2026
- India-specific considerations
- FAQ
- How eCorpIT can help
- References
Summary. Full compliance with India's Digital Personal Data Protection Act is due on 13 May 2027. That is the date consent, notice, security safeguards, breach intimation and data-principal rights all become enforceable, and it is roughly 10 months away. The DPDP Rules 2025 were notified on 13 November 2025 and land in three phases: the Data Protection Board of India stood up immediately, penalties and Consent Manager registration begin on 13 November 2026, and everything else bites on 13 May 2027. The penalty schedule is not proportionate to your size: up to ₹250 crore for failing reasonable security safeguards, ₹200 crore for failing to notify a breach, and ₹150 crore for missing Significant Data Fiduciary obligations. There is no revenue or headcount exemption. The cost gap is where founders get hurt. Vendors routinely quote ₹15 lakh to ₹2 crore for DPDPA compliance, while a startup under 10,000 users can be substantively compliant for under ₹50,000 a year. India's privacy and data governance market is worth roughly $1 billion to $1.5 billion today, per IDfy founder Ashok Hariharan speaking to Inc42 in April 2026, and a lot of that revenue depends on you not reading the rules yourself.
This is a budgeting guide, not a legal opinion. The rules are short. Read them, then price the work.
The deadline that actually matters
There are three dates, and only one of them is a real deadline for most startups.
| Phase | Date | What switches on | Does it affect a typical startup? |
|---|---|---|---|
| Phase 1 | 13 November 2025 | Data Protection Board of India established, Rules notified | No direct obligation, but the Board can already receive complaints |
| Phase 2 | 13 November 2026 | Consent Manager registration opens, penalty framework and enforcement powers begin | Only if you intend to register as a Consent Manager |
| Phase 3 | 13 May 2027 | Notice, consent, security safeguards, breach intimation, retention, children's data, data-principal rights | Yes. This is your deadline |
Phase 2 confuses people. Consent Manager registration is not something a normal startup does. A Consent Manager is a regulated intermediary that lets people manage consent across fiduciaries, and Schedule I Part A of the Rules requires it to be a company incorporated in India with a net worth of at least ₹2 crore. If you are a D2C brand or a SaaS company, you are a Data Fiduciary, not a Consent Manager. You may use one. You do not register as one.
So the working number is 13 May 2027, and the planning horizon from mid-July 2026 is about 10 months.
What the rules actually require
Most cost estimates float free of the rules. Here is what the text says, rule by rule, and what each one costs in engineering terms.
Rule 3, notice. You must give the data principal a notice that is understandable independently of any other information, listing the personal data collected and the purpose. Engineering cost: low. This is copy plus a consent-capture screen.
Rule 6, reasonable security safeguards. Encryption, obfuscation, masking or virtual tokens; access control; logs and monitoring; backups; contractual terms with processors. Engineering cost: this is the big one, and most of it is work you should already be doing.
Rule 7, breach intimation. Two obligations fire the moment you become aware of a breach. You must tell each affected data principal without delay, in plain language, covering the nature and extent of the breach, likely consequences for them, your mitigation, safety measures they can take, and a contact. Separately you must tell the Board without delay, then file a detailed report within 72 hours of becoming aware, extendable only on written request. Engineering cost: moderate, and it is detection tooling, not paperwork.
That 72-hour figure is worth pinning down because secondary summaries drift. Rule 7(2)(b) says "within seventy-two hours of becoming aware of the breach". The notification to individuals and the first intimation to the Board are both "without delay", which is stricter than 72 hours, not looser.
Rule 8, retention. Data must be erased once the specified purpose is no longer served, with Schedule III setting default periods for large platforms.
Rule 13, Significant Data Fiduciary obligations. DPO, data protection impact assessment, annual audit, algorithmic due diligence. Only applies if the Central Government notifies you.
Rule 14, data-principal rights. Access, correction, erasure, grievance redressal, nomination. Engineering cost: moderate. This is a workflow, and it is the line item vendors price highest.
The technology lawyer Mishi Choudhary, founder of the Software Freedom Law Center, put the asymmetry plainly to Inc42 in November 2025:
"The rules are simple in words but will require investment in implementation. Large companies already have security and compliance teams but it's going to require a lot of restructuring and investments by smaller players." Mishi Choudhary, technology lawyer and founder, Software Freedom Law Center
She also made the point that decides your breach budget: "The reporting timelines are aggressive and will require external tooling. Forensic disclosures cannot be made within the expected timelines."
Read that as an engineering requirement. You cannot answer Rule 7 in 72 hours from cold logs.
