On January 3, the central government’s ministry of electronics and IT released the draft Digital Personal Data Protection (DPDP) Rules 2025, which will be open to public feedback until next month. The draft DPDP rules aim to implement the DPDP Act 2023 to align with India’s commitment to safeguard digital personal data.
The key provisions include requirements to inform individuals about the personal data collected and its usage, consent, mandates for implementing reasonable security measures, and other measures to manage and protect digital data. Furthermore, a central sectoral committee will review and recommend data localisation for specific industries.
However, what does all this mean for Indian AI startups?
New Wave of Ethical Data Collection
With data collection being the foundation for AI models, the process will now come under the radar to ensure there is a fair and just way of collecting them while protecting them at the same time.
A number of Indian AI startups that work on voice and multilingualism source data from different avenues. For instance, Bengaluru-based Gnani.ai’s voice-first small language models are trained on millions of audio hours of proprietary datasets and billions of Indic language conversations.
“For Gnani AI, which specialises in collecting and processing voice datasets, this rule [DPDP] only reinforces what we already do. We ensure every dataset we work with is collected ethically, with user consent and full transparency,” Ganesh Gopalan, co-founder and CEO of Gnani.ai, told AIM.
“I’m sure most startups in the space will also adapt quickly, as the Act provides a clear framework that supports innovation while safeguarding privacy.”
Gopalan believes that the new rule will establish a consent-driven framework to enhance transparency and data ethics in India. He is also positive that rather than causing hindrance to data collection, the rule will promote the creation of improved systems for managing consent and data usage.
Companies such as Karya employ rural women to collect voice data and claim to follow an ethical process for the same – something they have been following from its inception.
Data Protection Needs Will Surge
Anshu Sharma, co-founder and CEO of Skyflow, a data privacy and security company that helps businesses manage and protect sensitive customer information, believes the DPDP rule will provide a framework that aligns with consumer protection.
“AI-driven startups will need to be built with a privacy-first mindset that includes fine-grained data access controls and advanced security safeguards including polymorphic data encryption, tokenisation, and masking to ensure sensitive data doesn’t leak into models,” Sharma told AIM.
He went on to explain how the DPDP mirrors elements of Europe’s GDPR, thereby bringing significant implications for technology companies relying on sharing data internationally. Rule 14 of the draft brings in strict data residency requirements regulating cross-border data transfers.
Increased Cost?
With focused security measures, startups should be prepared for additional costs.
Shlok Bhartiya, co-founder and CEO of AI-powered fashion search platform shoppin’, told AIM that the rules could result in additional compliance costs for businesses, but they have already been factored in as a necessary and non-negotiable cost for a secure user experience.
“AI startups will need to align with the DPDP Act’s requirements, which include but are not limited to obtaining explicit consent for data collection and processing. This could increase operational complexity and necessitate the development of robust consent management systems. If no exemptions are granted, startups will need to fully integrate these measures into their operations, potentially diverting resources from growth initiatives,” emphasised Tisha Bhambry, director analyst at Gartner.
Data Sovereignty Will Lead the Way
A crucial element of the DPDP rule applies to data sovereignty, where companies will be under strict control over personal data being stored and processed in India. Furthermore, companies looking to transfer this data to foreign governments and entities should comply with conditions set by the central government.
“AI startups relying on overseas cloud providers will need to reassess their data strategies based on which countries are mentioned in the restricted list. This may involve exploring partnerships with providers that have data centres in India or adopting hybrid cloud solutions,” said Bhambry, who acknowledged that this shift could involve additional costs.
However, the rule may possibly be a welcome move for local data centre players such as Yotta, Reliance and Tata, who are investing heavily in building data centres in India.
Gopalan doesn’t foresee this being an issue for startups, as most cloud providers are already equipped to support data sovereignty requirements. “This will ensure a seamless transition for companies and continue to foster innovation while adhering to the law.”
While the rules may sound stringent, Indian AI startups seem to be already geared for it and don’t look at this as impeding their progress.
The post What Do the Centre’s DPDP Rules Mean for Indian AI Startups? appeared first on Analytics India Magazine.
