With data protection rules notified, startups must prepare for a pivotal transition
Planning ahead will enable companies to integrate DPDP requirements into product design rather than retrofitting them under pressure. Equally important is early dialogue.
The next 12 to 18 months will be a decisive period for India's digital startup ecosystem. After more than eight years of debate and consultation, the Digital Personal Data Protection (DPDP) framework is finally entering the implementation phase. With the Rules and transition timelines now notified by the government, businesses will have to orient their operations around the user: honouring data principal rights and clearly identifying their own responsibilities under the framework.
Among other things, the final Rules attempt to balance user protections with enough flexibility for more digital businesses to achieve compliance. Even so, startups need to start mapping their obligations, allocating internal resources for compliance, and identifying areas that require external partnerships and coordination with the government. Since startups operate with lean teams, fast-moving product cycles, and limited policy and regulatory bandwidth, we outline a few internal and external steps that can help them navigate this transition.
1. Are you a 'Data Fiduciary' or a 'Data Processor'?
Under the DPDP Act 2023, data fiduciaries are those who determine the purpose and means of processing personal data, and there can be more than one data fiduciary in a particular transaction. Data processors are third parties that process personal data on behalf of a data fiduciary. Data fiduciaries carry the primary responsibility under the DPDP framework and are directly accountable to users and to the supervisory Data Protection Board.
Businesses must evaluate the circumstances and determine whether they are data fiduciaries or data processors. For each business, these determinations may differ from situation to situation and depend on the nature of interaction with the data principal. For example, the same company may be a data fiduciary when processing employee data and a data processor when providing backend hosting services on behalf of another business.
While data fiduciaries will have to navigate direct compliance under the DPDP framework, data processors will feel the regime mainly through their bilateral service agreements with fiduciaries, which will be rewritten to pass down the broader expectations of the framework.
2. Tracking thresholds for Significant Data Fiduciaries
Startups on rapid growth trajectories will need to track closely the formal thresholds the government sets for designating firms as Significant Data Fiduciaries (SDFs). While the exact criteria for SDF designation are yet to be published, the DPDP Act says the designation will be based on the volume and sensitivity of personal data processed, the risk to the rights of users, and the risks to national security or public order.
SDFs will need to appoint a dedicated Data Protection Officer; undertake annual audits and data protection impact assessments; meet tighter safety expectations for the algorithms they deploy; and potentially comply with restrictions on cross-border data transfers. Because sensitivity is itself a criterion, even smaller firms may fall within the ambit: a small startup handling health-tracking or financial data, for example, may qualify as an SDF.
3. Preparing for notice-and-consent expectations
Startups will have to adhere to the notice and consent provisions in the Act and Rules. Notice must be given as a standalone document in clear and plain language, not buried within long service agreements. It should list each category of personal data being processed and state the purpose for each. The framework also requires that users be given a clear way to withdraw their consent.
Startups will also have the option of joining platforms run by registered consent managers, where users can review the consent they have given to various platforms in one place and withdraw it. This may simplify the consent interaction for startups.
Critically, the government has not issued standardised templates for notice, consent, or the withdrawal of consent. This is a double-edged sword: it gives services the flexibility to choose a model suited to their particular digital offering, but it also places the responsibility squarely on them to get it right and avoid regulatory scrutiny.
4. Rationalising parallel regulatory obligations
Startups in mature regulated markets will need to reconcile overlapping obligations from parallel regulations that cover similar ground. For example, financial services firms will have to adhere to the technical security standards set by regulators such as the RBI and SEBI while also meeting similar standards under the DPDP framework. Dual compliance may also arise around third-party consent management, where the RBI's Account Aggregator framework and the DPDP regime both apply.
Data breach notification requirements under the DPDP framework will sit alongside existing cyber incident reporting obligations to CERT-In under the Information Technology Act. Businesses will have to prepare for such overlaps and proactively engage with regulatory authorities to avoid excessive duplication. Investing in the internal and external processes needed to manage these requirements will matter, as they will become a mainstay of future digital markets.
5. Responsibly servicing minors and PwDs
Startups will have to rethink how they serve users under 18. The Act and Rules require verifiable parental consent (VPC), and the technical protocols for verifying a parent will have to be built from the ground up. The Rules expect most digital businesses to rely on tokens generated by government-approved systems, and we expect the DPI ecosystem to clarify these workflows over the next few months. This may be an area where startups need to engage with policymakers to ensure that VPC systems are seamless and do not inadvertently introduce user friction.
The new Rules also set out conditions under which startups must obtain verifiable guardian consent for persons with disabilities (PwDs) who need support in taking legally binding decisions. This is another area where clarification should be sought from the government.
6. Transparent and timely grievance redressal
The DPDP Rules also require businesses to publish the contact details of the persons responsible for grievance redressal. In addition, requests relating to the rights of data principals (accuracy, correction, erasure, and so on) must be resolved within 90 days. Meeting this will require budgeting for, hiring, and training the people who fill the grievance redressal role.
Conclusion
The overarching message for startups is simple: early investment in compliance is not a cost—it is insurance. Planning ahead will enable companies to integrate DPDP requirements into product design rather than retrofitting them under pressure. Equally important is early dialogue. Regular engagement with MeitY, sectoral regulators, and other key stakeholders can help clarify grey areas, reduce uncertainty, and shape a more startup-sensitive interpretation of the Rules.
The startup community should also closely watch how the government chooses to exercise its exemption powers under Sections 17(3) and 17(5) of the DPDP Act 2023 for early-stage firms. Smart, targeted exemptions could support innovation without weakening user rights.
If implemented with purpose and foresight, India’s transition to the DPDP regime can be smooth and minimally disruptive. More importantly, it can help strengthen user trust—an asset that is essential for the continued growth of the digital economy.
Aparajita Bharti is the Founding Partner, and Sidharth Deb is the Associate Director at TQH (The Quantum Hub) Consulting, a leading public policy research and advisory firm.
Edited by Kanishk Singh
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)