Compliance

DPDP Act vs GDPR for Indian SaaS Startups

DPDP Act 2023 vs GDPR for Indian SaaS startups. Where they overlap, where they diverge, and what to do if you serve both Indian and EU users.

Ashok Kamat
Cyber Secify
11 min read

If you run an Indian SaaS startup, two privacy laws probably apply to you. The Digital Personal Data Protection Act 2023 (DPDP) for your Indian users, and the General Data Protection Regulation (GDPR) for any EU users you process data on. Many founders assume one is just a translation of the other. They are not.

This is a side-by-side guide to where they overlap, where they diverge, and what an India-based SaaS company needs to do if it serves both audiences.

Quick Answer

DPDP is India’s first dedicated digital personal data law. GDPR is the EU’s broader personal data law. They share the consent and breach-notification spine but differ on scope (DPDP covers digital data only), data subject rights (GDPR grants more), enforcement (DPDP through the Data Protection Board of India, GDPR through national supervisory authorities), and penalty structure (DPDP up to INR 250 crore per violation, GDPR up to 4 percent of global turnover or EUR 20 million, whichever is higher).

If you serve both Indian and EU users, you need a single privacy program that addresses both regimes explicitly. You do not get a free pass on either by complying with the other.

Side-by-Side Comparison

| Dimension | DPDP Act 2023 | GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data, digital and physical |
| Territorial reach | Processing of digital personal data of individuals in India, including from outside India | Processing personal data of individuals in the EU, regardless of where you are |
| Consent | Free, specific, informed, unconditional, unambiguous, with clear affirmative action | Same standard. GDPR adds an explicit-consent requirement for sensitive categories |
| Children’s data | Verifiable parental consent for under 18. Behavioural tracking and targeted advertising prohibited for children | Verifiable parental consent for under 16 (member states can lower to 13). Restrictions on profiling |
| Data subject rights | Access, correction, erasure, grievance redressal, nomination | Access, rectification, erasure, restriction, portability, objection, automated decision rights |
| Breach notification | Notify the Data Protection Board of India and affected individuals (timeline to be specified by rules) | Notify supervisory authority within 72 hours. Notify affected individuals if high risk |
| Cross-border transfer | Allowed except to countries on a government-notified blacklist | Allowed only to adequate countries or via SCCs / BCRs / specific derogations |
| DPO requirement | Significant Data Fiduciary (SDF) must appoint a Data Protection Officer based in India | Required for public bodies, large-scale systematic monitoring, large-scale special category processing |
| Enforcement body | Data Protection Board of India (DPBI) | Supervisory authorities in each EU member state |
| Maximum penalty | INR 250 crore per violation | 4 percent of global annual turnover or EUR 20 million, whichever is higher |
| Right to be forgotten | Erasure right exists but limited to specific scenarios | Full right to erasure with broader applicability |
| Data portability | Not explicitly granted | Explicit right to receive data in structured, machine-readable format |

Where They Overlap

Both laws share a core philosophy that personal data belongs to the individual and processing requires lawful basis, transparency, and accountability. If you have already built GDPR processes, your DPDP work is meaningfully easier. The shared elements are:

Lawful basis for processing. Both require you to identify a legal basis before processing personal data. GDPR explicitly lists six bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). DPDP focuses primarily on consent, with limited grounds for “legitimate uses” (employment, government function, breach response).

Notice obligations. Both require clear, plain-language privacy notices to data subjects before or at the time of collection. The required disclosures overlap significantly.

Consent quality. Both require consent to be free, specific, informed, and unambiguous. Pre-ticked boxes are not consent under either law.

Data minimisation and purpose limitation. Both require you to collect only what you need and use it only for the disclosed purpose.

Accountability. Both require demonstrable evidence that you are complying — policies, processes, training, breach logs, vendor contracts.

Breach notification. Both require you to notify regulators (and in some cases affected individuals) when a personal data breach occurs.

Data subject rights. Both grant individuals the right to access, correct, and erase their data.

If you already have a GDPR program, the bones of your DPDP program are in place. The work is mapping each existing control to its DPDP equivalent and adding the India-specific pieces.

Where They Diverge

This is where most Indian SaaS founders get caught off guard.

1. Scope is narrower under DPDP

DPDP applies only to digital personal data. GDPR applies to all personal data, including handwritten employee files, paper customer feedback forms, and physical visitor logs at your office. If your operations are entirely digital (most SaaS startups are), this difference rarely matters in practice. But if you have any non-digital processing, GDPR catches it and DPDP does not.

2. Data subject rights are narrower under DPDP

GDPR gives individuals more granular rights:

  • Data portability (receive your data in machine-readable format and transfer it to another controller) — DPDP does not explicitly grant this
  • Restriction of processing (pause processing while a dispute is resolved) — DPDP does not have a direct equivalent
  • Right to object to processing for direct marketing or based on legitimate interests — DPDP’s framework is narrower
  • Rights related to automated decision-making and profiling — GDPR has explicit protections, DPDP does not

If you serve EU users, you must build infrastructure to honour these rights. If you serve only Indian users, you do not — but most SaaS startups serving any international audience will need them anyway.

3. Cross-border transfer rules

This is the most operationally consequential difference for SaaS.

GDPR restricts data transfer outside the EU/EEA. You need either:

  • An adequacy decision (the destination country has been deemed adequate by the European Commission)
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • A specific derogation (consent, contract necessity, etc.)

The post-Schrems II legal environment means even SCCs require a transfer impact assessment.

DPDP takes a different approach. Cross-border transfer of personal data is allowed by default, except to countries the Indian government notifies as restricted. As of this writing, the government has not published a restricted list. This means DPDP is more permissive on outbound transfers than GDPR.

But: this is a moving target. The DPDP rules (delegated legislation) are still being finalised, and the restricted-country list could change. Build your data architecture assuming you may need to localise certain processing in the future.

4. Children’s data

DPDP defines a child as anyone under 18. GDPR sets the default at under 16 (member states can lower to 13).

Both require verifiable parental consent for processing children’s data. DPDP additionally prohibits behavioural tracking and targeted advertising of children. If your SaaS has any analytics or personalisation that could affect users under 18, this matters.

5. Significant Data Fiduciary tier

DPDP introduces a tier called Significant Data Fiduciary (SDF) for entities the government notifies based on data volume, sensitivity, risk to electoral democracy, public order, or sovereignty. SDFs face stricter obligations:

  • Mandatory appointment of a Data Protection Officer (DPO) based in India
  • Mandatory Data Protection Impact Assessments (DPIAs)
  • Mandatory periodic audits by an independent data auditor

GDPR has DPIA requirements and DPO requirements but they are triggered by activity (large-scale systematic monitoring, large-scale processing of special category data) rather than by government notification. The SDF tier is uniquely Indian.

If your SaaS handles HealthTech data (health records, genetic data) or FinTech data (payment, account information) or processes a large volume of Indian user data, you should plan for SDF designation.

6. Enforcement structure

GDPR is enforced by independent supervisory authorities in each EU member state. They have a track record of investigations, public findings, and large fines.

DPDP is enforced by the Data Protection Board of India (DPBI) — a single central body. The DPBI is newly formed and its enforcement track record is still being built. Expect uncertainty in early enforcement years.

7. Penalties

GDPR fines can reach 4 percent of global annual turnover or EUR 20 million, whichever is higher. For a Series B SaaS with global revenue of USD 50 million, that is potentially USD 2 million per violation.

DPDP caps at INR 250 crore per violation (roughly USD 30 million at current rates). The cap applies per violation, not as a turnover percentage. For a small startup, INR 250 crore is existential. For a large enterprise, the GDPR percentage-based fine is potentially larger.

The Cross-Border Data Transfer Trap

This is where most Indian SaaS startups get stuck. You probably have:

  • Application data hosted on AWS / Azure / GCP regions outside India (default for many regions)
  • Customer support tools (Zendesk, Intercom, Freshdesk) processing user data in US data centres
  • Analytics tools (Mixpanel, Amplitude) with US/EU storage
  • Email infrastructure (Resend, Postmark, SendGrid) transiting US servers
  • Payment processors with global processing
  • LLM API calls (OpenAI, Anthropic) with provider-determined data centre routing

Under GDPR, every one of these flows from EU users to non-EU servers triggers transfer rules. You need SCCs in place with each vendor and a transfer impact assessment for each flow.

Under DPDP today, none of these are explicitly restricted unless the destination country is on the (yet-unpublished) restricted list. But the rules around localisation could change, and SDF entities may face stricter localisation requirements.

Practical step: map your data flows now. Document which user populations (Indian, EU, other) generate which categories of personal data and which vendors / regions process each flow. You will need this map for both DPDP and GDPR audits, and you will need to update it whenever you add a vendor.
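As an added example (not from the article), here is a small Python check that runs over a constructed data-flow inventory and applies the transfer rules just described: EU-subject flows to a non-EEA, non-adequate region need SCCs plus a transfer impact assessment, Indian-subject flows are checked against a restricted-country set that is currently empty, and every processor needs the matching contract under each regime. The EEA and adequacy sets, vendor names, regions and mechanism labels are assumed sample values, not legal references.

```python
"""Data-flow inventory check for the dual-regime mapping step.
Added example, not from the original article; all sets and vendors below
are constructed sample data, not a legal source."""
from dataclasses import dataclass, field

EEA = {"DE", "FR", "IE", "NL", "SE"}          # constructed subset of EU/EEA codes
ADEQUATE = {"GB", "CH", "JP", "CA"}           # constructed adequacy sample; verify it
DPDP_RESTRICTED: set[str] = set()             # empty: no restricted list published yet

@dataclass
class Flow:
    vendor: str
    category: str                 # what personal data is sent
    subjects: set[str]            # user populations: "IN", "EU", "OTHER"
    destination: str              # country code of the processing region
    mechanisms: set[str] = field(default_factory=set)  # e.g. {"DPA", "SCC", "TIA"}

def assess_flow(flow: Flow, restricted: set[str] = DPDP_RESTRICTED) -> list[str]:
    """Return the gaps to close for one flow under each regime it falls under."""
    gaps = []
    if "EU" in flow.subjects:
        if "DPA" not in flow.mechanisms:      # processor contract (GDPR Art. 28)
            gaps.append(f"GDPR: {flow.vendor} lacks a DPA")
        if flow.destination not in EEA and flow.destination not in ADEQUATE:
            # non-adequate third country: SCCs plus a transfer impact assessment
            for need in ("SCC", "TIA"):
                if need not in flow.mechanisms:
                    gaps.append(f"GDPR: {flow.vendor} ({flow.category}) lacks {need}")
    if "IN" in flow.subjects:
        if flow.destination in restricted:
            gaps.append(f"DPDP: {flow.vendor} sends Indian data to restricted {flow.destination}")
        if "DPDP_PROCESSOR" not in flow.mechanisms:
            gaps.append(f"DPDP: {flow.vendor} lacks a fiduciary/processor agreement")
    return gaps

def assess_inventory(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each vendor in the inventory to its list of open gaps."""
    return {f.vendor: assess_flow(f) for f in flows}

# Constructed inventory mirroring the typical stack listed above.
SAMPLE_FLOWS = [
    Flow("support-desk", "tickets", {"IN", "EU"}, "US", {"DPA", "SCC", "DPDP_PROCESSOR"}),
    Flow("analytics", "events", {"IN", "EU"}, "US", {"DPA", "SCC", "TIA", "DPDP_PROCESSOR"}),
    Flow("app-db", "accounts", {"IN", "EU"}, "IE", {"DPA", "DPDP_PROCESSOR"}),
    Flow("llm-api", "prompts", {"IN"}, "US", set()),
]

if __name__ == "__main__":
    for vendor, gaps in assess_inventory(SAMPLE_FLOWS).items():
        print(vendor, "OK" if not gaps else gaps)
```

Re-run the check whenever a vendor or region is added; when the government publishes a restricted list, populate the set and the Indian-subject flows are re-evaluated with no other change.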

What to Do If You Serve Both Audiences

This is the most common scenario for Indian SaaS startups (your Indian users are governed by DPDP, your international users include EU users governed by GDPR).

1. Build to the higher standard

For each control, identify which law has the stricter requirement and build to that. Examples:

  • Data subject rights: GDPR is broader. Build the GDPR-grade rights infrastructure (access, rectification, erasure, portability, restriction, objection). It satisfies DPDP automatically.
  • Children’s age threshold: DPDP is stricter (18 vs 16). Use 18 as your default unless you have a specific business reason to handle 16-17 year-olds differently for EU users.
  • Breach notification timeline: GDPR is faster (72 hours). Use 72 hours as your default for both regimes.

2. Maintain a unified privacy policy

Have one privacy policy that explicitly references both DPDP and GDPR. Disclose:

  • The legal basis for processing under each regime (DPDP consent + legitimate uses; GDPR’s six bases)
  • Data subject rights under each (the broader GDPR list satisfies DPDP)
  • Contact for the grievance officer (DPDP requirement) and the Data Protection Officer if applicable (GDPR + DPDP-SDF requirement)
  • Cross-border transfer mechanisms used (SCCs, adequacy decisions, India-to-non-India transfers)

3. Track which legal basis applies to each user

If you have both DPDP-governed and GDPR-governed users, maintain consent records that distinguish which legal basis applies. When an Indian user requests a list of their data, you reference DPDP rights. When an EU user does the same, you reference GDPR. The processes can be unified, but the underlying legal basis must be tracked correctly.

4. Plan for SDF designation in advance

If your SaaS has any of these characteristics, prepare for SDF status:

  • Health data (HealthTech)
  • Financial transactions or account data (FinTech)
  • Telecom subscriber data
  • Children’s data at scale
  • Cross-border data processing at meaningful volume

SDF designation requires a DPO based in India, mandatory DPIAs, and periodic independent audits. Building this now is cheaper than retrofitting after notification.

5. Vendor risk for both regimes

Every vendor that processes personal data on your behalf needs:

  • A Data Processing Agreement (DPA) under GDPR — with SCCs if they are outside the EU
  • A processing agreement under DPDP — naming you as the Data Fiduciary and them as the Data Processor

Most major SaaS vendors offer GDPR-compliant DPAs. DPDP-specific vendor contracts are still emerging. Check with your legal counsel if your standard DPA is sufficient or needs DPDP addenda.

Common Myths

“DPDP doesn’t apply to us because we are B2B.” False. The personal data of your B2B customer’s employees (work emails, names, login activity) is still personal data under DPDP.

“GDPR doesn’t apply because we don’t have EU customers.” Possibly true — but if any of your users access your service from the EU, even temporarily, GDPR may apply. Check your access logs.

“We are a small startup, we are exempt.” False. Both DPDP and GDPR apply to small entities. There are no startup exemptions, only proportional obligations.

“We can comply with both by writing a privacy policy.” A policy is necessary but not sufficient. Both laws require operational evidence — consent management, vendor contracts, breach response procedures, training, incident logs. The policy is the public face of an underlying program.

“DPDP rules are not finalised yet, so we don’t need to comply.” Wrong. The Act is law. The delegated rules are still being finalised, but the substantive obligations apply now. Waiting for rules is not a compliance strategy.

Practical Five-Step Checklist

For an Indian SaaS startup serving Indian and EU users, prioritise in this order:

1. Map your data flows. Document what personal data you collect, from whom (Indian users / EU users / other), where it is stored (region by region), which vendors process it, and what each is used for.

2. Update your privacy policy. Make it dual-compliance: DPDP and GDPR explicitly named, all disclosures from both regimes included.

3. Build the consent management infrastructure. Free, specific, informed, unambiguous consent for both regimes. Granular consent (per purpose) and easy withdrawal. Track which user is governed by which legal basis.

4. Set up data subject rights handling. A defined process for access, rectification, erasure, portability (GDPR), and grievance (DPDP). Response within statutory timelines.

5. Vendor and breach response. DPAs with all processors, breach detection and notification procedures, periodic tabletop exercises. Practice notifying the DPBI and GDPR supervisory authorities in your incident response runbook.

For deeper coverage of DPDP specifically, see our DPDP Act 2026 checklist and the post-breach playbook for DPDP.

If you want help mapping your data flows, drafting unified policies, or running an internal audit before formal compliance review, see our audit and compliance services or contact us for a scoping discussion.

Frequently Asked Questions

Does an Indian SaaS startup need to comply with both DPDP and GDPR?

If you process personal data of EU residents, yes — GDPR applies regardless of where your company is based. If you process personal data of Indian residents (and most Indian SaaS does), DPDP applies. Most Indian SaaS startups serving any international customers end up needing both.

Is DPDP just GDPR for India?

No. DPDP shares some core principles with GDPR (consent, purpose limitation, breach notification, data subject rights) but is narrower in scope (only digital personal data, not all personal data) and has different enforcement mechanics. The penalties are also calibrated differently — DPDP caps at INR 250 crore per violation, GDPR caps at 4 percent of global annual turnover or EUR 20 million.

Which is stricter, DPDP or GDPR?

Depends on the dimension. GDPR is broader (covers all personal data, including paper records) and gives data subjects more granular rights (data portability, the right to be forgotten in stronger form, automated decision-making restrictions). DPDP is more prescriptive on consent format, has stricter children's data rules, and gives the government broader rulemaking powers through the Data Protection Board of India. They are not directly rankable as stricter or looser overall.

What if I am a B2B SaaS? Do these laws still apply?

Yes. Both DPDP and GDPR apply to processing of personal data of natural persons regardless of whether you sell to businesses or consumers. The personal data of your B2B customer's employees (their work emails, names, login activity, support tickets) is still personal data under both laws.

Can I use a single privacy policy for both DPDP and GDPR compliance?

You can have one document, but it must explicitly address both regimes. The DPDP-required disclosures (purpose of processing, contact for grievance officer, withdrawal of consent mechanism) and GDPR-required disclosures (legal basis for processing, data subject rights, transfer mechanisms) overlap but are not identical. A unified policy that names both laws and addresses each one's specific requirements works.
