India’s new data protection law is expected to attract investments of about ₹10,000 crore over the next three years as businesses allocate more resources toward privacy automation and services to comply with the norms, according to consulting firm EY India.

Two years after Parliament passed the Digital Personal Data Protection (DPDP) Act, the government on Friday notified the administrative rules that are required for putting the law into effect.

According to EY India, of the nearly ₹10,000 crore anticipated in investments, consent management—a crucial element of compliance—could represent about 10% as large enterprises embed consent systems into their digital infrastructure over the next 12 to 18 months.

Global vendors such as ServiceNow, IBM, OneTrust and TrustArc are already making moves to capture early market share in consent management-as-a-service.

ServiceNow said it is working with four of India’s top five banks. IBM’s access management platform, IBM Verify, is also emerging as a major contender in enterprise deployment.

Among startups, Atlanta-based OneTrust, a global leader in privacy and risk management, announced an expansion into Singapore earlier this year to serve as its APAC hub for markets, including India, Indonesia, Thailand and Malaysia. The nine-year-old firm, now valued at $4.5 billion, has a registered office in Bengaluru and recently entered co-sell partnerships with Deloitte and KPMG to strengthen its India operations.

Meanwhile, California-headquartered TrustArc is in the process of being acquired by Netherlands-based private equity firm Main Capital Partners, a move that will be pivotal for its India expansion, reports suggest.

“The DPDP will create a significant compliance ecosystem in India… with an estimated upwards of ₹10,000 crore opportunity over the next three years across privacy automation and compliance services,” Tiffy Isaac, partner, cybersecurity consulting, EY India, told ET.

“Consent management alone could represent 10% of this spend, which may, however, get subsidized, based on how the commercial model for registered consent manager pans out,” he said.

Email queries sent to IBM, OneTrust and TrustArc remained unanswered till as of press time.

According to the DPDP Act, a consent manager (CM) is a registered entity which operates a neutral, interoperable, privacy-enabled platform for users to give, review, withdraw or modify consent for data fiduciaries.

As per Data Protection Board’s norms, to qualify for registration as a consent manager, an applicant must be a company incorporated in India with a minimum net worth of ₹2 crore.

The IT ministry has selected six companies among Indian firms for its “Code for Consent” challenge . They are: Jio Platforms, Baldor Technologies (IDfy), VertexTech Labs (Redacto), Quagga Tech (Zoop), Concur and Aurelion Future Forge.

“Over the past year, many organisations had already initiated their DPDP programmes mapping data flows, refreshing privacy notices, and redesigning consent journeys,” said Sundareshwar Krishnamurthy, partner and cyber leader at PwC India.

“With the rules now formally in effect, these preparatory steps must evolve into operational, auditable compliance,” he said, adding that the market will see emergence of privacy-as-a-service platforms.

However, challenges remain. “Modernising legacy systems, ensuring multilingual and accessible consent flows, improving consumer awareness, and meeting the technical rigour expected of consent managers,” Krishnamurthy highlighted.

Ganesh Lakshminarayanan, GVP, sales and managing director, India and SAARC, ServiceNow, said, “We see DPDP accelerating the need for enterprise-grade consent and data-governance workflows.”

According to Lakshminarayanan, the next 12-18 months will see rapid acceleration in compliance, with large enterprises moving first, followed by mid-market adoption.

He said consent is no longer a one-time checkbox—it’s now an ongoing, auditable and revocable digital relationship with the customer.

“The biggest challenges we foresee are fragmented data systems, legacy processes and the need for end-to-end visibility across customer touchpoints,” he said, adding that companies are addressing this by shifting toward unified workflow platforms.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!