DPDP compliance costs for Indian startups: what to budget before 13 May 2027
Summary. Full compliance with India's Digital Personal Data Protection Act is due on 13 May 2027. That is the date consent, notice, security safeguards, breach intimation and data-principal rights all become enforceable, and it is roughly 10 months away. The DPDP Rules 2025 were notified on 13 November 2025 and land in three phases: the Data Protection Board of India stood up immediately, penalties and Consent Manager registration begin on 13 November 2026, and everything else bites on 13 May 2027. The penalty schedule is not proportionate to your size: up to ₹250 crore for failing reasonable security safeguards, ₹200 crore for failing to notify a breach, and ₹150 crore for missing Significant Data Fiduciary obligations. There is no revenue or headcount exemption. The cost gap is where founders get hurt. Vendors routinely quote ₹15 lakh to ₹2 crore for DPDPA compliance, while a startup under 10,000 users can be substantively compliant for under ₹50,000 a year. India's privacy and data governance market is worth roughly $1 billion to $1.5 billion today, per IDfy founder Ashok Hariharan speaking to Inc42 in April 2026, and a lot of that revenue depends on you not reading the rules yourself.









