Companies To Incur up to Rs 18 Cr One-Time Cost on DPDP compliance

Report finds major one-time and yearly costs as companies prepare for strict new data protection rules

Update: 2025-12-08 14:03 GMT
Firms face high DPDP compliance expenses for consent systems, security upgrades and DPO hiring.

Chennai: Companies will incur a one-time cost ranging from Rs 1 crore to Rs 18 crore, depending on their size, to comply with the Digital Personal Data Protection (DPDP) rules. Further, Rs 50 lakh to Rs 10 crore will have to be spent annually in the subsequent years.

The one-time cost before May 2027 will range from Rs 2.5 crore to Rs 18 crore for large enterprises, from Rs 1.5 crore to Rs 2.5 crore for mid-size enterprises, and from Rs 1 crore to Rs 1.5 crore for smaller companies, according to a report by King Stubb and Kasiva.

The cost includes the expenses of complying with the rules on data mapping and inventory, consent management infrastructure, Data Subject Access Request (DSAR) system development, security hardening, and hiring a Data Protection Officer (DPO). Compliance requires a material, multi-year investment.

Fulfilling thousands of Data Subject Access Requests annually requires significant operational investment in identity verification, data retrieval and secure transmission. Failure to respond on time and accurately triggers penalties.

A security failure leading to a data breach will invite a penalty of up to Rs 250 crore. Failure to notify the Board and affected users of a breach within 72 hours will be fined up to Rs 200 crore. Failure to fulfil the additional duties of a significant data fiduciary (SDF), such as appointing a DPO, will be fined up to Rs 150 crore. Any other breach of the DPDP Act will invite a maximum fine of Rs 50 crore.

The DPDP rules became operational on November 14, 2025. Companies have an 18-month window to be fully compliant. The rules apply to all entities processing personal data of Indian citizens, regardless of where the entities are incorporated.

As far as cross-border data transfers are concerned, the government can unilaterally blacklist countries. SDFs have to ensure that AI/ML systems are fair and transparent, without detailed regulatory guidance on how to do so. Capturing granular, verifiable consent across web, mobile apps, APIs, and third-party vendors is technically complex.
