Indian Companies Set to Invest ₹20,000 Crore to Comply with DPDP Regulations - Tech Digital Minds
DPDP Act imposes penalties ranging from ₹50-250 crore depending on violation

What’s the story

Indian businesses are projected to spend nearly ₹20,000 crore in their first year to comply with the Digital Personal Data Protection (DPDP) Act. This sizable estimate comes from consulting firms after the notification of rules under this Act in November, signaling a new regulatory environment for data handling and privacy in the country. The 18-month countdown for institutions to align their business processes with enhanced privacy measures has officially commenced, and the financial implications are substantial.

Costs to depend on Data Protection Board’s establishment

The initial compliance costs will heavily depend on how swiftly the Data Protection Board is set up, as well as the strictness of its members. For context, European firms spent around $1 billion while US Fortune 500 companies forked out $7.8 billion for GDPR compliance in 2018, according to an IAPP-EY report. This comparison serves to underscore the potentially high stakes for Indian enterprises.

Long-term compliance costs projected at ₹50,000-₹60,000cr

Greyhound Research estimates that Indian companies will collectively spend a staggering ₹50,000-₹60,000 crore on DPDP compliance over the next 2-3 years. These expenses will encompass one-time initial investments as well as ongoing costs connected to security upgrades, data governance, and breach-response frameworks. For small and medium-sized enterprises (SMEs), the initial financial outlay is expected to be between ₹1-2 crore for small firms and ₹6-8 crore for medium-sized firms.

Large companies’ compliance costs could go up to ₹18cr

For larger companies, particularly those with revenue exceeding ₹2,500 crore, Tayal projects compliance costs to start at ₹6-8 crore. However, Sanchit Vir Gogia from Greyhound Research suggests that a more realistic estimate for proper compliance encompassing all aspects could range from ₹10-18 crore. DPDP Act compliance is inherently structural, covering data discovery, classification across live systems, backups, and shadow environments, making these expenses necessary.

Initial investments to focus on consent management, cybersecurity

The initial investments made by organizations will primarily target consent management systems, fortifying their cybersecurity postures, conducting vendor data audits, and establishing breach response frameworks. Tayal has noted that costs for implementing compliance tools could fall between ₹1.5-5 crore for companies, and roughly half of these investments will be recurring annual costs while the other half will be one-time expenses.

Compliance costs influenced by organization size, data type

A variety of factors influence the size of these investments, including the organization’s size, the types of personal data it handles, and its industry vertical. For many companies, restrictions on data transfers will necessitate substantial investments to host data in Indian data centers. Additionally, companies could face costs related to migrating data if it’s presently hosted in regions that are later blacklisted by government regulations.

DPDP Act imposes hefty penalties for violations

The DPDP Act comes with stringent penalties for violations, ranging from ₹50-250 crore based on the severity of the infraction. Gogia noted that enterprises are likely to over-invest early in the compliance process to mitigate the asymmetric risks associated with a breach or a failure to comply with the new regulations, highlighting the weight of these financial commitments.