The penalty ladder
| Failure | Maximum penalty | Rule or section | Realistic exposure for a startup |
|---|---|---|---|
| No reasonable security safeguards, leading to a breach | ₹250 crore | Schedule to the Act, Rule 6 | The headline number, applied proportionately |
| Failure to notify the Board or data principals of a breach | ₹200 crore | Rule 7 | High, because it is a process failure you control |
| Non-compliance with children's data provisions | ₹200 crore | Rules 10 to 12 | Only if you process children's data |
| Failure to meet additional SDF obligations | ₹150 crore | Rule 13 | Zero unless notified as an SDF |
| General breach of other obligations | Lower tiers | Schedule to the Act | Most likely category |
Two things founders misread here.
The ₹250 crore number is a maximum, not a tariff. Penalties can also stack: one incident can be both a safeguards failure and a notification failure.
The more useful observation is that the notification penalty is the one you fully control. A breach may happen despite good engineering. Missing the 72-hour report is a choice you made 18 months earlier when you decided not to instrument anything.
What vendors quote versus what it costs
The published quotes vary by a factor of 400. That is not a market. That is an information gap.
| Buyer profile | Typical vendor quote | What the same outcome costs built in-house | Source of the quote |
|---|---|---|---|
| Startup, under 10,000 users | ₹15 lakh to ₹2 crore | Under ₹50,000 a year | Consently, 2026 |
| SME, around 500,000 users | ₹15 lakh to ₹2 crore | ₹3 lakh to ₹8 lakh | Consently, 2026 |
| End-to-end consulting, startup or SME | ₹1.5 lakh to ₹2 lakh | Varies | TCSA, 2026 |
| End-to-end consulting, mid-market | ₹2 lakh to ₹3 lakh | Varies | TCSA, 2026 |
| Enterprise or SDF programme | ₹3 lakh to ₹4 lakh | Varies | TCSA, 2026 |
Treat every figure in that table with the incentive attached. Consently sells a consent management platform. TCSA sells DPDP consulting. Both figures come from companies whose revenue is the number they are quoting you. We are citing them because published neutral pricing for DPDP work does not exist, not because they are disinterested.
The market context explains the spread. India's privacy and data governance market is around $1 billion to $1.5 billion today with the potential to reach $3 billion to $4 billion over the next decade, per Ashok Hariharan, founder of IDfy, speaking to Inc42. IDfy's own revenue from operations rose to ₹188.5 crore in FY25 from ₹145 crore in FY24, and crossed ₹200 crore in FY26. A market that size, growing that fast, in front of a hard deadline, produces exactly the quoting behaviour above.
Where the money actually goes
Three cost centres, in the order they will actually consume budget.
Consent infrastructure. A consent record needs to be immutable, timestamped, versioned against the notice text, and queryable per data principal. Most startups already have a users table and no consent table. This is a schema and an API, not a product.
Data rights workflows. Access, correction and erasure requests need an owner, an SLA and an audit trail. This is where teams underestimate. Erasure is genuinely hard once data has fanned out into analytics, backups, logs, a data warehouse and three SaaS tools. The engineering cost is proportional to how many copies of personal data you made before anyone asked.
Governance footprint. Policies, processor contracts, breach runbook, logging. Cheap in rupees, slow in calendar time, because it needs decisions rather than code.
The real cost is almost never the consent banner. It is the erasure path through your data warehouse.
What you can build yourself
For a startup under 10,000 users with no children's data and no SDF notification, the compliant core is smaller than the quotes suggest. A consent record is roughly this shape:
create table consent_record (
id uuid primary key,
data_principal uuid not null references users(id),
purpose text not null, -- one row per purpose, never bundled
notice_version text not null, -- ties consent to the exact notice shown
status text not null, -- granted | withdrawn
granted_at timestamptz not null,
withdrawn_at timestamptz,
source text not null, -- signup | settings | consent_manager
evidence jsonb not null -- ip, user agent, rendered notice hash
);
create index on consent_record (data_principal, purpose, status);
Two design rules do most of the compliance work. One row per purpose, because bundled consent is not consent under the Act's purpose limitation. And notice_version with a hash of the rendered notice, because a year from now you must show what the person actually saw, not what your current privacy page says.
Withdrawal has to be as easy as granting. That is a product decision more than an engineering one, and it is the item most likely to fail an audit.
For Rule 7 readiness, the question to answer before May 2027 is narrow: if personal data leaked at 02:00 on a Sunday, how long until someone knows, and can you reconstruct the nature, extent, timing and affected-principal list within 72 hours? If the answer depends on grepping application logs by hand, that is your gap, and it is a detection and logging investment, not a legal one. Our notes on privacy-first AI architecture cover the data-flow mapping that makes this answerable.
Are you a Significant Data Fiduciary? Probably not
This is the single largest source of over-quoting, so it is worth being blunt.
