The rollout of India’s Digital Personal Data Protection (DPDP) Rules is expected to significantly increase enterprise technology spending, with firms likely to incur 10–30% higher IT and compliance costs over the next 12–18 months. The new law mandates a complete re-engineering of how organisations collect, process, store and govern personal data across their systems.
According to Murali Rao, Partner and Leader – Cybersecurity Consulting at EY India, companies now have clear, enforceable guidelines on data handling, which will require substantial upgrades to existing infrastructure. “The phased rollout gives organisations time to embed privacy into operations, but the obligations are fixed and will inevitably push up costs—not only on technology, but also on legal, governance and operational fronts,” he told FE.
Enterprises will need to invest in new tools for consent management, data discovery, breach reporting, encryption, retention controls, and secure third-party data sharing. Many will also be required to overhaul legacy systems, adopt privacy-by-design frameworks, and appoint dedicated data protection teams.
Additionally, organisations must implement stronger monitoring, audit trails, and record-keeping mechanisms to meet compliance standards. Experts say that for companies with fragmented data architectures or heavy reliance on customer data, the cost impact may be even higher.
While the transition will be demanding, industry analysts believe DPDP will drive long-term benefits by strengthening consumer trust, improving data hygiene, and bringing Indian digital ecosystems closer to global privacy norms.
