
DPDP Act vs GDPR for Indian SaaS Startups

DPDP Act 2023 vs GDPR for Indian SaaS startups. Where they overlap, where they diverge, and what to do if you serve both Indian and EU users.

Ashok Kamat
Cybersecify

DPDP Act 2023 and GDPR share the consent and breach-notification spine but differ on scope, rights, enforcement, and penalty structure. DPDP covers digital personal data only; GDPR covers all personal data including paper records. GDPR grants broader data subject rights (data portability, automated decision-making restrictions); DPDP is more prescriptive on consent format and children’s data. Penalties: DPDP caps at INR 250 crore per violation; GDPR caps at 4 percent of global annual turnover or EUR 20 million. Indian SaaS startups serving both Indian and EU users need a single privacy program addressing both regimes explicitly. Compliance with one does not exempt the other.

Key findings

  • Both regimes apply to most India SaaS serving any international audience. DPDP covers Indian Data Principals (extraterritorial reach via Section 3(b)). GDPR covers EU residents regardless of where you are based (Article 3(2)). Compliance with one does not exempt the other.
  • DPDP is NARROWER on scope and rights, BROADER on penalty per violation. Digital personal data only (DPDP) vs all personal data including paper (GDPR). Narrower Data Principal rights (DPDP) vs broader Data Subject rights including portability and automated-decision protections (GDPR). DPDP caps at INR 250 crore per violation; GDPR caps at 4 percent of global annual turnover or EUR 20 million whichever is higher.
  • Cross-border transfer rules are the most operationally consequential divergence. GDPR restricts EU-to-non-EU transfers via adequacy decisions, SCCs, BCRs, or specific derogations (Schrems II makes even SCCs require a transfer impact assessment). DPDP allows transfers by default except to government-notified restricted countries (no list published as of 2026), but the rules around localisation could change.
  • Significant Data Fiduciary (SDF) tier is uniquely Indian. Government-notified based on volume, sensitivity, risk to electoral democracy or public order. SDFs face DPO requirement (Indian-based), mandatory DPIAs, and periodic independent audits. GDPR has equivalent DPO and DPIA triggers but they are activity-based, not government-notified.
  • The compliance design that scales: build to the higher of the two standards per dimension. Data Subject rights to GDPR breadth, children’s age threshold to DPDP (18 not 16), breach notification timeline to GDPR (72 hours), consent format to DPDP prescriptiveness. Unified privacy program with one privacy policy explicitly naming both laws.
  • Common myth to dispel: B2B SaaS is NOT exempt from either law. Personal data of B2B customer employees (work emails, names, login activity, support tickets) is still personal data under both regimes.

Cybersecify is a founder-led Bengaluru-based security firm. We help AI-first and API-first SaaS startups build dual-compliance privacy programs: data flow mapping covering Indian + EU + other geos, unified privacy policy drafting, vendor DPA reviews with both DPDP and GDPR coverage, breach response runbooks practising DPBI and EU supervisory authority notifications. A redacted sample pentest report shows the technical-evidence side of both regimes (Section 8 reasonable security safeguards under DPDP, Article 32 security of processing under GDPR), paired with the policy and process artifacts auditors expect.

If you run an Indian SaaS startup, two privacy laws probably apply to you. The Digital Personal Data Protection Act 2023 (DPDP) for your Indian users, and the General Data Protection Regulation (GDPR) for any EU users you process data on. Many founders assume one is just a translation of the other. They are not.

This is a side-by-side guide to where they overlap, where they diverge, and what an India-based SaaS company needs to do if it serves both audiences.

Quick Answer

DPDP is India’s first dedicated digital personal data law. GDPR is the EU’s broader personal data law. They share the consent and breach-notification spine but differ on scope (DPDP digital only), data subject rights (GDPR has more), enforcement (DPDP through the Data Protection Board of India, GDPR through national supervisory authorities), and penalty structure (DPDP up to INR 250 crore per violation, GDPR up to 4 percent of global turnover or EUR 20 million whichever is higher).

If you serve both Indian and EU users, you need a single privacy program that addresses both regimes explicitly. You do not get a free pass on either by complying with the other.

Side-by-Side Comparison

| Dimension | DPDP Act 2023 | GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data, digital and physical |
| Territorial reach | Processing of digital personal data of individuals in India, including from outside India | Processing personal data of individuals in the EU, regardless of where you are |
| Consent | Free, specific, informed, unconditional, unambiguous, with clear affirmative action | Same standard. GDPR adds an explicit-consent requirement for sensitive categories |
| Children's data | Verifiable parental consent for under 18. Behavioural tracking and targeted advertising prohibited for children | Verifiable parental consent for under 16 (member states can lower to 13). Restrictions on profiling |
| Data subject rights | Access, correction, erasure, grievance redressal, nomination | Access, rectification, erasure, restriction, portability, objection, automated decision rights |
| Breach notification | Notify the Data Protection Board of India and affected individuals (timeline to be specified by rules) | Notify supervisory authority within 72 hours. Notify affected individuals if high risk |
| Cross-border transfer | Allowed except to countries on a government-notified blacklist | Allowed only to adequate countries or via SCCs / BCRs / specific derogations |
| DPO requirement | Significant Data Fiduciary (SDF) must appoint a Data Protection Officer based in India | Required for public bodies, large-scale systematic monitoring, large-scale special category processing |
| Enforcement body | Data Protection Board of India (DPBI) | Supervisory authorities in each EU member state |
| Maximum penalty | INR 250 crore per violation | 4 percent of global annual turnover or EUR 20 million, whichever is higher |
| Right to be forgotten | Erasure right exists but limited to specific scenarios | Full right to erasure with broader applicability |
| Data portability | Not explicitly granted | Explicit right to receive data in structured, machine-readable format |

Where They Overlap

Both laws share a core philosophy that personal data belongs to the individual and processing requires lawful basis, transparency, and accountability. If you have already built GDPR processes, your DPDP work is meaningfully easier. The shared elements are:

Lawful basis for processing. Both require you to identify a legal basis before processing personal data. GDPR explicitly lists six bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). DPDP focuses primarily on consent, with limited grounds for “legitimate uses” (employment, government function, breach response).

Notice obligations. Both require clear, plain-language privacy notices to data subjects before or at the time of collection. The required disclosures overlap significantly.

Consent quality. Both require consent to be free, specific, informed, and unambiguous. Pre-ticked boxes are not consent under either law.

Data minimisation and purpose limitation. Both require you to collect only what you need and use it only for the disclosed purpose.

Accountability. Both require demonstrable evidence that you are complying. This includes policies, processes, training, breach logs, and vendor contracts.

Breach notification. Both require you to notify regulators (and in some cases affected individuals) when a personal data breach occurs.

Data subject rights. Both grant individuals the right to access, correct, and erase their data.

If you already have a GDPR program, the bones of your DPDP program are in place. The work is mapping each existing control to its DPDP equivalent and adding the India-specific pieces.

Where They Diverge

This is where most Indian SaaS founders get caught off guard.

1. Scope is narrower under DPDP

DPDP applies only to digital personal data. GDPR applies to all personal data, including handwritten employee files, paper customer feedback forms, and physical visitor logs at your office. If your operations are entirely digital (most SaaS startups are), this difference rarely matters in practice. But if you have any non-digital processing, GDPR catches it and DPDP does not.

2. Data subject rights are narrower under DPDP

GDPR gives individuals more granular rights:

  • Data portability (receive your data in machine-readable format and transfer it to another controller). DPDP does not explicitly grant this
  • Restriction of processing (pause processing while a dispute is resolved). DPDP does not have a direct equivalent
  • Right to object to processing for direct marketing or based on legitimate interests. DPDP’s framework is narrower
  • Rights related to automated decision-making and profiling. GDPR has explicit protections, DPDP does not

If you serve EU users, you must build infrastructure to honour these rights. If you serve only Indian users, you do not. But most SaaS startups serving any international audience will need them anyway.

3. Cross-border transfer rules

This is the most operationally consequential difference for SaaS.

GDPR restricts data transfer outside the EU/EEA. You need either:

  • An adequacy decision (the destination country has been deemed adequate by the European Commission)
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • A specific derogation (consent, contract necessity, etc.)

The post-Schrems II legal environment means even SCCs require a transfer impact assessment.

DPDP takes a different approach. Cross-border transfer of personal data is allowed by default, except to countries the Indian government notifies as restricted. As of this writing, the government has not published a restricted list. This means DPDP is more permissive on outbound transfers than GDPR.

But: this is a moving target. The DPDP rules (delegated legislation) are still being finalised, and the restricted-country list could change. Build your data architecture assuming you may need to localise certain processing in the future.

4. Children’s data

DPDP defines a child as anyone under 18. GDPR sets the default at under 16 (member states can lower to 13).

Both require verifiable parental consent for processing children’s data. DPDP additionally prohibits behavioural tracking and targeted advertising of children. If your SaaS has any analytics or personalisation that could affect users under 18, this matters.

5. Significant Data Fiduciary tier

DPDP introduces a tier called Significant Data Fiduciary (SDF) for entities the government notifies based on data volume, sensitivity, risk to electoral democracy, public order, or sovereignty. SDFs face stricter obligations:

  • Mandatory appointment of a Data Protection Officer (DPO) based in India
  • Mandatory Data Protection Impact Assessments (DPIAs)
  • Mandatory periodic audits by an independent data auditor

GDPR has DPIA requirements and DPO requirements but they are triggered by activity (large-scale systematic monitoring, large-scale processing of special category data) rather than by government notification. The SDF tier is uniquely Indian.

If your SaaS handles HealthTech data (health records, genetic data) or FinTech data (payment, account information) or processes a large volume of Indian user data, you should plan for SDF designation.

6. Enforcement structure

GDPR is enforced by independent supervisory authorities in each EU member state. They have a track record of investigations, public findings, and large fines.

DPDP is enforced by the Data Protection Board of India (DPBI), a single central body. The DPBI is newly formed and its enforcement track record is still being built. Expect uncertainty in early enforcement years.

7. Penalties

GDPR fines can reach 4 percent of global annual turnover or EUR 20 million, whichever is higher. For a Series B SaaS with global revenue of USD 50 million, that is potentially USD 2 million per violation.

DPDP caps at INR 250 crore per violation (roughly USD 30 million at current rates). The cap applies per violation, not as a turnover percentage. For a small startup, INR 250 crore is existential. For a large enterprise, the GDPR percentage-based fine is potentially larger.

The Cross-Border Data Transfer Trap

This is where most Indian SaaS startups get stuck. You probably have:

  • Application data hosted on AWS / Azure / GCP regions outside India (default for many regions)
  • Customer support tools (Zendesk, Intercom, Freshdesk) processing user data in US data centres
  • Analytics tools (Mixpanel, Amplitude) with US/EU storage
  • Email infrastructure (Resend, Postmark, SendGrid) transiting US servers
  • Payment processors with global processing
  • LLM API calls (OpenAI, Anthropic) with provider-determined data centre routing

Under GDPR, every one of these flows from EU users to non-EU servers triggers transfer rules. You need SCCs in place with each vendor and a transfer impact assessment for each flow.

Under DPDP today, none of these are explicitly restricted unless the destination country is on the (yet-unpublished) restricted list. But the rules around localisation could change, and SDF entities may face stricter localisation requirements.

Practical step: map your data flows now. Document which user populations (Indian, EU, other) generate which categories of personal data and which vendors / regions process each flow. You will need this map for both DPDP and GDPR audits, and you will need to update it whenever you add a vendor.

What to Do If You Serve Both Audiences

This is the most common scenario for Indian SaaS startups (your Indian users are governed by DPDP, your international users include EU users governed by GDPR).

1. Build to the higher standard

For each control, identify which law has the stricter requirement and build to that. Examples:

  • Data subject rights: GDPR is broader. Build the GDPR-grade rights infrastructure (access, rectification, erasure, portability, restriction, objection). It satisfies DPDP automatically.
  • Children’s age threshold: DPDP is stricter (18 vs 16). Use 18 as your default unless you have a specific business reason to handle 16-17 year-olds differently for EU users.
  • Breach notification timeline: GDPR is faster (72 hours). Use 72 hours as your default for both regimes.
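As an added example (not code from the original article or Cybersecify's own tooling), the script below turns the data-flow map from the cross-border section and the "build to the higher standard" rule above into something you can run over your vendor inventory: each flow is tagged with the user population it belongs to, checked for the contractual and transfer gaps each regime requires, and the per-dimension controls are merged to the stricter value. The adequacy set, vendor regions and sample inventory are constructed placeholders, not legal determinations.

```python
"""Dual-regime data-flow checker: an added example, not Cybersecify's tooling.
Encodes the article's table: GDPR needs SCCs plus a transfer impact assessment
for EU data sent to non-adequate countries; DPDP permits transfers unless the
destination is on a government-notified restricted list (none published yet)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Per-regime parameters taken from the article's side-by-side table.
REGIMES: Dict[str, dict] = {
    "GDPR": {"population": "EU", "child_age": 16, "breach_hours": 72,
             "rights": {"access", "rectification", "erasure", "restriction",
                        "portability", "objection", "automated_decision"}},
    "DPDP": {"population": "IN", "child_age": 18, "breach_hours": None,  # rules pending
             "rights": {"access", "correction", "erasure", "grievance", "nomination"}},
}
# Constructed placeholder; substitute the Commission's current adequacy decisions.
GDPR_ADEQUATE: FrozenSet[str] = frozenset({"EU"})


@dataclass
class Flow:
    """One row of the data-flow map: whose data it is and where it goes."""
    population: str                  # where the data subjects are: "EU", "IN", "OTHER"
    category: str                    # e.g. "support_tickets"
    vendor: str
    region: str                      # where the vendor processes it, e.g. "US"
    has_dpa: bool = False            # GDPR Data Processing Agreement in place
    has_scc: bool = False            # Standard Contractual Clauses in place
    has_tia: bool = False            # transfer impact assessment done (Schrems II)
    has_dpdp_contract: bool = False  # DPDP Data Fiduciary / Data Processor agreement


def applicable_regimes(flow: Flow) -> List[str]:
    """Which laws govern this flow, decided by where the data subjects are."""
    return [n for n, r in REGIMES.items() if r["population"] == flow.population]


def assess_flow(flow: Flow, dpdp_restricted: FrozenSet[str] = frozenset()) -> List[str]:
    """Contractual and transfer gaps for one flow under every regime that applies."""
    gaps: List[str] = []
    for regime in applicable_regimes(flow):
        if regime == "GDPR":
            if not flow.has_dpa:
                gaps.append(f"GDPR: DPA needed with {flow.vendor}")
            if flow.region not in GDPR_ADEQUATE:   # outbound EU transfer
                if not flow.has_scc:
                    gaps.append(f"GDPR: SCCs needed with {flow.vendor} ({flow.region})")
                if not flow.has_tia:
                    gaps.append(f"GDPR: TIA needed for {flow.category} -> {flow.region}")
        elif regime == "DPDP":
            if not flow.has_dpdp_contract:
                gaps.append(f"DPDP: processor agreement needed with {flow.vendor}")
            if flow.region in dpdp_restricted:     # only bites once a list is notified
                gaps.append(f"DPDP: {flow.region} restricted; localise {flow.category}")
    return gaps


def effective_controls(regimes: Iterable[str]) -> dict:
    """'Build to the higher standard': the strictest value on each dimension."""
    chosen = [REGIMES[r] for r in regimes]
    deadlines = [r["breach_hours"] for r in chosen if r["breach_hours"] is not None]
    return {"child_age": max(r["child_age"] for r in chosen),
            "breach_hours": min(deadlines) if deadlines else None,
            "rights": set().union(*(r["rights"] for r in chosen))}


if __name__ == "__main__":
    # Constructed sample inventory using the vendors the article lists.
    inventory = [Flow("EU", "support_tickets", "Zendesk", "US", has_dpa=True),
                 Flow("IN", "app_data", "AWS", "SG", has_dpdp_contract=True),
                 Flow("EU", "product_events", "Mixpanel", "EU", has_dpa=True)]
    for f in inventory:
        print(f"{f.population} {f.category} -> {f.vendor}: {assess_flow(f) or 'ok'}")
    print(effective_controls(["DPDP", "GDPR"]))
```

Re-run the checker whenever a vendor or region is added; passing a non-empty `dpdp_restricted` set shows which Indian-user flows you would have to localise if a restricted list is ever notified.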

2. Maintain a unified privacy policy

Have one privacy policy that explicitly references both DPDP and GDPR. Disclose:

  • The legal basis for processing under each regime (DPDP consent + legitimate uses; GDPR’s six bases)
  • Data subject rights under each (the broader GDPR list satisfies DPDP)
  • Contact for the grievance officer (DPDP requirement) and the Data Protection Officer if applicable (GDPR + DPDP-SDF requirement)
  • Cross-border transfer mechanisms used (SCCs, adequacy decisions, India-to-non-India transfers)

3. Track which legal basis governs each user

If you have both DPDP-governed and GDPR-governed users, maintain consent records that distinguish which legal basis applies. When an Indian user requests a list of their data, you reference DPDP rights. When an EU user does the same, you reference GDPR. The processes can be unified, but the underlying legal basis must be tracked correctly.

4. Plan for SDF designation in advance

If your SaaS has any of these characteristics, prepare for SDF status:

  • Health data (HealthTech)
  • Financial transactions or account data (FinTech)
  • Telecom subscriber data
  • Children’s data at scale
  • Cross-border data processing at meaningful volume

SDF designation requires a DPO based in India, mandatory DPIAs, and periodic independent audits. Building this now is cheaper than retrofitting after notification.

5. Vendor risk for both regimes

Every vendor that processes personal data on your behalf needs:

  • A Data Processing Agreement (DPA) under GDPR, with SCCs if they are outside the EU
  • A processing agreement under DPDP, naming you as the Data Fiduciary and them as the Data Processor

Most major SaaS vendors offer GDPR-compliant DPAs. DPDP-specific vendor contracts are still emerging. Check with your legal counsel if your standard DPA is sufficient or needs DPDP addenda.

Common Myths

“DPDP doesn’t apply to us because we are B2B.” False. The personal data of your B2B customer’s employees (work emails, names, login activity) is still personal data under DPDP.

“GDPR doesn’t apply because we don’t have EU customers.” Possibly true, but if any of your users access your service from the EU, even temporarily, GDPR may apply. Check your access logs.

“We are a small startup, we are exempt.” False. Both DPDP and GDPR apply to small entities. There are no startup exemptions, only proportional obligations.

“We can comply with both by writing a privacy policy.” A policy is necessary but not sufficient. Both laws require operational evidence including consent management, vendor contracts, breach response procedures, training, and incident logs. The policy is the public face of an underlying program.

“DPDP rules are not finalised yet, so we don’t need to comply.” Wrong. The Act is law. The delegated rules are still being finalised, but the substantive obligations apply now. Waiting for rules is not a compliance strategy.

Practical Five-Step Checklist

For an Indian SaaS startup serving Indian and EU users, prioritise in this order:

1. Map your data flows. Document what personal data you collect, from whom (Indian users / EU users / other), where it is stored (region by region), which vendors process it, and what each is used for.

2. Update your privacy policy. Make it dual-compliance: DPDP and GDPR explicitly named, all disclosures from both regimes included.

3. Build the consent management infrastructure. Free, specific, informed, unambiguous consent for both regimes. Granular consent (per purpose) and easy withdrawal. Track which user is governed by which legal basis.

4. Set up data subject rights handling. A defined process for access, rectification, erasure, portability (GDPR), and grievance (DPDP). Response within statutory timelines.

5. Vendor and breach response. DPAs with all processors, breach detection and notification procedures, periodic tabletop exercises. Practice notifying the DPBI and GDPR supervisory authorities in your incident response runbook.

For deeper coverage of DPDP specifically, see our DPDP Act 2026 checklist and the post-breach playbook for DPDP.

If you want help mapping your data flows, drafting unified policies, or running an internal audit before formal compliance review, see our audit and compliance services or contact us for a scoping discussion.


Frequently Asked Questions

Does an Indian SaaS startup need to comply with both DPDP and GDPR?

If you process personal data of EU residents, yes. GDPR applies regardless of where your company is based. If you process personal data of Indian residents (and most Indian SaaS does), DPDP applies. Most Indian SaaS startups serving any international customers end up needing both.

Is DPDP just GDPR for India?

No. DPDP shares some core principles with GDPR (consent, purpose limitation, breach notification, data subject rights) but is narrower in scope (only digital personal data, not all personal data) and has different enforcement mechanics. The penalties are also calibrated differently. DPDP caps at INR 250 crore per violation, GDPR caps at 4 percent of global annual turnover or EUR 20 million.

Which is stricter, DPDP or GDPR?

Depends on the dimension. GDPR is broader (covers all personal data, including paper records) and gives data subjects more granular rights (data portability, the right to be forgotten in stronger form, automated decision-making restrictions). DPDP is more prescriptive on consent format, has stricter children's data rules, and gives the government broader rulemaking powers through the Data Protection Board of India. They are not directly rankable as stricter or looser overall.

What if I am a B2B SaaS? Do these laws still apply?

Yes. Both DPDP and GDPR apply to processing of personal data of natural persons regardless of whether you sell to businesses or consumers. The personal data of your B2B customer's employees (their work emails, names, login activity, support tickets) is still personal data under both laws.

Can I use a single privacy policy for both DPDP and GDPR compliance?

You can have one document, but it must explicitly address both regimes. The DPDP-required disclosures (purpose of processing, contact for grievance officer, withdrawal of consent mechanism) and GDPR-required disclosures (legal basis for processing, data subject rights, transfer mechanisms) overlap but are not identical. A unified policy that names both laws and addresses each one's specific requirements works.

Which compliance should an India SaaS prioritise first, DPDP or GDPR?

Depends on your customer geography mix. If your active and likely-next-quarter customer base is mostly Indian, prioritise DPDP first: faster to operationalise, no SCCs to negotiate, no transfer impact assessments, no national supervisory authority interactions. If you have or expect EU customers in the next 6 months, build to GDPR from day one because GDPR is generally the higher bar; building to GDPR satisfies most of DPDP automatically. The wrong move is to delay one regime hoping the other gets you covered; the two regimes overlap on the spine (consent, breach notification, vendor DPAs) but diverge on rights, transfer rules, and DPO triggers, so neither subsumes the other. For most India SaaS serving both, build a single unified program addressing both regimes explicitly. See our [SOC 2 vs ISO 27001 vs DPDP sequencing guide](/blog/soc2-iso27001-dpdp-which-compliance-first/) for the broader compliance roadmap context.

What is the GDPR penalty cap?

4 percent of global annual turnover or EUR 20 million, whichever is higher, per Article 83(5) of the GDPR. "The higher of the two" means large multinationals face turnover-percentage penalties (which can run to billions for a global tech firm), while smaller entities face the EUR 20 million ceiling. Article 83(4) sets a lower tier of 2 percent of global annual turnover or EUR 10 million, whichever is higher, for less severe categories of violation (records, controller obligations, designation of representative). National supervisory authorities consider 11 enumerated aggravating and mitigating factors in setting the actual fine, including the nature, gravity and duration of the infringement, its intentional or negligent character, mitigation actions taken, and cooperation with the authority. For an Indian Series B SaaS with USD 50 million global revenue and a serious Article 5 or Article 6 violation, the calculated fine could approach USD 2 million per violation.

Do I need DPDP compliance if I only have EU users?

Probably not, but read the question carefully. DPDP Section 3(b) gives the Act extraterritorial reach for processing in connection with offering goods or services to Data Principals in India. If you have zero Indian users, no Indian employee data, no Indian vendor contacts being processed by your systems, and no marketing to Indian audiences, DPDP does not apply. The moment any of those changes (an Indian engineer joins, an Indian SaaS becomes your vendor and shares user data with you, you start a marketing campaign targeting India), DPDP applicability triggers. Many EU-only SaaS startups end up with DPDP applicability through the hiring or vendor route rather than through customer acquisition. Audit your actual data flows; do not assume your stated customer geography is the same as your processed-data geography.

Does GDPR apply if my company is India-based with no EU office?

Yes, if you process personal data of individuals in the EU in connection with offering goods or services to them or monitoring their behaviour, per Article 3(2). Office location is irrelevant to applicability. An India-registered SaaS with EU customers must comply with GDPR; this includes appointing an EU representative under Article 27 if the processing is not occasional and involves large-scale processing of special category data or could result in risk to data subject rights. Most India SaaS serving any EU customers fail to appoint an Article 27 representative and would be in technical non-compliance on this single point even with otherwise clean processing. Coverage is also triggered by behaviour monitoring (analytics, profiling, tracking pixels) targeting EU residents, not just by transactional customer relationships.

What is the cross-border data transfer trap most Indian SaaS startups fall into?

The trap is assuming default cloud configurations are compliant. Most Indian SaaS startups host application data on AWS / Azure / GCP regions outside India (Singapore, Frankfurt, US-East are common defaults), use customer support tools (Zendesk, Intercom, Freshdesk) processing user data in US data centres, run analytics (Mixpanel, Amplitude) with US or EU storage, route email through US-based providers (Resend, Postmark, SendGrid), and call LLM APIs (OpenAI, Anthropic) with provider-determined data centre routing. Every one of these flows from EU users to non-EU servers triggers GDPR transfer rules: SCCs in place with each vendor, transfer impact assessment per flow, and post-Schrems II validation that destination country surveillance laws do not undermine the SCC protections. Under DPDP today these are not explicitly restricted but could be if the destination country gets notified as restricted. The practical step is to map your data flows now: which user populations (Indian / EU / other) generate which categories of personal data and which vendors and regions process each flow. You will need this map for both DPDP and GDPR audits, and you will need to update it whenever you add a vendor.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Ashok Kamat on LinkedIn.
