Decoding the new data laws: India’s recently implemented Digital Personal Data Protection (DPDP) Act has introduced stricter data-governance rules that will increase compliance and operational costs as businesses introduce structural changes to their systems, Meghna Bal, director at the Esya Centre and a tech-policy expert, told EnterpriseAM.

The framework tightens consent requirements, limits how long firms can retain customer information, and restricts the conditions under which personal data can be shared with third parties.

What’s changing? Businesses must clearly state data-use purposes upfront and delete customer information after three years of inactivity unless the data is needed to meet legal requirements. Users must be notified 48 hours before their data is erased. The rules also require firms to maintain detailed records and implement processes to support user requests for data access, correction, and erasure.

Compliance costs will squeeze small businesses: “The costs are going to be massive, and I don’t think companies realize just how much this legislation will cost,” Bal said, noting that the act was “framed with big companies in mind, with little concern for the ability of small firms to comply.” She added that small businesses may need temporary exemptions under Section 17(3) “to remain viable” during the transition.

And multinationals will feel pressure, too: Bal said multinational companies may face bottlenecks as compliance decisions “aren’t made locally” and require global coordination. She noted that the legislation’s failure to recognize contractual necessity creates challenges for sectors dependent on third-party data flows. “For telcos, even terminating a call on another network becomes unclear because the other operator won’t have consent from non-customers — it upends interconnection,” she said.

Compliance will require broad structural changes to how companies design user interfaces and the rebuilding of backend systems. “A data protection law impacts everything from internal data operations to external interfaces,” Bal told us, adding that companies need time to redesign systems “in ways that don’t increase user friction.”

It’s going to have a big impact on how companies advertise: With tighter limits on data sharing, companies will need to rely more on their own first-party datasets for behavioural targeting. Reduced consent-driven datasets may prompt companies to rethink marketing workflows and data-handling systems. “Shifting to first-party systems is not easy — smaller businesses compete today because they can leverage the targeted advertising capability of larger platforms,” Bal said. She added that using public datasets will also become harder since companies must verify whether the individual made the data public — “an impossible task under the current wording of the act.”

The timeline: The DPDP Act gives companies up to 18 months to get their houses in order on consent management, breach reporting, and deletion protocols. “The 18-month window is already compressed compared to the EU, Japan, and Brazil, all of which provided 24 months,” Bal said. The new law is more burdensome than those in any of these jurisdictions because it requires consent as a basis for almost all data processing.

Firms will need to ensure they can trace data flows end-to-end to avoid incomplete or inaccurate deletions that could attract penalties.

IN CONTEXT: India’s new DPDP Act — the country’s first comprehensive digital privacy law — came into effect on 14 November. It requires explicit consent for collecting or processing personal data and grants users the right to access, correct, and erase their information. Companies must disclose why data is being collected, ensure secure processing, and report breaches within 72 hours. The law applies to all digital personal data in India, including overseas firms offering goods or services to users in the country.