DPDP compliance fast-track may hurt startups, investors flag risks at policy briefing

Experts have cautioned that compressing compliance timelines under India’s Digital Personal Data Protection (DPDP) Rules could strain businesses and weaken investor confidence, particularly in the startup ecosystem. The concerns were raised during a media briefing hosted by InGovern Research Services. While industry stakeholders broadly welcomed the intent to strengthen data privacy, speakers warned that advancing implementation timelines from the originally proposed 18 months to 12 months — and in some cases immediate enforcement — could impose disproportionate operational and financial burdens. They stressed that DPDP compliance requires deep changes in technology architecture, governance systems and internal processes, not just paperwork.

Shriram Subramanian said mandatory data and log retention, combined with shortened timelines, could derail large enterprises and prove unmanageable for young companies. Legal experts echoed the concern, with Shreya Suri noting that startups and MSMEs lack adequate awareness, expertise and infrastructure to meet complex obligations at short notice.

Investors also flagged uncertainty around penalties and the designation of Significant Data Fiduciaries. Angel investor Lloyd Mathias said rising compliance costs and unclear enforcement could affect funding decisions and slow innovation.

In Kolkata, which hosts a growing base of IT services firms, fintech startups and MSMEs, industry observers say compressed DPDP timelines could have an outsized impact. Many smaller enterprises in the city are still formalising digital systems and compliance frameworks. Sudden enforcement may force businesses to divert capital from expansion and hiring toward legal and data-security costs, potentially slowing digital adoption and investment momentum in eastern India.