
GDPR + DPDP Dual Compliance for Indian SaaS Targeting EU Buyers

Indian SaaS companies selling to EU customers face GDPR; those selling to Indian customers face the DPDP Act 2023. Most do both. This is a practical dual-compliance programme that reuses 70-80 percent of the underlying work and satisfies both regulators plus EU procurement.

Published 21 May 2026, 11 min read, Codesecure Compliance Team

Key Takeaways

  • GDPR governs EU personal data; DPDP Act 2023 governs Indian Data Principal personal data. Indian SaaS selling to both jurisdictions needs both.
  • 70-80 percent overlap: data mapping, lawful basis, notices, data subject/principal rights, breach response, vendor management, security safeguards.
  • Key differences: GDPR has explicit territorial scope (Article 3) and adequacy mechanism (Article 45); DPDP has narrower legitimate uses (Section 7) than GDPR.
  • Cross-border transfer mechanism differs: GDPR uses SCCs + TIA per Schrems II; DPDP currently permits transfers except to government-notified restricted countries.
  • Combined programme costs roughly 1.3-1.5x of either alone (not 2x). Codesecure's typical fee is INR 2.5L-5L for a combined GDPR + DPDP programme for Indian SaaS.

Why Indian SaaS Companies End Up Doing Both

Indian SaaS companies serving global enterprise customers routinely need both GDPR and DPDP compliance. Three patterns drive this: (1) Indian SaaS originally selling to Indian customers expanding to the EU, (2) Indian SaaS originally selling to US/EU customers now also selling to Indian enterprises, (3) global Indian SaaS where the customer base is mixed from day one.

GDPR (Regulation (EU) 2016/679) governs processing of personal data of individuals in the EU. It applies extraterritorially via Article 3: Indian SaaS offering goods or services to EU residents, or monitoring EU residents' behaviour, falls in scope.

DPDP Act 2023 governs processing of digital personal data of Indian Data Principals. It applies extraterritorially: foreign companies processing Indian personal data are Data Fiduciaries under DPDP. Indian companies are obviously in scope.

Running both as separate programmes is wasteful. The frameworks overlap 70-80 percent on core requirements. A combined programme reuses risk assessment, policies, notices, rights workflows, breach playbooks, vendor management, security safeguards. Indian SaaS doing dual compliance typically pays 1.3-1.5x of one framework, not 2x.

Where GDPR and DPDP Overlap (70-80 Percent)

1. Personal Data Inventory and Mapping

GDPR Article 30 Record of Processing Activities (RoPA). DPDP equivalent through evidence-of-processing documentation. Build once: a unified personal data inventory covering all processing activities, with metadata fields tagged for GDPR-specific (lawful basis under Article 6, special category under Article 9, cross-border under Chapter V) and DPDP-specific (lawful basis under Section 6 or 7, SDF-relevant tagging) requirements.

2. Lawful Basis Analysis

GDPR Article 6 (six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests) plus Article 9 (special category requires explicit additional grounds). DPDP Section 6 (consent) and Section 7 (legitimate uses, narrow list). Build once per processing purpose: identify the lawful basis under each framework. Document justifications. Note: DPDP legitimate uses are narrower than GDPR legitimate interests, so some processing legal under GDPR Article 6(f) may require consent under DPDP.

3. Notices to Data Subjects / Data Principals

GDPR Articles 13 (data collected directly) and 14 (data collected from third parties). DPDP Section 5 notice. Build once: a single notice template that satisfies both frameworks, with the additional information required by each. Most fields are identical; some are framework-specific (GDPR adequacy decision under Article 45; DPDP DPB complaint process). Indian languages required for DPDP per Draft Rules 2025.

4. Consent Capture and Withdrawal

GDPR Article 7 (consent must be freely given, specific, informed, unambiguous). DPDP Section 6 (similar). Build once: a consent capture flow that satisfies both. Retain evidence (timestamp, version of notice, source). Withdrawal must be as easy as giving consent.

5. Data Subject / Data Principal Rights

GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection, automated decision-making). DPDP Sections 11-14 (access, correction, completion, updating, erasure, nominate, grievance). Build once: a single rights workflow with framework-specific timeline (GDPR: 30 days; DPDP: timelines per Rules) and additional rights (GDPR portability under Article 20 not yet in DPDP). Use a single portal or email address for all rights requests.

6. Breach Notification

GDPR Articles 33 (notification to supervisory authority within 72 hours) and 34 (notification to data subjects). DPDP Section 8(6) (notification to DPB and affected Data Principals; timeline per Rules, likely 72 hours). Build once: a single breach playbook with both notification templates. The 72-hour clock applies to both, so the same playbook satisfies both timing requirements.

7. Security Safeguards

GDPR Article 32 (appropriate technical and organisational measures). DPDP Section 8(5) (reasonable security safeguards). Build once: a single security control set aligned with ISO 27001 Annex A. Both frameworks reference 'appropriate' or 'reasonable' standards which align with the same control families.

8. Vendor and Processor Management

GDPR Article 28 (Data Processing Agreement requirements). DPDP equivalent processor obligations. Build once: a single DPA template that satisfies both frameworks. Vendor register. Sub-processor controls. Many vendors already provide GDPR-aligned DPAs; verify they also satisfy DPDP-specific requirements.
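The unified inventory in item 1, the lawful-basis gap analysis in item 2, the EU-to-India transfer check and the consent evidence in item 4 can all hang off one record structure. The following is an added illustration written for this article, not Codesecure's tooling or any regulator's template: the field names, the three sample processing activities, the consent record and the assignment of a lawful basis to each activity are constructed assumptions, and the checks encode only the points the article makes (a GDPR Article 6(f) basis does not carry over to DPDP, Article 9 data needs an additional ground, EU-to-India transfers need SCCs plus a TIA).

```python
"""Unified personal data inventory with dual GDPR/DPDP tagging and gap checks.
Added example for this article; all records below are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# GDPR Article 6 lawful bases and DPDP Section 6 (consent) / Section 7 (legitimate uses),
# as the article names them.
GDPR_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}
DPDP_BASES = {"consent", "legitimate_use"}


@dataclass
class ProcessingActivity:
    """One row of the unified inventory (RoPA entry plus DPDP tags)."""
    name: str
    purpose: str
    eu_data: bool                           # personal data of EU data subjects
    india_data: bool                        # personal data of Indian Data Principals
    gdpr_basis: Optional[str] = None        # Article 6 basis, None if not yet assessed
    dpdp_basis: Optional[str] = None        # Section 6/7 basis, None if not yet assessed
    special_category: bool = False          # GDPR Article 9 data present
    article9_condition: Optional[str] = None  # Article 9(2) ground, if special category
    transfers_eu_to_india: bool = False     # Chapter V transfer
    sccs_and_tia_in_place: bool = False     # SCCs signed and TIA documented


@dataclass
class ConsentRecord:
    """Consent evidence retained for both GDPR Article 7 and DPDP Section 6."""
    principal_id: str
    activity: str
    notice_version: str                     # which notice text the person saw
    source: str                             # where consent was captured (hypothetical labels)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.withdrawn_at is None


def find_gaps(activities: List[ProcessingActivity]) -> List[Tuple[str, str]]:
    """Return (activity, finding) pairs for the dual-compliance checks."""
    findings = []
    for a in activities:
        if a.eu_data:
            if a.gdpr_basis not in GDPR_BASES:
                findings.append((a.name, "GDPR: no valid Article 6 lawful basis recorded"))
            if a.special_category and not a.article9_condition:
                findings.append((a.name, "GDPR: Article 9 data without an Article 9(2) ground"))
            if a.transfers_eu_to_india and not a.sccs_and_tia_in_place:
                findings.append((a.name, "GDPR: EU-to-India transfer without SCCs + TIA"))
        if a.india_data and a.dpdp_basis not in DPDP_BASES:
            if a.gdpr_basis == "legitimate_interests":
                # Section 7 is narrower than Article 6(f): legitimate interests does not
                # carry over, so Section 6 consent is the likely basis.
                findings.append((a.name, "DPDP: GDPR 6(f) basis does not carry over; "
                                         "Section 6 consent likely required"))
            else:
                findings.append((a.name, "DPDP: no Section 6/7 basis recorded"))
    return findings


def sample_inventory() -> List[ProcessingActivity]:
    """Constructed inventory for a hypothetical Indian SaaS with EU and Indian customers."""
    return [
        ProcessingActivity("account_management", "Provide the subscribed service",
                           eu_data=True, india_data=True,
                           gdpr_basis="contract", dpdp_basis="consent"),
        ProcessingActivity("product_analytics", "Usage analytics for product improvement",
                           eu_data=True, india_data=True,
                           gdpr_basis="legitimate_interests", dpdp_basis=None),
        ProcessingActivity("support_ticket_sync", "Route EU customer tickets to the India support team",
                           eu_data=True, india_data=False, gdpr_basis="contract",
                           transfers_eu_to_india=True, sccs_and_tia_in_place=False),
    ]


def sample_consent() -> ConsentRecord:
    """Constructed consent record that was later withdrawn."""
    return ConsentRecord("dp-0001", "product_analytics", "notice-v3", "in-app-banner",
                         given_at=datetime(2026, 1, 10, tzinfo=timezone.utc),
                         withdrawn_at=datetime(2026, 3, 2, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, finding in find_gaps(sample_inventory()):
        print(f"{name}: {finding}")
    print("consent active:", sample_consent().is_active())
```

Running it lists two gaps: the analytics activity relies on GDPR legitimate interests with no DPDP basis, and the ticket sync moves EU data to India without SCCs and a TIA. The consent record keeps the timestamp, notice version and source the article says to retain, and withdrawal is a single field update so it is no harder than giving consent.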


Where GDPR and DPDP Differ: What Needs Separate Workflows

Cross-Border Transfer Mechanism

GDPR Chapter V: adequacy decision (Article 45), Standard Contractual Clauses (Article 46), Binding Corporate Rules (Article 47), derogations (Article 49). India does not have GDPR adequacy. EU-to-India transfers therefore require SCCs (the 2021 SCCs) plus a Transfer Impact Assessment (TIA) per Schrems II. DPDP Section 16 permits transfers to any country except those notified by the central government as restricted. Currently there is no restricted list. DPDP cross-border transfer is structurally simpler than GDPR.

Data Protection Officer Appointment

GDPR Article 37 mandates DPO appointment for: public authorities, large-scale regular and systematic monitoring of data subjects, large-scale processing of special categories. DPDP Section 10 mandates DPO appointment for Significant Data Fiduciaries (notification criteria pending). The triggers differ: a company that needs a DPO under GDPR may not be an SDF under DPDP, and vice versa. Indian SaaS serving a large EU customer base often needs a GDPR DPO before DPDP SDF designation.

Right to Data Portability

GDPR Article 20 gives data subjects the right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller. DPDP currently does not have an explicit portability right (might appear in Rules). Build the portability capability anyway for GDPR; DPDP may add it later.

Automated Decision Making and Profiling

GDPR Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing including profiling. DPDP does not have an explicit equivalent yet. Operate to GDPR standard if your processing falls in scope; document the human-in-the-loop where required.

Children's Data

GDPR Article 8: parental consent for children under 16 (member state can lower to 13). DPDP Section 9: parental consent for children under 18, additional special protections. DPDP threshold is higher; Indian SaaS operating with both EU and Indian children's data should align to DPDP 18 threshold for Indian users, GDPR-member-state threshold for EU users.

Codesecure Combined GDPR + DPDP Programme Structure

Typical Indian SaaS engagement: 12-16 weeks end to end for combined GDPR + DPDP programme. Codesecure pricing: INR 2.5L-5L depending on scope (EU and Indian customer volume, special category data presence, processor vs controller status, SDF likelihood).

Phase structure: weeks 1-3 unified data mapping and RoPA, weeks 4-6 lawful basis analysis and notice authoring, weeks 7-9 rights workflow and breach playbook, weeks 10-12 cross-border transfer mechanism (SCCs + TIA for GDPR) and DPO advisory, weeks 13-16 internal validation and operational readiness. Output: single integrated privacy programme satisfying both frameworks plus customer due diligence asks.


Frequently Asked Questions

Does our Indian SaaS need GDPR if we only have a few EU customers?

Yes if you process personal data of EU residents. GDPR applies extraterritorially via Article 3. There is no de minimis exemption based on customer count. Even one EU enterprise customer triggers GDPR for that customer's data. Most Indian SaaS targeting global enterprise customers eventually need GDPR; better to build it before the first EU customer signs.

Can we run GDPR alone and add DPDP later, or build both together?

Build both together. The frameworks overlap 70-80 percent on underlying work; running them separately duplicates the data mapping, notice authoring, rights workflow build, breach playbook. Codesecure runs combined programmes routinely. Cost premium of combined vs single: only 1.3-1.5x, not 2x.

What is the biggest GDPR + DPDP difference Indian SaaS underestimates?

Cross-border transfer mechanism. GDPR requires SCCs plus Transfer Impact Assessment for transfers to India (no adequacy decision). DPDP currently permits transfers except to government-notified restricted countries (no restricted list yet). Indian SaaS often skips the SCCs + TIA work for EU-to-India transfers because DPDP is simpler. EU customers in due diligence ask for SCCs explicitly; missing them blocks deals.

Do we need separate Data Protection Officers for GDPR and DPDP?

Possibly. GDPR Article 37 DPO triggers (large-scale monitoring, large-scale special category processing) differ from DPDP Section 10 SDF triggers (volume, sensitivity, risk to electoral democracy). Indian SaaS may need GDPR DPO without being SDF, or vice versa. One person can serve both roles if qualified. Codesecure offers outsourced DPO retainer (INR 30K-60K per quarter) that satisfies both frameworks where the same individual is appropriate.

Does ISO 27001 satisfy GDPR + DPDP security requirements?

Largely yes. ISO 27001 Annex A controls satisfy GDPR Article 32 'appropriate technical and organisational measures' and DPDP Section 8(5) 'reasonable security safeguards'. ISO 27701 (Privacy Information Management System, extending ISO 27001) adds privacy-specific controls. Indian SaaS running ISO 27001 + 27701 has the strongest combined security and privacy posture. Codesecure routinely runs ISO 27001 + 27701 + GDPR + DPDP as one integrated programme.

How long is a combined GDPR + DPDP programme implementation?

12-16 weeks for typical Indian SaaS. Pre-existing ISO 27001 ISMS shortens to 10-12 weeks. Larger organisations or those handling special category / sensitive data extend to 16-20 weeks. Codesecure provides fixed-fee engagement with named consultants and weekly milestone reviews.

Will the GDPR + DPDP programme satisfy EU enterprise customer due diligence?

Yes. EU enterprise procurement typically asks for: data mapping or RoPA evidence, lawful basis documentation, DPA template, breach notification procedure, DPO contact (if appointed), recent privacy audit or DPIA where applicable, cross-border transfer mechanism documentation. Codesecure programmes produce all of these as audit-ready evidence in the format EU procurement teams expect.


Codesecure Compliance Team

ISO/IEC 27001:2022 Certified Compliance Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs HIPAA, GDPR, NIST CSF, DPDP, ISO 27001 and SOC 2 compliance programmes for Indian businesses across fintech, healthcare, SaaS, manufacturing and e-commerce. Named consultants, fixed-fee engagements, audit-ready evidence packs.