An SDF is not a size category you grow into. The Central Government notifies you. A data fiduciary that is not notified is not an SDF, even if it processes very large data volumes, and a fiduciary that is notified is an SDF from the date of notification irrespective of size.
So the DPO, the DPIA, the annual audit and the algorithmic due diligence in Rule 13 are not on your roadmap unless you have been notified. If a proposal prices a DPO retainer and an annual audit for a Series A company that has not been notified, it is pricing obligations you do not have.
Retention: Schedule III mostly is not about you
Schedule III sets default retention of three years from the last interaction, but only for named classes at real scale: e-commerce entities with at least 2 crore registered users, online gaming intermediaries with at least 50 lakh registered users, and social media intermediaries with at least 2 crore registered users.
Below those thresholds, Rule 8's general principle applies instead: erase when the specified purpose is no longer served. That is a judgement your team documents, not a number the Rules hand you. The absence of a bright line is why this line item gets padded.
A 10-month plan from July 2026
Months 1 to 2, discovery. Map every place personal data lands. Not the diagram you wish were true, the one your warehouse actually shows. Most teams find between three and ten copies they had forgotten.
Months 3 to 4, consent and notice. Ship the consent schema, version the notice, unbundle purposes, build withdrawal.
Months 5 to 7, rights and erasure. Build access, correction and erasure end to end, including the awkward paths: backups, analytics, third-party processors. Give it an owner and an SLA.
Months 8 to 9, breach readiness. Detection, alerting, log retention, a runbook with named roles, and one tabletop exercise against the 72-hour clock. This is where Choudhary's tooling point converts into a purchase order.
Month 10, contracts and evidence. Processor terms, records of processing, and the file you would hand the Board.
Deliberately not on the list: registering as a Consent Manager, appointing a DPO, or commissioning an annual audit, unless you have been notified as an SDF. If your compliance spend is dominated by those three, someone sold you an enterprise programme for a startup problem.
India-specific considerations
DPDP applies to processing of digital personal data within India, and to processing outside India where it relates to offering goods or services to data principals in India. A Delaware-registered startup with Indian users is in scope. Incorporation abroad is not an exemption.
The Board operates as a digital office under Rule 20, so complaints and proceedings are online. That lowers the barrier for a complaint against a small company, which is the practical enforcement risk for startups: not a regulator-initiated sweep, but a single annoyed user who cannot get their data deleted.
Sector overlays still apply on top. Healthcare AI deployments carry CDSCO considerations alongside DPDP, which we set out in our healthcare AI deployment guide, and public-sector AI work interacts with the IndiaAI Mission framework covered in our sovereign AI analysis. We design applications aligned with DPDP requirements rather than certifying compliance, because DPDP has no certification to hold.
FAQ
How eCorpIT can help
eCorpIT is a CMMI Level 5 certified, senior-led engineering organisation in Gurugram that treats DPDP as an engineering problem rather than a document exercise. We map where personal data actually lands, build consent and erasure paths that survive an audit, and get breach detection to the point where a 72-hour Rule 7 report is answerable. We design applications aligned with DPDP requirements and will tell you plainly which obligations do not apply to you. Talk to our team via /contact-us/ about a DPDP readiness review before the May 2027 deadline.
References
- Rule 7: Intimation of personal data breach. DPDP Rules 2025 text
- Rule 4: Registration and obligations of Consent Manager. DPDP Rules 2025 text
- Schedule I Part A: Conditions of registration of Consent Manager. DPDP Rules 2025 text
- India's Data Privacy Rules: Will DPDP Act Compliance Costs Crush Startups?. Inc42, 19 November 2025
- As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?. Inc42, 16 April 2026
- DPDP Act Compliance Cost in India: A Real Breakdown for Startups, SMEs and Enterprises. Consently, 2026
- Consent Managers under India's DPDP Act and DPDP Rules. AZB and Partners
- Enforcement of the DPDP Act and notification of the DPDP rules. Shardul Amarchand Mangaldas and Co
- How DPDP Rules 2025 Affect Data Fiduciaries and SDFs. Medianama, November 2025
- DPDP Act and Rules: Practical Overview, 2026 Edition. Glocert International
- Schedule III: class of data fiduciaries, purposes and time periods. DPDP Rules 2025 text
- Rule 8: Time period for specified purpose to be deemed as no longer being served. DPDP Rules 2025 text
- Rule 13: Additional obligations of Significant Data Fiduciary. DPDP Rules 2025 text
- Rule 3: Notice given by Data Fiduciary to Data Principal. DPDP Rules 2025 text
- Rule 6: Reasonable security safeguards. DPDP Rules 2025 text
- Rule 14: Rights of Data Principals. DPDP Rules 2025 text
- Rule 20: Functioning of Board as digital office. DPDP Rules 2025 text
Last updated: 16 July 2026.