24 Months runway for DPDP is critical for Indian startup community

National : The government’s intention to reduce the timeline for implementing the Digital Personal Data Protection (DPDP) Act, 2023, poses a significant threat to startups that have meticulously built their business models in accordance with the original timeline. A last-minute change in the implementation schedule can cause severe disruptions and financial losses, particularly for startups that have invested heavily in compliance measures. This development comes at a critical time when micro, small, and medium enterprises (MSMEs) are already requesting compliance relief ahead of Budget 2026-27. The sudden shift in the DPDP Act timeline exacerbates the challenges faced by the startup community, potentially undermining their resilience and competitiveness in an already volatile economic landscape. Moreover, startups have secured substantial investments over the next 12 months, predicated on the assumption of a stable regulatory environment. Any abrupt changes could jeopardize these investments, leading to a cascade of negative impacts on innovation, job creation, and economic growth.

“As of the latest available data, Indian startups have secured significant investments over the next 12 months. According to industry reports and market analyses, the startup ecosystem in India is poised to attract over $20 billion in funding. This influx of capital is driven by both domestic and international investors who are increasingly recognizing the potential of Indian startups across various sectors, including technology, fintech, e-commerce, and healthcare. The funding is expected to support growth, innovation, and the scaling of business models, provided that a stable and predictable regulatory environment is maintained. Any sudden changes in critical regulations, such as the Digital Personal Data Protection (DPDP) Act, 2023, could disrupt these investment plans and hinder the progress of the startup community” said K Giri, Director General, Empower India.

“However, when implementation timelines are compressed, the cascading impact on small businesses must be acknowledged. These enterprises require adequate time to adapt systems, align processes, and understand how changes affect their visibility, reach, and operations.” He added that a phased and consultative approach, with structured feedback mechanisms, can help ensure smoother transitions and more effective compliance without disrupting smaller players in the ecosystem.”

During rapid implementation phases, larger firms understandably prioritise stabilising core compliance systems. While necessary, this operational focus can temporarily affect support timelines, onboarding processes, and feature rollouts that smaller dependent businesses rely on, creating unintended disruptions in business continuity. When timelines are accelerated, opportunities for iterative engagement, testing, feedback and co-development between firms and their smaller partners are also reduced, limiting collaborative solutions that would benefit the broader ecosystem.

The immediate implementation of Rule 23 and Rule 16 under the Digital Personal Data Protection (DPDP) Act could wreak havoc on innovation and scaling for Indian startups. Rule 23 allows the Central Government to demand information from Data Fiduciaries, potentially disrupting operations and causing compliance challenges. Rule 16’s exemption for research and statistical purposes, while beneficial, adds complexity. These abrupt changes create uncertainty, hindering startups’ ability to plan, invest, and scale effectively in a rapidly evolving market.