Indian companies will spend ₹20,000cr to comply with DPDP rules

Newspoint




Indian businesses are tipped to spend nearly ₹20,000 crore in the first year of complying with the Digital Personal Data Protection (DPDP) Act.

The estimate comes from consulting firms after the notification of rules under this Act in November.

The 18-month countdown for institutions to align their business processes with privacy measures and associated costs has begun.



Costs to depend on Data Protection Board's establishment


Sachin Tayal, Managing Director at Protiviti Member Firm for India, said the first-year compliance cost will also depend on how quickly the Data Protection Board is set up and its members' strictness.

To put things in perspective, European firms spent around $1 billion while US Fortune 500 companies spent $7.8 billion for GDPR compliance in 2018, according to an IAPP-EY report.


Long-term compliance costs projected at ₹50,000-₹60,000cr


Greyhound Research estimates that Indian companies will spend a total of ₹50,000-₹60,000 crore on DPDP compliance over the next 2-3 years.

This includes one-time readiness costs and permanent increases in security, data governance, and breach-response operations.

For small and medium firms, initial costs are expected to be ₹1-2 crore and ₹6-8 crore, respectively.


Large companies' compliance costs could go up to ₹18cr


For companies with revenue over ₹2,500 crore, Tayal estimates a compliance cost of ₹6-8 crore.

However, Sanchit Vir Gogia from Greyhound Research suggests a higher range for large companies at ₹10-18 crore if compliance is done properly.

He emphasized that DPDP cost is structural and covers data discovery and classification across live systems, backups, and shadow environments among others.


Initial investments to focus on consent management, cybersecurity


The initial investments by companies will mainly go toward consent management, strengthening cybersecurity posture, vendor data audits, and breach response frameworks.

Tayal estimates the cost of implementing compliance tools to be between ₹1.5-5 crore for companies.

He also said that half of these investments will be recurring annual costs while the other half would be one-time costs.


Compliance costs influenced by organization size, data type


The size of investments is also influenced by the organization's size, type of personal data it handles, and its industry vertical.

Akshaya Suresh from JSA Advocates & Solicitors (JSA) said restrictions on data transfer will require investments to host data in Indian data centers.

There could also be costs involved in moving data to India if it's hosted in a region later blacklisted by the government.


DPDP Act imposes hefty penalties for violations


The DPDP Act imposes penalties ranging from ₹50-250 crore depending on the nature of violations. Gogia said enterprises are over-investing early to avoid the asymmetric risk of a breach or compliance failure.