“No, you cannot reach out to a customer on your own and take consent on Whatsapp,” Gaurav Mehta told a client. 

“But my chatbot is already in my customer’s Whatsapp!” the client, a major carmaker, retorted, referring to interactive applications used to send reminders or promotions, or answer user queries. 

“Well, if the customer initiates the conversation, then it’s understandable,” Mehta explained. If the company does, it’s not. 

These are the kinds of distinctions Mehta now spends his days unpacking. He is the founder of Concur, a startup angling for a piece of the still infant but potentially lucrative market birthed by the Digital Personal Data Protection Act, 2023: compliance management. 

Since the law was operationalised in November, Mehta has become part translator, part systems architect, turning the dense legalese of the new privacy regime into tech needs and organisational mandates.

At its core, the law redraws how companies are allowed to touch personal data. Any company collecting or storing user information must implement robust systems for taking and managing consent, ensuring it’s free, informed, specific, unconditional, and unambiguous. Users, in turn, can access, rectify, erase, and withdraw consent to the processing of their data. 

And companies—recast as “data fiduciaries”—are expected to build the machinery to make all of this work, including appointing consent managers and data-protection officers.

The deadline for full compliance is mid-2027, but the work has already begun. As enterprises start figuring out what compliance looks like in practice, many are pushing that uncertainty onto firms like Concur. It’s a pretty penny for such services—up to Rs 18 crore in the first 24 months for large enterprises, by one estimate (Deccan Chronicle, “Companies To Incur up to Rs 18 Cr One-Time Cost on DPDP compliance”), and Rs 10 crore for every subsequent year—but the alternative is prohibitive: penalties for non-compliance can reach Rs 250 crore, and higher for children’s data. 

“Compliance is becoming more like finance,” said Raghuveer Kancherla, co-founder of Sprinto, a governance, risk, and compliance (GRC) company. GRC companies provide software and services that help enterprises manage policies, risks and regulatory adherence.