A few years ago, a privacy question in a term sheet meeting would have drawn blank looks. Today, founders are walking into due diligence rooms and being asked, in plain terms, whether their company complies with India’s data protection law. The question is no longer theoretical, and a vague answer is starting to cost money in valuation, in deal timelines, and occasionally in the deal itself.
The shift has a clear cause. India now has a rapidly evolving fully operational data protection regime, and investors have realised that a startup’s handling of personal data is no longer a soft compliance footnote. It is a quantifiable liability that sits on the balance sheet, can trigger penalties large enough to wipe out a funding round, and can surface as an indemnity claim long after the cheque has cleared. For any company raising capital, understanding why this question is being asked is the first step to answering it well.
What Changed in the Law
The Digital Personal Data Protection Act, 2023, set the foundation for India’s data protection framework., Greater operational clarity emerged with the notification of the Digital Personal Data Protection Rules, 2025 by the Ministry of Electronics and Information Technology through Gazette notification G.S.R. 846(E), which set out the procedural and compliance architecture for implementation of the regime. but it sat largely dormant until the operating rules arrived. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025, through Gazette notification G.S.R. 846(E).
The Rules are intended to operationalize several aspects of the framework. The Rules switched the framework on. They set out how consent must be obtained, how privacy notices must be drafted, how data breaches must be reported, how user rights must be honoured, and what security a company must maintain. The rules also fixed the runway: organizations have roughly eighteen months, with full compliance required by 13 May 2027. Some obligations, such as those concerning the Data Protection Board, apply earlier. This phased structure is precisely why investors are raising the issue now rather than waiting. A company raising a round in 2026 will, in most cases, still be holding that investment well past the compliance deadline, so the diligence is forward-looking by design.
Why a Penalty Becomes a Valuation Problem
The reason investors care is financial, not philosophical. The penalties under the DPDP Act are severe and, importantly, are not capped against a company’s revenue.
Failure to implement reasonable security safeguards that results in a personal data breach can attract a penalty of up to 250 crore rupees under the Act, with the broader penalty band running from 50 crore rupees upwards depending on the violation. There is no materiality threshold that protects a small company, and proportionality offers comfort but not immunity. A startup processing large volumes of sensitive personal data student or health data faces the same maximum exposure as a large corporation. For an investor running the numbers, an undisclosed compliance gap is a contingent liability that has to be priced into the valuation or covered by an indemnity from the founders, which is one of the most heavily negotiated points in any definitive agreement.
The penalties also flow to the Consolidated Fund of India rather than to affected users, which means a breach does not buy peace through victim compensation. The exposure is to the State, and it is the company that carries it.
The Incidents That Made Investors Pay Attention
Abstract risk rarely moves behaviour. Real losses do.
In August 2024, a companyStar Health and Allied Insurance suffered a data breach that exposed the records of more than thirty million individuals, including health data, identity numbers and policy details, which were later found circulating through automated bots until investigators with court support shut them down. The incident highlighted the prospect of significant regulatory, financial and reputational consequences under India’s evolving data protection framework. The company has faced the prospect of penalties measured in hundreds of crores once the regime bites. Around the same period, another company reportedly suffered a cyberthe WazirX crypto exchange incident thatreportedly resulted in substantial financial losses wiped out close to 1,960 crore rupees in value and triggered industry-wide alarm about security gaps. These episodes turned data protection from a checklist item into a boardroom and investor concern, because they showed how quickly a security failure converts into financial and reputational damage. Investors backing companies that hold large volumes of personal data have absorbed that lesson, and the diligence questionnaire now reflects it.
What Investors Actually Look For
Founders often assume the diligence is about a single privacy policy on the website. It is broader and more practical than that.
Diligence teams want to see that the company processes personal data on a lawful basis. Under Section 7 of the Act, the grounds for processing without consent are limited a closed list, unlike the more flexible legitimate-interest basis under European law, so most Indian startups must rely on properly obtained consent. Reviewers look for clear, itemized privacy notices; a working consent mechanism, defined data retention periods, and the ability to honour user rights such as access and erasure. They also check the grievance machinery, because Rule 14(3) of the DPDP Rules, 2025 requires every data fiduciary to run a grievance redressal system that responds within a defined period not exceeding ninety days, and to publish that timeline. They examine breach readiness, since the Rules require notification within prescribed strict timelines. They examine vendor contracts, because Section 8 of the Act makes the company, as data fiduciary, primarily accountable even when a third-party processor handles the data. A startup that can produce this evidence quickly signals operational maturity. One that cannot do so signals risk, and risk slows deals.
How to Be Ready Before the Question Comes
The companies that handle this well treat compliance as preparation, not paperwork assembled the night before a data room opens.
A sensible starting point is a data map: knowing what personal data the company collects, where it sits, who can access it, and how long it is kept. From there, the priorities are a compliant consent flow, plain-language notices, a published grievance redressal mechanism that meets the ninety-day response window, a documented breach response plan with assigned responsibilities, security measures such as encryption and access controls, and contracts that pass clear obligations down to vendors. Companies likely to be classified as Significant Data Fiduciaries, based on the volume and sensitivity of data they handle, carry heavier duties, including periodic data protection impact assessments and audits. Building these foundations early is far cheaper than retrofitting them under deadline pressure, and it converts a defensive answer into a credible one.
Compliance as a Deal Advantage
Here is the part many founders miss. Strong data governance is no longer only a way to avoid losing value. It has become a way to add it.
The same controls that satisfy a regulator also satisfy an enterprise customer’s procurement team and an investor’s risk committee. A company that can demonstrate privacy maturity wins enterprise contracts faster, closes funding rounds with fewer holdbacks, and presents a cleaner risk profile at exit. As investors and large customers increasingly demand privacy-first practices, early movers gain a genuine edge over peers who delay. The transition period presents companies with an opportunity to build robust compliance systems before enforcement expectations mature further. The eighteen-month runway is generous enough to build properly and short enough that procrastination is a real risk.
For founders preparing to raise, the message is straightforward. The DPDP question is now a standard part of diligence, the penalties behind it are large enough to matter, and the work required to answer it well is achievable with the time the law has provided. Treating it as a strategic asset rather than a compliance chore is what separates the companies that sail through diligence from those that stall in it. At Bridgehead Law, the corporate and startup advisory practice works with founders to build that readiness before an investor ever asks, so that the answer is already in the room.
Disclaimer: This article is intended for general informational purposes only and does not constitute legal advice. Readers should obtain specific legal advice based on their particular facts, sectoral obligations, and evolving regulatory requirements.
