New Delhi, June 30 -- With less than a year to go before the Digital Personal Data Protection (DPDP) Act takes effect, startups are scrambling to understand what the law requires of them, leading to a rise in legal and compliance queries since the draft rules were notified in November last year. Experts say some founders wrongly assume smaller businesses are exempt and many are hazy on where there data actually is, even as they all grapple with data mapping, third-party processing and artificial intelligence (AI)-related privacy obligations.

The Act, which governs how organizations process individuals' digital personal data, must be complied with by 13 May 2027.

A major concern among startups is understanding whether the law applies to ...