Panda Law

Data Privacy & Governance

Data Privacy Compliance: DPDP, GDPR, Cross-Border

Does the Digital Personal Data Protection Act, 2023 apply to my business?

If your business collects, stores, processes, or otherwise handles the personal data of individuals in India, the DPDP Act applies to you. It also applies to businesses located outside India if they process personal data in connection with offering goods or services to individuals in India. The Act applies to personal data processed in digital form as well as personal data that is collected in non-digital form and subsequently digitised. In practical terms, if you have customers, employees, vendors, or users in India whose personal data you handle, the Act is likely to apply.

What is personal data under the DPDP Act?

Personal data is any data about an individual who is identifiable by or in relation to that data. This includes obvious identifiers like names, email addresses, phone numbers, and identity document numbers, as well as data that can indirectly identify a person when combined with other information. It covers employee data, customer data, user data, and any other data relating to an identifiable individual. The DPDP Act does not apply to anonymised data, i.e., data from which the individual can no longer be identified.

What is the difference between a Data Fiduciary and a Data Processor?

A Data Fiduciary is the entity that determines the purpose and means of processing personal data. A Data Processor is the entity that processes personal data on behalf of a Data Fiduciary. In most cases, if you are collecting data from your customers or employees for your own purposes, you are the Data Fiduciary. If you are a service provider handling data on behalf of another company according to their instructions, you are a Data Processor. The distinction matters because the DPDP Act places primary obligations and accountability on the Data Fiduciary.

What are the requirements for valid consent under the DPDP Act?

Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. You must provide a notice to the individual in clear and plain language before or at the time of collecting their data, specifying what data you are collecting, the purpose of processing, and how they can exercise their rights. Consent must be obtained for each specified purpose and cannot be bundled. Individuals have the right to withdraw consent at any time, and you must make the withdrawal process as easy as the process for giving consent.

What are the penalties for non-compliance under the DPDP Act?

The DPDP Act prescribes significant financial penalties. These range up to Rs. 50 crore for failure to take reasonable security measures to prevent a data breach, up to Rs. 200 crore for non-compliance with obligations regarding children’s data, and up to Rs. 250 crore for breach of other provisions. The Data Protection Board of India is the adjudicatory body empowered to impose these penalties. The quantum of penalty in each case will depend on the nature, gravity, and duration of the breach, the type and volume of personal data affected, and the actions taken by the entity to mitigate the breach.

Does the GDPR apply to my Indian company?

The EU GDPR applies to your Indian company if you offer goods or services to individuals in the EU (even if you do not have a physical presence there) or if you monitor the behaviour of individuals in the EU, for example through website analytics, tracking, or profiling. If your product has EU users, if your app is available in EU app stores, or if your website targets EU customers, the GDPR is likely to apply. Non-compliance can attract fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher. We advise on assessing applicability and structuring compliance across both the DPDP Act and the GDPR simultaneously.

How is the DPDP Act different from the GDPR?

While both are comprehensive data protection frameworks, there are significant differences. The DPDP Act applies only to personal data processed in digital form (or digitised non-digital data), while the GDPR applies to all personal data regardless of form. The GDPR provides for a broader set of lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests), while the DPDP Act currently relies primarily on consent and certain deemed consent situations. The GDPR includes specific provisions on data portability, the right to erasure, data protection impact assessments, and data protection officers that are more detailed than the current DPDP framework. The penalty structures also differ. We advise companies operating across both jurisdictions on building a unified compliance framework that satisfies both regimes.

What should I do if there is a data breach?

Under the DPDP Act, a Data Fiduciary must notify the Data Protection Board of India and each affected individual of a personal data breach. The DPDP Rules prescribe the form, manner, and timelines for notification. Under the GDPR, notification to the supervisory authority must be made within 72 hours of becoming aware of the breach, and individuals must be notified without undue delay if the breach poses a high risk to their rights. Practically, you should have a data breach response plan in place before a breach occurs, including internal escalation procedures, forensic investigation protocols, notification templates, and communication strategies. We assist in both building breach response plans and managing actual breach incidents.