DPDP for Startup Founders & CEOs: Safeguarding Innovation & Growth in India
The Digital Personal Data Protection Act, 2023 (DPDP Act) impacts every Indian business handling personal data. For startup founders and CEOs, understanding your responsibilities is not just about compliance; it's about protecting your company's future, reputation, and market access.
Ignoring DPDP can lead to significant financial penalties, operational disruptions, and a loss of user trust. Proactive compliance ensures your innovation can thrive without legal setbacks. This page outlines what founders and CEOs need to know, common gaps, and how Meridian Bridge Strategy (MBS) helps mitigate risks.
What Startup Founders & CEOs Own in DPDP Compliance
As a founder or CEO, you are ultimately responsible for ensuring your organization's adherence to the DPDP Act. This includes setting the strategic direction for data governance, allocating resources, and fostering a culture of data protection. Your leadership is critical for successful implementation.
- Strategic Oversight: You must approve data protection policies and ensure they align with business objectives while meeting legal requirements. This involves understanding your company's data footprint.
- Resource Allocation: DPDP compliance requires investments in technology, training, and potentially external expertise. Your role is to secure these budgets.
- Risk Management: You bear the ultimate accountability for data breaches and non-compliance, including potential financial penalties up to ₹500 Crores. Identifying and mitigating these risks falls under your purview.
- Operational Integration: Data protection should be integrated into product development, marketing, HR, and all core business functions. This requires clear directives from the top.
Top 5 DPDP Gaps for Indian Startups
Many startups, despite their innovative nature, often overlook critical aspects of data protection. Addressing these common gaps early can save significant time and resources later.
- Lack of Data Inventory: Many founders don't have a clear, documented understanding of what personal data they collect, where it's stored, and why. This fundamental step is often missed, making compliance impossible.
- Consent Management Weaknesses: Obtaining valid, granular, and easily withdrawable consent is a cornerstone of DPDP. Startups frequently use generic consent forms or fail to provide transparent information about data use.
- Third-Party Vendor Due Diligence: When you share personal data with vendors (e.g., cloud providers, marketing tools), you remain responsible. Many startups lack robust contracts or audits for their data processors.
- Data Retention & Deletion Policies: Holding onto data longer than necessary or without a clear purpose creates risk. Many startups lack automated processes for data deletion or clear retention schedules.
- Incident Response Plan Absence: A data breach is not a matter of 'if,' but 'when.' Many startups lack a defined, tested plan for identifying, containing, reporting, and recovering from data security incidents.
Cost to Fix: MBS DPDP Services & Pricing
Meridian Bridge Strategy (MBS), founded by Sushant Pasumarty, offers structured DPDP services designed to meet varying organizational needs and budgets. Our tiered approach ensures you get the right level of support, from initial assessment to full implementation.
| Tier | Includes | Price | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow within your organization, identifying collection points, storage locations, and processing purposes. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Combines comprehensive Data Mapping with a detailed Gap Analysis against DPDP requirements. Pinpoints exactly where you stand and what needs fixing. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Includes the Readiness Audit, provides actionable Recommendations, and delivers a practical 90-day roadmap for implementation. Tailored for leadership to understand and execute. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Covers everything in the Workshop, plus hands-on Implementation support, establishment of a Data Protection Officer (DPO) framework, and a Readiness Opinion letter. Comprehensive, end-to-end solution. | ₹7L – ₹12L | 3-6 months |
These price ranges represent the typical investment for a startup or SME. Larger or more complex organizations may require custom quotes. Sushant Pasumarty personally oversees strategic engagements to ensure alignment with your business goals.
Vendor Questions for DPDP Compliance
When evaluating any DPDP service provider, ask these critical questions to ensure you're getting effective support:
- What specific experience do you have with the Indian DPDP Act, not just global privacy laws?
- Can you provide case studies or references from similar-sized Indian startups?
- How do you ensure our existing tech stack and business processes are considered in your recommendations?
- What deliverables can we expect at each stage, and how are progress and outcomes measured?
- Beyond the initial engagement, what ongoing support or maintenance options do you offer?
Your Next Step to DPDP Readiness
Proactive DPDP compliance is an investment in your startup's future. It builds trust with your users, attracts better talent, and opens doors to new markets. Don't wait for a penalty notice or a breach to act.
Sushant Pasumarty, founder of Meridian Bridge Strategy, recommends starting with a DPDP Readiness Audit to quickly identify your critical gaps. This foundational step provides clarity and a clear path forward.
Explore our services or connect with Sushant Pasumarty directly to discuss your specific challenges. We help you turn compliance into a competitive advantage.
Frequently Asked Questions
Why should a startup founder prioritize DPDP compliance now?
Prioritizing DPDP compliance now protects your startup from significant fines (up to ₹500 Crores), reputational damage, and loss of user trust. It also ensures your business practices are legally sound as you scale, making you more attractive to investors and partners. Proactive compliance is cheaper than reactive damage control.
What is the biggest risk for startups under the DPDP Act?
The biggest risk for startups is often a lack of awareness and preparedness, leading to accidental non-compliance. This can manifest as inadequate consent mechanisms, poor data retention practices, or a complete absence of a data breach response plan. The financial penalties and loss of user trust can be catastrophic for a young company.
How long does it typically take for a startup to become DPDP compliant?
The timeline varies significantly based on your current data practices and the complexity of your operations. An initial Data Mapping can take 1-2 weeks, while a full compliance implementation and DPO setup could span 3-6 months. MBS offers services ranging from short-term audits to long-term consulting to match your needs and timeline.