Shivalika Sharma [First Author]
Abstract
The implementation of the Digital Personal Data Protection (DPDP) Act, 2023, is a watershed event in India’s data privacy regulatory environment. While the Act aims to improve data protection and accountability among digital platforms, its execution presents particular obstacles for Indian start-ups. This article investigates the compliance challenges these businesses confront, including financial, technological, and operational limits. By assessing the Act’s major provisions, comparing them with the GDPR and with previous Indian law, and examining real-life start-up examples, it gives a comprehensive assessment of how India’s innovation ecosystem must adjust to the evolving legal environment. The study concludes with actionable recommendations for legislators and start-up founders on balancing privacy protection with commercial sustainability.
- Introduction
Data has become a vital asset in today’s rapidly digitalizing global economy, and safeguarding it is of utmost importance. With the passage of the Digital Personal Data Protection Act, 2023 (DPDP Act), India, with its quickly growing digital environment and start-up ecosystem, has taken a major step towards protecting personal data. By establishing a comprehensive legal framework for the protection of personal data in the digital age, the law represents a fundamental change. Even though its goal is to promote a safe and responsible data-driven economy, the DPDP Act presents a new reality for businesses, especially Indian start-ups, which frequently have tight finances and aggressive growth targets.
1.1 Background of data privacy in India
The Information Technology Act, 2000 (IT Act) and its companion Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) largely regulated India’s data protection environment prior to the DPDP Act. Although these laws provided a basic foundation, they lacked the comprehensive provisions required to govern the collection, use, and transfer of personal data in an increasingly digital corporate environment.
The Supreme Court’s landmark decision in Justice K. S. Puttaswamy (Retd.) v. Union of India in 2017 marked a turning point. A nine-judge constitutional bench firmly upheld the fundamental right to privacy as part of Article 21 (Right to Life and Personal Liberty) of the Indian Constitution. This ruling acted as the constitutional push that set the creation of a comprehensive national data protection regime in motion. Several drafts followed before the Digital Personal Data Protection Act, 2023, India’s first comprehensive data privacy law, was finally enacted on August 11, 2023.
1.2 Significance of data protection for start-ups
Understanding and adhering to data privacy regulation is not just a legal requirement but also a strategic necessity for Indian start-ups. Beyond helping a company avoid steep fines for non-compliance, strong data protection brings several important benefits:
- Better data security: Putting cybersecurity measures such as encryption and access controls in place means data is managed and safeguarded more effectively, reducing the risk of data breaches.
- Data management and operational efficiency: Compliance tooling that keeps consistent data on a single platform supports efficient data management, which improves accountability and decision-making.
- Competitive advantage: A large majority of customers (94%) prefer businesses that value data security and privacy. By focusing on data protection, companies can gain a competitive edge and attract partners and consumers who care about privacy.
- Savings: By averting costly data breaches and legal liabilities, proactive compliance can prove financially advantageous over time.
- Improved customer trust: Educating consumers about data practices and backing that up with demonstrable compliance can boost brand support and engagement.
- Alignment with international requirements: Adherence to India’s data privacy regulation also helps bring start-ups into line with international data protection requirements, which is essential for companies doing business abroad or serving clients from across the world.
1.3 Need for compliance under DPDP Act, 2023
The DPDP Act, 2023 represents a paradigm shift in India’s data privacy regime, placing a strong emphasis on business accountability, user rights, and regulatory supervision. It lays down precise rules for the collection, processing, and storage of digital personal data, requiring accountability, data minimization, and informed consent. The Act extends its scope to international companies that offer goods or services to Indian consumers, and it applies to any digital personal data processed in India, whether first collected digitally or subsequently digitized.
The following are important clauses that start-ups must abide by:
- Consent-based processing: Data Principals (the individuals whose data is processed) must give free, specific, informed, unconditional, and unambiguous consent through a clear affirmative action to Data Fiduciaries (the organizations that determine the purpose and means of processing).
- Purpose limitation and data minimization: Start-ups should collect only the personal data necessary for the stated purpose, because personal data may be processed only for the purpose for which consent was given.
- Security measures: To prevent personal data breaches, businesses must implement reasonable security safeguards such as encryption, obfuscation, masking, and access controls.
- Data Principal rights: The Act gives individuals the right to access, correct, and erase their personal data, as well as a right to grievance redressal.
- Breach notification: Data Fiduciaries must notify both the affected Data Principals and the Data Protection Board of any personal data breach. The Act itself sets no fixed deadline; the draft DPDP Rules require affected principals to be informed without delay and a detailed report to be furnished to the Board within 72 hours of becoming aware of the breach.
- Cross-border data transfer: The Act permits transfer of personal data outside India except to countries on a “negative list” that the Central Government has yet to notify, which multinational operations must navigate carefully.
- Children’s data protection: Strict rules prohibit tracking, behavioural monitoring, and targeted advertising directed at children, and require verifiable parental consent before processing the data of anyone under 18.
Non-compliance carries serious consequences, including penalties of up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach.
1.4 Research objectives and scope
The purpose of this study is to examine the unique compliance issues that Indian start-ups encounter under the Digital Personal Data Protection Act, 2023. It explores the subtleties of the Act’s requirements in relation to start-ups’ particular operating models and resource limitations. The paper’s scope is restricted to the immediate effects on Indian start-ups of the DPDP Act, 2023 and its draft rules, with an emphasis on important compliance areas and remaining ambiguities.
1.5 Hypothesis
The following research questions are the focus of this paper’s investigation:
- What are the main financial and operational obstacles that Indian start-ups face in complying with the DPDP Act, 2023, particularly given their lack of specialized legal skills and limited resources?
- How do the uncertainties surrounding start-up exemptions and the designation of “Significant Data Fiduciaries” (SDFs) affect their capacity for innovation and their compliance strategies?
- What are the real-world challenges for start-ups in putting robust consent management systems in place and guaranteeing verifiable parental consent for children’s data in accordance with the Act?
- What difficulties do companies with immature technology infrastructure face in meeting the Act’s requirements for prompt breach notification and technical security safeguards?
- What effects would the DPDP Act’s restrictions on cross-border data transfer have on Indian start-ups that operate internationally or depend on foreign cloud services?
- Legal framework
This section offers a thorough analysis of the Digital Personal Data Protection Act, 2023, stressing its salient features and contrasting it with earlier Indian data protection legislation as well as international norms.
2.1 Overview of the DPDP Act, 2023
India’s first comprehensive data privacy law is the Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent on August 11, 2023. It creates a strong legal foundation for safeguarding personal information in the digital age, with emphasis on user rights, business accountability, and regulatory supervision. The Act does not govern non-personal data or data that remains in non-digital form; its purview is restricted to digital personal data, including data collected offline and later digitized for processing. All digital personal data processed in India is covered, and the Act’s jurisdiction also extends to overseas companies that offer goods or services to Data Principals in India.
2.2 Key provisions relevant to start-ups
- Consent mechanism: Lawful processing, a pillar of the DPDP Act, essentially requires the Data Principal’s consent. Consent must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. At or before the time of seeking consent, the Data Fiduciary must give the Data Principal a notice describing the personal data to be collected and the purpose of processing, with the option to access it in English or any of the twenty-two languages listed in the Eighth Schedule to the Constitution. The Act also introduces Consent Managers, entities registered with the Data Protection Board (DP Board) that serve as a single point of contact through which Data Principals can give, manage, review, and withdraw consent on an accessible, transparent, and interoperable platform. Start-ups must set up procedures to securely collect, handle, and record user consent in order to comply. Nonetheless, the Act leaves questions open about the lifecycle of consent, for example whether consent can be withdrawn for some purposes but not others, and how long records of consent must be kept.
- Data Fiduciaries and Significant Data Fiduciaries: Any organization that determines the purpose and means of processing personal data, including social media platforms, online marketplaces, and payment service providers, is a Data Fiduciary. These organizations are responsible for ensuring that processing principles are followed, obtaining clear and informed consent, and honouring users’ rights to access, correct, and erase data. The Act further introduces Significant Data Fiduciaries (SDFs), designated by the Central Government on the basis of factors such as the volume and sensitivity of personal data processed and the potential risk to the rights of Data Principals. Additional obligations for SDFs include appointing a Data Protection Officer (DPO) based in India, who acts as the main point of contact for compliance and grievance redressal, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments. Start-ups may be exempted from some obligations, but those that handle sensitive personal data or operate at scale may be designated SDFs and held to these extra standards. Start-ups face uncertainty because the draft rules do not yet clearly define the thresholds for SDF designation.
- Cross-border data transfers: The DPDP Act allows personal data to be transferred outside India except to countries on a “negative list” that the Indian government has not yet notified. This approach emphasizes sovereignty in data governance by giving the government considerable control over global data flows. For start-ups, it entails managing the ambiguity around the eventual “negative list” and, for international groups, ensuring that Indian requirements are met alongside those of other jurisdictions.
- Notification of data breaches: Reporting personal data breaches is a central obligation of Data Fiduciaries. The Act requires every breach to be reported to the affected Data Principals and to the Data Protection Board (DP Board). The draft rules add the timing and content: affected principals are to be informed without delay, the Board is to be informed without delay and then given a detailed report within 72 hours of the fiduciary becoming aware of the breach, and the report must cover the nature, extent, timing, and likely impact of the breach together with the mitigation measures taken. Notifications must be prompt, unambiguous, and concise.
- Penalties and grievance redressal: The DPDP Act imposes severe sanctions for non-compliance, with penalties of up to ₹250 crore (about $30 million) for the most serious violations. Failures relating to security safeguards, consent obligations, and children’s data may also attract penalties. The Act establishes the Data Protection Board of India to supervise its application and enforcement. The Board is intended to operate as a digital-first adjudicatory body with the authority to inquire into complaints, monitor compliance, direct remedial action, and impose penalties.
- Protection of children’s data: The DPDP Act has strict rules for safeguarding children’s data. Data Fiduciaries must obtain verifiable parental consent before processing the data of persons under the age of 18, the age of consent being set uniformly at 18. The Act also forbids tracking, behavioural monitoring, and targeted advertising directed at children, as well as any processing likely to cause a detrimental effect on a child’s well-being. The draft rules exempt certain processing from the parental consent requirement, for instance where an educational institution or a provider operating under a government contract processes children’s data as part of delivering an educational or government service.
2.3 Comparison between IT Act, 2000 and GDPR
The DPDP Act significantly improves on India’s prior data protection regime and invites comparison with international norms such as the GDPR.
- SPDI Rules of 2011 and the IT Act of 2000: The Information Technology Act, 2000 (IT Act) and its companion Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) largely regulated India’s data protection framework until 2023. Although they provided a basic framework, they lacked extensive provisions for the collection, processing, and transfer of personal data in a digital setting. Where the SPDI Rules required written consent only for sensitive personal data, the DPDP Act requires a clear notice and consent for all personal data processing. The DPDP Act requires notification of every breach, whereas the IT Act and SPDI Rules did not require affected individuals to be notified at all. The DPDP Act requires Significant Data Fiduciaries to appoint a Data Protection Officer (DPO) based in India, while the SPDI Rules required only a grievance officer. Finally, children’s personal data was not specifically addressed by the IT Act or SPDI Rules; the DPDP Act’s strict rules now fill this gap.
- General Data Protection Regulation (GDPR): The GDPR and the DPDP Act both apply beyond national borders, reaching organizations that process personal data within their respective territories or offer goods and services to individuals there.
- Scope: Material scope is a crucial difference. The DPDP Act excludes purely offline records and restricts itself to digital personal data, including offline data that is later digitized. The GDPR, by contrast, applies to personal data whether or not it is digital, provided it is processed by automated means or forms part of a filing system.
- Definitions: The GDPR distinguishes “special categories” of personal data (such as health, religion, and biometrics) from general personal data, with the special categories subject to stronger protections. The DPDP Act does not distinguish sensitive or critical categories; it applies one uniform standard to all digital personal data.
- Consent: The definition of consent is quite similar in both statutes: it must be free, specific, informed, and unambiguous, given through a clear affirmative action. The DPDP Act adds the word “unconditional” to underline user autonomy.
- Stakeholders: The GDPR divides organizations that handle data into data controllers and data processors, both of which bear direct obligations. Like GDPR controllers, the DPDP Act’s Data Fiduciaries are primarily responsible for compliance, while Data Processors have fewer direct duties.
- Grounds for processing: The GDPR provides several legal bases for processing, such as contractual necessity, public interest, and legitimate interests. The DPDP Act relies principally on consent, with a closed list of “legitimate uses” covering cases such as voluntary provision of data, state functions, medical emergencies, and legal compliance.
- Distinctive features: Consent Managers, registered entities that give Data Principals a single interface for giving and withdrawing consent, are a novel feature of the DPDP Act with no GDPR counterpart.
- Breach notification: The GDPR applies a risk threshold: the supervisory authority must be notified within 72 hours unless the breach is unlikely to result in a risk to individuals, and individuals themselves must be told only where the risk is high. The DPDP Act, regardless of severity, requires every breach to be reported to the Data Protection Board and to the affected Data Principals.
- Cross-border data transfers: The GDPR governs transfers through adequacy decisions, standard contractual clauses, and binding corporate rules. The DPDP Act takes a centralized approach that emphasizes sovereignty in data governance, empowering the Indian government to notify the countries to which transfer is restricted.
- Children’s data protection: The GDPR lets member states set the age of digital consent anywhere between 13 and 16. The DPDP Act sets the age uniformly at 18, requires verifiable parental consent, and prohibits certain practices such as targeted advertising to children.
- Penalties: Non-compliance carries severe penalties under both regimes. The GDPR allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (the largest fine imposed so far, €1.2 billion, was levied in 2023), while the DPDP Act provides for penalties of up to ₹250 crore (about $30 million) for the most serious violations.
- Rights: Both the DPDP Act and the GDPR give individuals similar rights, including access, erasure, rectification, notice, and grievance redressal. However, the GDPR provides a wider set of individual rights, such as data portability and particular safeguards against.
- Challenges faced by Indian startups
Despite creating a modern data protection framework, the Digital Personal Data Protection Act, 2023 (DPDP Act) presents a number of noteworthy obstacles for Indian start-ups. Their lean operations, strong emphasis on rapid growth, and often limited resources make compliance with the new law especially difficult. This section explains in detail the difficulties that start-ups face in complying with the DPDP Act.
3.1 Financial and resource constraints
Start-ups usually have limited resources and prioritize funding for the development of their core products and market expansion. This practical reality makes it very difficult to allocate enough budget and staff to data privacy compliance. Achieving and sustaining compliance with the DPDP Act carries significant expenses: drafting and implementing robust data privacy policies and processes, and investing in secure data infrastructure, encryption, access control systems, and data loss prevention (DLP) solutions. Start-ups may additionally have to pay for Data Protection Impact Assessments (DPIAs) for high-risk processing, engage cybersecurity and legal consultancies for advice and audits, and possibly integrate with (or operate) Consent Managers. For businesses with little funding, these costs can be a major hardship that diverts capital from growth. Unlike established enterprises, the majority of Indian start-ups lack dedicated data privacy teams and in-house legal departments. This forces them either to rely on outside legal counsel, which is expensive, or to shift the compliance burden onto non-specialist staff, which raises the likelihood of misunderstanding and non-compliance.
3.2 Technical barriers
Start-ups, which frequently have immature IT infrastructure, face unique technical hurdles because the DPDP Act requires technological safeguards and careful management of data flows. The Act requires Data Fiduciaries to maintain “reasonable security safeguards” to prevent personal data breaches. In practice this means a strong technical foundation: encryption of data in transit and at rest, strict access controls and authentication, pseudonymization and anonymization where practical, and effective incident response plans and tooling for rapid breach detection and containment. Many start-ups cannot afford the ongoing investment and specialized expertise needed to build and maintain such controls. Furthermore, the Act’s “negative list” approach to cross-border transfers raises questions even though it does not require data localization. Start-ups that depend on foreign cloud providers or operate abroad may face serious difficulties if their chosen processing locations end up on the negative list. Should that require an expensive migration of data to permitted jurisdictions or the use of local data centres, scalability and operational flexibility would suffer.
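As an added illustration of the pseudonymization and masking controls mentioned above (example code written for this page, not taken from the article or from any company it names), the Python below replaces a user identifier with a keyed HMAC pseudonym, masks contact fields before a record reaches an analytics pipeline, and shows why an unkeyed hash is not pseudonymization for low-entropy values such as a PIN: the candidate space is small enough to enumerate. The key, field names and sample record are constructed for the demonstration.

```python
"""Keyed pseudonymization and field masking (added example; the key, field
names and sample record below are constructed, not from the article)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key. In production the key lives in a KMS/HSM and is
# stored apart from the data, so an analytics dump cannot be re-identified
# without a separate access grant to the key.
DEMO_KEY = b"demo-pseudonymization-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = DEMO_KEY) -> str:
    """Stable keyed pseudonym: same input -> same token, so records can still
    be joined, but recovering the input requires the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def mask_phone(phone: str) -> str:
    """Keep only the last four digits; spaces, '+' and dashes are dropped."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Show the first character of the local part and the full domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "*" * len(email)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def pseudonymize_record(record: Dict[str, str], key: bytes = DEMO_KEY) -> Dict[str, str]:
    """The view an analytics pipeline should receive: identifier replaced by a
    keyed pseudonym, contact fields masked, non-identifying fields unchanged."""
    out = dict(record)
    if "user_id" in out:
        out["user_id"] = pseudonymize(out["user_id"], key)
    if "phone" in out:
        out["phone"] = mask_phone(out["phone"])
    if "email" in out:
        out["email"] = mask_email(out["email"])
    return out


def unkeyed_hash(value: str) -> str:
    """The weak alternative often mistaken for pseudonymization: plain SHA-256."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover_unkeyed_pin(digest: str) -> Optional[str]:
    """Reverse an unkeyed hash of a 4-digit PIN by trying all 10,000 values.
    The same attack reaches phone numbers or dates of birth with a little
    more compute; HMAC with a secret key removes it entirely."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    sample = {"user_id": "u-1001", "phone": "+91 98765 43210",
              "email": "alice@example.com", "city": "Pune"}   # constructed record
    print(pseudonymize_record(sample))
    print(recover_unkeyed_pin(unkeyed_hash("4321")))
```

The design point is the key: a pseudonym that anyone can recompute from the raw identifier gives no protection once the identifier space is guessable, whereas a keyed pseudonym moves the re-identification risk onto the key, which can be access-controlled, rotated and audited like any other secret.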
3.3 Lack of awareness
A key difficulty derives from a widespread lack of understanding of data privacy regulation, particularly among start-up founders and early-stage teams. Founders are often domain specialists in technology, business development, or marketing, but may have limited knowledge of complex legal frameworks such as data protection law. This knowledge gap can lead to an underestimation of compliance risks and requirements during the early phases of product development. The Act’s core ideas of “consent” and “data minimization” are also commonly misunderstood. Start-ups may assume that a single “I agree to the terms and conditions” button is sufficient consent, or that collecting more data is always useful for future analytics, without appreciating the “free, specific, informed, unconditional, and unambiguous” character of valid consent or the principle of collecting only data necessary for the stated purpose. This misconception results in over-collection of data and improper consent practices, exposing the organization to compliance violations.
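As an added example (written for this page, not part of the article or any company’s code), the Python sketch below shows what the consent requirements in section 2.2 and the misconceptions just described look like when turned into code: a purpose registry fixes the minimum fields each purpose may collect, consent is recorded per purpose and can be withdrawn at any time, and the collection path fails closed when consent is missing, a box was pre-ticked, a child is targeted with a prohibited purpose, or a form asks for more than its purpose needs. Purpose names, field names, the in-memory store and the sample principals are all constructed assumptions.

```python
"""Purpose-bound consent ledger: added example with constructed purposes and data."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purpose registry: the minimum fields each purpose needs. Anything beyond
# the set is over-collection under purpose limitation / data minimization.
PURPOSES: dict[str, set[str]] = {
    "account_login": {"email", "password_hash"},
    "order_delivery": {"name", "address", "phone"},
    "marketing_email": {"email"},
    "targeted_ads": {"browsing_history"},
}
# Processing the Act bars for children irrespective of any consent given.
CHILD_PROHIBITED = {"targeted_ads", "behavioural_tracking"}


class ConsentError(Exception):
    """Raised wherever processing must fail closed."""


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    notice_version: str                 # which notice text the principal saw
    withdrawn_at: datetime | None = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Principal:
    principal_id: str
    is_child: bool = False
    parental_consent_verified: bool = False
    consents: dict[str, ConsentRecord] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)     # evidence trail


def give_consent(p: Principal, purpose: str, notice_version: str,
                 affirmative_action: bool) -> None:
    """Record consent for ONE purpose; a blanket 'I agree' has no purpose to bind to."""
    if purpose not in PURPOSES:
        raise ConsentError(f"unknown purpose {purpose!r}")
    if not affirmative_action:          # pre-ticked box, silence or inactivity
        raise ConsentError("consent needs a clear affirmative action")
    if p.is_child and purpose in CHILD_PROHIBITED:
        raise ConsentError(f"{purpose!r} is prohibited for a child")
    if p.is_child and not p.parental_consent_verified:
        raise ConsentError("verifiable parental consent required first")
    now = datetime.now(timezone.utc)
    p.consents[purpose] = ConsentRecord(purpose, now, notice_version)
    p.audit.append(f"{now.isoformat()} consent given: {purpose} via {notice_version}")


def withdraw_consent(p: Principal, purpose: str) -> None:
    """Withdrawal is always available and idempotent."""
    rec = p.consents.get(purpose)
    if rec is not None and rec.active:
        rec.withdrawn_at = datetime.now(timezone.utc)
        p.audit.append(f"{rec.withdrawn_at.isoformat()} consent withdrawn: {purpose}")


def can_process(p: Principal, purpose: str) -> bool:
    rec = p.consents.get(purpose)
    return rec is not None and rec.active


def collect(p: Principal, purpose: str, data: dict[str, str]) -> dict[str, str]:
    """Accept data only with active consent for this purpose and only the fields
    it needs; a form that asks for more is rejected, not stored 'for later'."""
    if not can_process(p, purpose):
        raise ConsentError(f"no active consent for {purpose!r}")
    extra = set(data) - PURPOSES[purpose]
    if extra:
        raise ConsentError(f"over-collection for {purpose!r}: {sorted(extra)}")
    return dict(data)


def _rejected(fn) -> bool:
    """True if fn() failed closed with ConsentError."""
    try:
        fn()
    except ConsentError:
        return True
    return False


def demo() -> dict[str, object]:
    """Constructed walkthrough; returns the outcomes so they can be checked."""
    adult = Principal("p-adult")
    give_consent(adult, "order_delivery", "notice-v2", affirmative_action=True)
    over = _rejected(lambda: collect(adult, "order_delivery",
                     {"name": "A. Sharma", "address": "Pune", "phone": "9000000000", "dob": "x"}))
    order = collect(adult, "order_delivery",
                    {"name": "A. Sharma", "address": "Pune", "phone": "9000000000"})
    withdraw_consent(adult, "order_delivery")
    child = Principal("p-child", is_child=True, parental_consent_verified=True)
    return {
        "collected": order,
        "after_withdrawal": can_process(adult, "order_delivery"),
        "overcollection_rejected": over,
        "preticked_rejected": _rejected(lambda: give_consent(
            adult, "marketing_email", "notice-v2", affirmative_action=False)),
        "child_ads_rejected": _rejected(lambda: give_consent(
            child, "targeted_ads", "notice-v2", affirmative_action=True)),
        "audit_entries": len(adult.audit),
    }
```

Two choices are deliberate. Consent is keyed by purpose rather than stored as one boolean, so withdrawing consent for marketing cannot silently affect order fulfilment and vice versa, which is what “specific” consent means operationally. And over-collection raises instead of quietly dropping the extra fields, because the fix belongs in the form that asked for them, not in a filter that hides the problem.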
3.4 Operational burden
Implementing the DPDP Act’s requirements necessitates considerable changes to everyday operations, increasing the administrative and regulatory load on businesses. Not every company must immediately appoint a Data Protection Officer (DPO), but the Act’s Significant Data Fiduciary (SDF) category carries that obligation, with the DPO required to be based in India. As start-ups grow and handle larger volumes or more sensitive data, they may be designated SDFs and need to identify and onboard a qualified DPO at short notice. The role requires a specialized skill set and commands a high salary, further straining resources. Start-ups must also publish comprehensive, intelligible privacy notices that clearly describe their data collection, processing, and storage practices, and build user-friendly ways for Data Principals to exercise their rights to access, correct, and erase data or withdraw consent. This means re-engineering user interfaces, backend systems, and internal procedures, which can amount to a significant operational overhaul.
3.5 Sector specific concerns
Certain sectors face distinctive compliance issues under the DPDP Act owing to the nature and sensitivity of the data they handle. Fintech businesses, for example, process highly sensitive financial information. Compliance entails strict security measures, specific consent for financial activities, and careful handling of KYC (Know Your Customer) data; the value of that data makes them attractive targets for attackers and demands strong data integrity and confidentiality. EdTech platforms routinely collect data from children (under the age of 18), which is subject to the Act’s strict requirements of verifiable parental consent and prohibitions on tracking, behavioural monitoring, and targeted advertising to children. This disrupts business models that rely on personalization through behavioural monitoring or on showing advertisements to minors, and the difficulty of providing trustworthy parental verification is a key operational challenge. Similarly, HealthTech organizations handle extremely sensitive health and medical information. Although the DPDP Act, unlike the GDPR, does not designate such data as “sensitive,” it still calls for the highest degree of protection and the most careful consent. This sector faces particularly complicated issues around patient data privacy, interoperability without sacrificing security, and sharing with third-party service providers.
3.6 Uncertainty in regulatory interpretation
As a new piece of law, the DPDP Act still has several areas that require clarification, leaving regulatory interpretation uncertain. The Act establishes a framework, but many operational details and specific implementation guidance are expected to come through subsequent rules and notifications. The absence of explicit criteria for matters such as what counts as “reasonable security safeguards,” the thresholds for SDF designation, and detailed consent management methods forces companies to operate in a grey area. As the Data Protection Board begins operating, jurisprudence will develop, and start-ups will need to stay nimble and adapt to new interpretations and precedents, which is hard for businesses with minimal legal resources.
Understanding these obstacles in the abstract is important, but looking at how real Indian start-ups are managing the DPDP Act offers practical insight. While the Act is new and public enforcement is still taking shape, the preparation efforts and ongoing difficulties of key players are instructive.
4.1 Compliance Efforts of Leading Indian Startups
Major Indian start-ups, particularly those in data-intensive industries, have begun to reconsider their data handling practices in preparation for the DPDP Act’s full implementation.
- Paytm (Fintech): As a major participant in digital payments and financial services, Paytm handles a large volume of personal and financial data. Its DPDP compliance involves:
- Enhanced consent mechanisms: A shift toward more specific and explicit consent for different processing activities, notably financial transactions and value-added services. This necessitates redesigning user interfaces and backend systems to capture and maintain consent reliably, ensuring it is “free, specific, informed, unconditional, and unambiguous.”
- Robust data security: Because of its role in financial transactions, Paytm already operates under stringent security requirements. The DPDP Act nonetheless emphasizes “reasonable security safeguards,” so encryption, access controls, fraud detection, and breach response procedures must be reviewed and improved regularly to comply with the Act and avoid penalties of up to ₹250 crore for a breach.
- Significant Data Fiduciary (SDF) obligations: Paytm is likely to be designated an SDF because of its size and the sensitive nature of the data it processes. Additional responsibilities would include appointing a Data Protection Officer (DPO) in India, conducting Data Protection Impact Assessments (DPIAs), and undergoing periodic data audits.
- Razorpay (Fintech/payment gateway): Razorpay, a payment gateway and business banking platform, handles sensitive financial data for a wide range of businesses and their customers. Its compliance path mirrors Paytm’s, with an added emphasis on its intermediary role:
- Data Fiduciary vs. Data Processor clarification: Razorpay must determine explicitly whether it acts as a Data Fiduciary or a Data Processor for each data flow. Where it is a Data Fiduciary, it must comply directly with consent, security, and Data Principal rights obligations. Where it processes data on behalf of other firms, it must operate under contracts that satisfy the Act, ensuring that the Data Fiduciary’s instructions are followed and that data is adequately protected.
- Cross-border data transfer: Razorpay supports international payments for businesses around the world. While the DPDP Act permits cross-border transfers to any country not on the negative list, the uncertainty about that list necessitates careful monitoring and potential changes to data storage and processing locations so that international operations continue without breaching the Act.
- Grievance redressal: As an intermediary between businesses and consumers, Razorpay must provide effective channels for Data Principals to exercise their rights, such as access, correction, and erasure requests, and to resolve grievances properly.
- Practo (HealthTech): Practo, a major digital healthcare platform, handles very sensitive health data, which makes DPDP compliance especially important and challenging.
- Explicit and granular consent for health data: Practo must obtain explicit and informed consent before collecting, storing, or processing health records. This requires clear communication with patients about how their health information will be used, shared (for example with doctors and laboratories), and retained. The consent flow should be simple to understand and allow for specific permissions rather than a broad blanket approval.
- Children’s data protection: Because many users are parents arranging appointments for their children, Practo must obtain verifiable parental consent before processing the data of anyone under 18. The Act’s limits on tracking, monitoring, and targeted advertising to children directly affect how Practo may personalize services and communicate with younger users.
- Data security and confidentiality: Protecting extremely sensitive health information from breaches is critical. Practo must invest in strong encryption, access controls, and robust cybersecurity measures to protect patient confidentiality and meet the Act’s security requirements. Any data breach affecting health records would have serious legal and trust-related consequences.
4.2 How different sectors are affected
The case studies demonstrate that the DPDP Act has a substantial effect across industries, determined largely by the kind and volume of data processed and by how a business interacts with users.
- Fintech: Fintech is the most scrutinized sector because of the volume and sensitivity of financial data (transaction history, bank details, KYC documents). Its challenges include managing specific consent for diverse financial services, guaranteeing strong security against cyber threats, handling cross-border financial data transfers, and satisfying the heavier obligations of a likely Significant Data Fiduciary. Clear allocation of responsibility between financial institutions and technology partners (for example payment aggregators) is also necessary.
- EdTech: The key problem here is the processing of children’s data. The Act’s stringent requirements of verifiable parental consent and its ban on behavioural monitoring and targeted advertising to children profoundly change business models that rely on personalized learning through data analytics or on advertising revenue from younger users. EdTech platforms must redesign their data collection and usage practices to comply with these rules, which can be operationally challenging.
- HealthTech: This industry handles the most sensitive kind of personal data, health information. Although the DPDP Act does not define “sensitive personal data” as the GDPR does, it still demands the utmost care. HealthTech start-ups face difficulties in obtaining granular consent for medical data, ensuring confidentiality and security, managing data sharing with healthcare providers, and reconciling the Act’s erasure rights with the longer statutory retention periods that may apply to medical records.
4.3 Recent enforcement actions or warnings
As of May 2025, the Digital Personal Data Protection Act, 2023, was still in its early stages of implementation, with the Data Protection Board of India (DPBI) not yet completely established and active. As a result, there have been no significant public enforcement actions or fines imposed under the DPDP Act itself.
However, the period leading up to the Act’s full enforcement has seen:
- Increased Regulatory Scrutiny: Regulators, especially the Reserve Bank of India (RBI) for financial companies, have become more concerned about data governance and cybersecurity. While not directly related to DPDP, moves such as the RBI’s limitations on Paytm Payments Bank (due to supervisory concerns and IT audit difficulties, not DPDP breaches) send a strong message to the industry about the significance of solid compliance and data management standards. These proceedings, while predating DPDP regulation, highlight the heightened regulatory environment that entrepreneurs must manage.
- Issuance of draft rules and public consultations: The Ministry of Electronics and Information Technology (MeitY) has issued Draft Digital Personal Data Protection Rules, 2025, for public feedback. These guidelines are intended to offer operational clarification on a variety of Act provisions, including consent managers, data breach notifications, and SDF designation levels. The ongoing conversations suggest a period of regulatory refinement rather than active enforcement.
- Industry Advisories and Compliance Preparedness: Law firms, consulting agencies, and industry associations have actively issued advisories and held seminars to assist businesses, particularly startups, in preparing for DPDP compliance. These activities include completing gap assessments, revising privacy rules, developing consent management systems, and improving data security. The present emphasis is on proactive compliance and preparation rather than reactive responses to enforcement.
In summary, while formal enforcement proceedings under the DPDP Act have yet to begin, the regulatory landscape is changing fast, requiring Indian entrepreneurs to prioritize data privacy and security more than ever before. The experiences of key businesses such as Paytm, Razorpay, and Practo demonstrate the broad and serious compliance challenges that exist across several industries.
- Suggestions and way forward
Given these hurdles, a diverse strategy is required to assist Indian entrepreneurs in complying with the DPDP Act while preserving their development potential.
First, the government should provide sector-specific compliance toolkits to companies. These toolkits may include sample privacy policies, consent forms, data audit templates, and checklists. A streamlined registration process for smaller firms under the compliance framework might help them adopt it more easily.
Second, awareness-raising and capacity-building programs must be implemented nationwide. These may include free or subsidized webinars, startup bootcamps, online certificates, and cooperation with incubators. Industry groups like NASSCOM and TiE can play an important role here.
Third, a tiered compliance system based on the size and type of the company might be implemented. For example, companies below a certain revenue or data-volume threshold may be exempted from appointing DPOs or performing yearly audits.
Fourth, public-private collaborations might help to develop privacy-enhancing technologies (PETs) customized to startups. These solutions can automate compliance tasks like consent management and breach detection.
Finally, the DPDP Board should consider establishing a Startup Grievance Cell to address compliance issues and provide consulting help to new businesses.
The Digital Personal Data Protection Act of 2023 is a significant step in recognizing and enforcing Indian citizens’ data privacy rights. However, the execution presents significant problems for Indian companies. From budgetary limits and operational challenges to sector-specific complications and legal uncertainty, the road to compliance is difficult. However, with the correct legislative interventions, technical assistance, and collaborative efforts, these difficulties are solvable. Startups that consider privacy as a trust-building feature rather than a legal burden will have a greater chance of success in a data-conscious society.
References / Bibliography
- Digital Personal Data Protection Act, 2023 (India)
- General Data Protection Regulation (EU), 2016/679
- Information Technology Act, 2000
- MeitY Guidelines and Policy Documents
- News18, “Startups fear compliance burden under India’s new data protection law”, Aug 2024
- NASSCOM Reports on Startup Ecosystem
- LiveLaw, “What Startups Must Know About DPDP Act, 2023”, Sept 2024
- Indian Express, “Healthtech & DPDP Act: What Startups Need to Do”, Oct 2024