'The impact will be minimal and it will only increase compliance cost on consent, data flows, localisation timelines, internal audits, data mapping, and new tooling.'
Indian information technology service providers will have a short learning curve to adapt to India's digital landscape after the Digital Personal Data Protection (DPDP) Act was notified as they have already been following such regulations in other parts of the world, especially Europe, for the last few years, according to experts.
While compliance costs will surely go up, some estimate it to be in double digits, that is not expected to materially impact operations or dent margins because Indian companies have been gearing up for this for the last two years since the Act came into existence.
All firms have had enough time to beef up their systems and house cybersecurity professionals to ensure minimal breach.
The impact will be minimal because most of the companies, barring TCS, Infosys, Wipro, and Tech Mahindra, have minimum India-facing businesses and clients in the BFSI, telecom, healthcare, government, or business process outsourcing and customer relationship management (CRM) space.
The four companies, however, will have to set up their systems to be compliant.
TCS handles critical government projects such as passport issuance and post office modernisation programmes.
Infosys handles the goods and services tax (GST) portal.
Tech Mahindra is part of the IndiaAI Mission to develop sovereign large language models (LLM) with a trillion parameters, while LTIMindtree was recently awarded a contract of about $100 million by the income tax department for the PAN 2.0 project.
"DPDP 2025 impacts only IT services firms with exposure to the India market as they handle Indian citizens' personal data," said Gaurav Vasu, founder of UnearthInsights.
"The impact will be minimal and it will only increase compliance cost on consent, data flows, localisation timelines, internal audits, data mapping, and new tooling," added Vasu.
India business contributed 9 per cent to TCS' revenue for the second quarter ended September 30, while it was just 3 per cent for Infosys.
Some of the short-term challenges that these companies could face include procurement delays for banking, financial services, and insurance (BFSI), healthcare, and government-related programmes that may push new scope of work (SOW) by a couple of quarters.
Mini Gupta, EY India consulting partner, said these new rules give an opportunity for firms operating in India to not only ensure diligence for themselves but also for their third parties in their extended supply chain, very similar to climate goals of Scope 1, 2, and 3.
"If those vendors are smaller organisations and are non-compliant, they may claim bankruptcy if hit with massive back to back penalties.
"It is critical to do a thorough diligence going ahead in selecting the right third parties with right governance practices," she added.
With consent at the core of the rules, companies will also have to rethink how they use customer data to train internal AI models, including removing any training data where consent is not granted.
Jignesh Oza, a partner at Deloitte India, believed most of these companies largely know what is to be done.
"If you have a privacy compliant product, you go ahead and become a good differentiator.
"While the costs will go up, one needs to comply with the regulations too.
"That means better engineering practices, which are privacy compliant and focusing on nuances like privacy by design.
"This will mean your customers are compliant too and you will have better serviceability in the market."
Feature Presentation: Ashish Narsale/Rediff