India’s IT services sector is gearing up for stricter data-collection and sharing norms under the Digital Personal Data Protection (DPDP) Rules, 2025. While bigger firms are largely ready for the 18-month compliance deadline, smaller providers may find it challenging, industry experts said.
Moreover, this is the first time IT and technology services companies will be legally bound to follow stringent data sharing and collection rules, impacting business operations, data flows and contract clauses involving third party vendors.
Released on November 14, several key implementations of the DPDP Rules were given an 18-month window that applies to rules governing cross-border data transfers, research and statistical exemptions.
“The newly established rules have streamlined the implementation process, and a period of 18 months has been provided to accommodate sector-specific challenges effectively. For those who are embarking on data privacy implementation for the first time, additional time may be necessary to ensure compliance,” Uma Thomas, Chief Risk Officer at Hexaware Technologies told Moneycontrol.
She added that while Hexaware does not expect any immediate business impact, the company still awaits for the details about the Data Protection Board establishment and powers & functions.
Happiest Minds finds the timeline “workable”, as the mid-tier IT firm has been well prepared and already taken some steps in this direction.
Vijay Bharti, Chief Information Security Officer at Happiest Minds Technologies said, “However, if you are starting fresh, this may be a little challenging to address within 18 months. Also, some aspects are still not clear, such as significant data fiduciaries classifications and “adequate security measures,” which can lead to different interpretations and add to the complexity.”
Bharti recommended smaller firms to allocate dedicated budgets, assign teams for detailed gap assessment, and set up realistic roadmaps for better success of DPDP Rules implementation.
“There is a significant lack of appreciation by many organizations for the investment required in skilled resources, the effort needed for technology upgrades, and the ongoing effort required for monitoring,” he added.
While the timelines seem attainable for larger enterprises, while mid-sized organizations may need to address vendor dependencies and legacy systems, concurred Jignesh Oza, Partner, Deloitte India.
“A staggered rollout offers flexibility, and with proper planning, readiness can improve across industries,” he said.
Business operation overhaul, legal challenges
According to Oza, the new rules will require businesses to rethink and overhaul data handling practices. Until now, there weren’t any legal restrictions on what data businesses could collect, making this a significant shift in business practices of IT firms that deal with clients in key regions such as North America, Europe and others.
This might get double whammy for IT companies when coupled with the ongoing Artificial Intelligence (AI) boom, whose foundation lies in collating and structuring data. The IT companies are predominantly developing company and industry-specific AI use cases on top of open-source AI models and that requires access to large company-level datasets.
“Organizations may struggle with mapping personal data across systems, enforcing strict minimization and retention limits, and the 72-hour breach-response processes. Legacy data and legacy systems to new consent standards will be particularly demanding,” Oza told Moneycontrol.
He added, “Personal data protection will have to become part of core operational discipline. This will increase compliance costs in the short term but significantly strengthen digital trust and governance.”
“The hardest challenges sit in the details,” said Abhishek Agarwal, President of The Judge Group. He emphasised that the data minimization demands that involve companies to justify every field they collect, becomes complicated when legacy systems store information “just in case.”
Also, cross-border transfers will now include another layer of contracts, audits, and encryption. “These hurdles aren’t impossible, but they require disciplined documentation, stronger internal coordination, and far more transparency across teams. Compliance becomes an ongoing process, not a one-time checklist,” he said.
Increased regulatory scrutiny
The IT services companies would now need to maintain separate breach notifications and retention requirements from other regulatory controls such as CERT-In, Indian IT act, IRDAI, RBI to name a few, Thomas said.
There will be a change in drafting contractual obligations clauses with the third parties or customers and independent contractors; who are processing Personally Identifiable Information (PII) outside the Indian region.
“Detailed Gap analysis has to be performed to understand the current practices of data collection, Breach notification timelines, retention limits (especially aligning data storage, archival and retention timelines as per consent) and cross border data transfer,” said Thomas/
Agarwal added that compared to regulations rolled out abruptly in other countries, the DPDP timelines feel measured.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
