India, Jan. 3 -- In 2026, Indian companies will be forced to ask a question that would have sounded absurd even a year ago: when does it make sense to delete perfectly usable data, on purpose? Not because the data is wrong. Not because it lacks value. But because keeping it may now cost more than letting it go. That is the quiet shift the Digital Personal Data Protection Act (DPDA) triggers this year. Privacy, for the first time, is no longer a debate about rights. It is a question of systems, cost and scale. This is because the rules are now settled and have moved into execution mode. So, in 2026, privacy will no longer be tested in courtrooms, but inside databases, software systems and supply chains that process personal data continuously, at volumes that leave little room for human oversight. Once privacy enters these systems, it stops being something that can be debated or corrected later. It must work. Every time. This shift explains why a new set of start-ups has begun to appear around privacy. According to Vinayak Godse, CEO of Data Security Council of India (DSCI), there are around 30 Indian start-ups today working specifically on privacy technologies. Their emergence, he says, is driven by clarity. Once companies know what is expected of them, demand moves towards tools. Most of these start-ups are dealing with the unavoidable mechanics of compliance. Godse says a majority are building systems for privacy management and governance-tools that help companies track consent, respond to user complaints, handle data requests and give senior management a clear view of where risk sits. None of this is theoretical. Once DPDP moves into enforcement, these tasks stop being occasional. They become continuous. And when they play out simultaneously across banking, healthcare, insurance, manufacturing and energy, it is inevitable that manual processes collapse. Then there are a smaller group of start-ups working on a harder problem. These firms are trying to make it possible to use data without exposing it. Godse points to technologies such as anonymisation, encryption and cryptographic methods that allow analysis or computation while masking personal identity. This is not about avoiding the law. It is about making large digital systems workable in a country where transactions run into billions and many of them still connect to public infrastructure. This is also where an old assumption begins to fail. For years, data was treated as a straightforward asset. The logic was simple. Collect more. Store more. Use more. DPDP breaks that logic. Data now carries responsibility. And responsibility carries cost. Every additional piece of personal data retained has to be justified, protected and accounted for. For a fast-moving digital economy, that can feel like friction. It can even feel like a slowdown. But by forcing companies to define purpose, obtain consent and justify processing, the law provides a clearer legal foundation for using data. What it removes is ambiguity. And at Indian scale, ambiguity is often more dangerous than constraint. The tension sharpens once artificial intelligence enters the system. Companies want AI to deliver efficiency and insight. The question is how much these systems need to know about the individual to do so. Godse points out that choices now matter. They determine whether AI systems amplify risk. Or absorb it. He explains the shift with a contrast most people instinctively recognise. Older IVR systems were blunt by design. "Press one for yes. Press two for no." No response, and the system exited. Disclosure by structure. Conversational AI works differently. It invites explanation. It sounds attentive. And it encourages people to speak freely, often beyond what a transaction requires. It draws disclosure out, at scale. This difference matters. When such systems operate across millions of interactions, and when AI agents begin interacting with other agents, privacy risks arise from design. Decisions about how much data is consumed, shared or retained stop being matters of compliance. They become architectural choices. This brings the focus back to India's distinctive position. Europe invested heavily in writing privacy into law. India invested in building digital systems. Aadhaar, UPI and the wider India Stack were not conceived as privacy projects. But they created interoperability at scale. Godse sees this as an opportunity. Scale has already been reached. The harder task is pairing it with credible privacy protection. If digital systems can be redesigned to deliver value without unnecessary exposure....