DPDP Rules: Compliance Stress Test for India's MSMEs and Startups

• India's new DPDP Rules pose significant compliance challenges for MSMEs and startups, despite a phased 18-month implementation.
• Penalties for violations can reach Rs 250 crore, forcing businesses to prioritize privacy in product design, vendor management, and security.
• Smaller entities face the same obligations as large corporations, with no exemptions, requiring substantial investment in implementation and restructuring.
• Key operational demands include explicit consent, purpose limitation, 72-hour breach reporting, and 90-day grievance responses.
• MSMEs lack dedicated privacy teams and rely on legacy systems, making technical requirements like encryption and activity logs a major hurdle.