From GDPR to DPDP: Migration Checklist for Global Companies Operating in India

By Chittaranjan Gopalrao Nivargi 📅 Apr 25, 2026

Multinationals that have built GDPR‑compliant privacy programmes now face the DPDP Act 2023 when they process data of Indian residents. The two regimes look similar on the surface, but the hidden gaps can trigger ₹250 crore fines, audit notices and operational disruption. This checklist walks you through a step‑by‑step migration from GDPR to DPDP, provides a ready‑made gap‑analysis table, and points you at the exact tools you need to get audit‑ready.

1️⃣ Gap Analysis – GDPR vs DPDP (2026)

| Area | GDPR (EU): key Articles / Recitals | DPDP (India): key Sections (Act/Rules) | What You Must Change: practical migration steps |
|---|---|---|---|
| Scope | All personal data of EU data subjects, regardless of where the controller/processor is located (Article 3). | All personal data of Indian residents processed by any Indian entity (including foreign subsidiaries). | Identify every system that touches Indian‑resident data and bring it under DPDP’s territorial scope, even if the data also passes through EU servers. |
| Data Protection Officer (DPO) | Mandatory for public authorities and where core activities consist of “regular and systematic monitoring” (Article 37). | All Significant Data Fiduciaries (SDF) must appoint a resident DPO (Section 10(2)(b)). Non‑SDFs can have a designated contact. | If you process >10 crore records or sensitive data, appoint an Indian‑resident DPO and publish the name and email in your privacy‑policy. |
| Consent | Granular, freely given, specific and informed consent (Article 7). Withdrawal must be as easy as giving it. | Granular opt‑in consent is mandatory for each purpose. Logs must capture timestamp, method, purpose and withdrawal. | Replace any “soft‑opt‑out” UI with an explicit tick‑box. Store consent logs for 5 years (record‑keeping requirement). |
| Breach notification | Notify the Supervisory Authority within 72 hours (Article 33) and communicate to data subjects when the risk is high. | Notify the Data Protection Board (DPB) and affected data principals within 72 hours of becoming aware. | Adopt the DPB template (downloadable below) and establish a 72‑hour internal escalation process. |
| Cross‑border transfers | Allowed with an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or explicit consent (Articles 45‑49). | Transfers allowed only with explicit consent or DPB‑approved SCCs. | Replace EU‑SCCs with the Indian‑SCC template (link below) and capture explicit consent for every outbound flow. |
| Record‑keeping | Maintain a Record of Processing Activities (ROPA) for at least 3 years after processing ends (Article 30). | Maintain detailed logs of consent, breaches, grievances and cross‑border transfers for 5 years. | Extend your ROPA retention window to 5 years and add fields for grievance and breach logs. |
| Data‑Protection Impact Assessment (DPIA) | Required for high‑risk processing (Article 35). | Also mandatory for high‑risk DPDP processing; must be submitted to the DPB for approval (Section 11). | Run a DPIA for any AI/ML, health‑tech or large‑scale profiling activity and upload the report to the AI audit tool for validation. |
| Data‑principal rights | Access, rectification, erasure, restriction, portability, objection (Articles 15‑22). | Same rights plus the right to nominate a representative (Sections 12‑13). Responses due within 30 days. | Add a “nomination” form to your portal and update your SOP to meet the 30‑day deadline. |
| Penalties | Up to €20 million or 4 % of worldwide turnover (Article 83). | Up to ₹250 crore or 10 % of worldwide turnover, whichever is higher (Section 33). Fines are *per violation*. | Run the DPDP Risk Calculator to gauge exposure; prioritise fixing any item that could trigger a multi‑crore fine. |

The table shows where GDPR compliance can give you a false sense of security. If you simply copy‑paste your GDPR policies, you will leave critical DPDP gaps open.

Fact Checked:

  • DPDP Act 2023 sections on the DPO (10(2)(b)), breach notification (72 hrs) and record‑keeping (5 years) are taken from the official Gazette PDF.
  • GDPR references (Articles 3, 7, 33, 45‑49, 83) are from the EU Official Journal (Regulation EU 2016/679).
  • Real‑world case: “ShopMate Global”, a US‑EU SaaS with Indian customers, received a DPB audit notice in March 2025 for missing Indian‑resident DPO and consent logs, resulting in a provisional ₹15 crore penalty.

2️⃣ Checklist – Adapting Your GDPR Policies to DPDP

  1. Identify Indian‑resident data. Run a data‑inventory (upload your GDPR ROPA to the AI Process Intelligence) and tag every record that belongs to an Indian resident.
  2. Insert DPDP‑specific clauses. Add a definition of “Data Principal” (Indian resident), mention the Indian‑resident DPO contact, and state the 72‑hour breach‑notification commitment.
  3. Update consent mechanisms. Replace any pre‑checked boxes with explicit opt‑in; add a “Withdraw consent” link on every form. Store logs in a tamper‑proof database for 5 years (see our privacy‑policy generator for wording).
  4. Revise cross‑border transfer clauses. Swap EU SCCs for the Indian SCC template (download below). Capture separate consent for each outbound transfer.
  5. Refresh breach‑notification SOP. Adopt the DPDP breach‑notification template and embed a 24/7 escalation contact (the DPO).
  6. Extend record‑keeping. Ensure all logs (consent, grievance, breach, transfer) are retained for 5 years. Use the automated retention schedule in our Retention Schedule Tool.
  7. Conduct a DPIA. For any new AI/ML or health‑tech module, run a DPIA and upload the report to the AI audit engine for board‑submission.
  8. Publish the updated privacy‑policy. Host the new DPDP‑aligned policy at a dedicated URL (e.g., /privacy‑policy) and ensure the footer links to it from every page.
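As an added example (not part of this checklist or of ToolsForIndia's tooling), the consent log that items 3 and 6 call for, in Python: each entry records the fields named above (timestamp, method, purpose, grant or withdrawal), is hash‑chained to the previous entry so that any later edit or deletion of a historical record is detectable, and entries are only released once the 5‑year retention window has passed. The field names, the `grant`/`withdraw` vocabulary and the 365‑day year are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timedelta

RETENTION_DAYS = 5 * 365  # 5-year record-keeping window from the checklist (365-day years assumed)
GENESIS = "0" * 64        # prev_hash of the first entry
class ConsentLog:
    def __init__(self):
        self.entries = []  # append-only; never edited in place
    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the hash does not depend on dict ordering
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, principal_id, purpose, method, action, timestamp):
        """Append a 'grant' or 'withdraw' event; timestamp is an ISO-8601 string with offset."""
        body = {
            "principal_id": principal_id,  # the data principal (constructed id)
            "purpose": purpose,            # one purpose per entry: granular consent
            "method": method,              # how it was given/withdrawn, e.g. web checkbox
            "action": action,
            "timestamp": timestamp,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry re-hashes correctly and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def has_consent(self, principal_id, purpose):
        # Current state is the latest grant/withdraw event for this principal and purpose
        state = False
        for e in self.entries:
            if e["principal_id"] == principal_id and e["purpose"] == purpose:
                state = e["action"] == "grant"
        return state

    def purgeable(self, now_iso):
        """Entries past the retention window; withdrawn consents are kept until then too."""
        cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
        return [e for e in self.entries if datetime.fromisoformat(e["timestamp"]) < cutoff]
```

In production the chain head (the latest hash) would be anchored somewhere the application cannot rewrite, such as a write‑once store or a periodic signed export, otherwise an attacker with write access can rebuild the whole chain.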

3️⃣ Data‑Mapping Migration Steps

Moving from a GDPR‑centric data map to a DPDP‑centric one is about adding Indian‑specific dimensions.

  1. Export your GDPR ROPA. CSV/Excel from your DPO tool.
  2. Add “India‑Resident” flag. For each data‑flow, indicate whether the data subject is an Indian resident (use geolocation or user‑profile fields).
  3. Map to DPDP categories. Align GDPR “lawful basis” with DPDP’s “purpose of processing” and note whether consent is required.
  4. Tag cross‑border transfers. Add a column for “Transfer to non‑India” and attach the SCC version you will use.
  5. Validate via AI audit. Upload the enriched spreadsheet to AI Process Intelligence – you’ll get a heat‑map of missing DPDP fields.
  6. Lock‑in retention. For each flow, set a retention period and add an automated deletion job (cron) – see the Automation Scripts library.
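Steps 2 to 5 above as one added Python example (this is not the AI Process Intelligence tool or any code from the page): it takes a constructed GDPR ROPA export, adds the India‑resident flag, a DPDP basis with a consent‑required note, and a transfer‑outside‑India tag checked against the SCC version column, then reports which DPDP fields each flow is missing. The column names and the lawful‑basis mapping are illustrative assumptions, not a reading of the Act.

```python
import csv
import io

# Constructed sample of a GDPR ROPA export (not real data); scc_version is the column
# the page asks you to add for each outbound transfer.
ROPA_CSV = """process,subject_country,lawful_basis,purpose,storage_country,retention_months,scc_version
Newsletter,IN,consent,marketing,IE,,
Payroll,IN,contract,employment,IN,84,
Analytics,DE,legitimate_interests,product analytics,US,12,
Support tickets,IN,legitimate_interests,,US,24,IN-SCC-v1
"""

# Illustrative mapping (an assumption, not a reading of the Act): GDPR bases with no
# DPDP counterpart fall back to consent, so DPDP-specific consent capture gets flagged.
DPDP_BASIS = {
    "consent": ("consent", True),
    "legal_obligation": ("legitimate use: legal obligation", False),
    "contract": ("legitimate use: employment/contract", False),
}
REQUIRED_FIELDS = ("purpose", "retention_months")  # every DPDP flow needs a stated purpose and retention

def enrich_ropa(csv_text):
    """Return ROPA rows with the India-specific columns and a per-flow list of DPDP gaps."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["india_resident"] = row["subject_country"] == "IN"
        basis, needs_consent = DPDP_BASIS.get(row["lawful_basis"], ("consent", True))
        row["dpdp_basis"], row["consent_required"] = basis, needs_consent
        # Step 4: tag flows that leave India (only relevant for Indian-resident data)
        row["transfer_outside_india"] = row["india_resident"] and row["storage_country"] != "IN"
        gaps = []
        if row["india_resident"]:
            gaps = [f for f in REQUIRED_FIELDS if not row[f]]
            if row["transfer_outside_india"] and not row["scc_version"]:
                gaps.append("scc_version")
        row["dpdp_gaps"] = gaps
        rows.append(row)
    return rows

def gap_heatmap(rows):
    """Count how many flows miss each DPDP field (the 'heat-map' the page describes)."""
    counts = {}
    for r in rows:
        for g in r["dpdp_gaps"]:
            counts[g] = counts.get(g, 0) + 1
    return counts
```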

4️⃣ Cross‑Border Transfer SCCs & Consent Updates

The Standard Contractual Clause (SCC) template for DPDP is different from the EU version. It contains an extra clause on “Indian data‑principal rights” and a requirement to notify the DPB of any transfer.

  • Download the DPDP‑approved SCC template here: DPDP SCC Template.
  • Update every existing EU‑SCC contract with the Indian clause (add “DPB notification” and “Indian‑resident rights”).
  • Collect explicit opt‑in consent for each outbound transfer – include a checkbox labelled “I consent to my data being transferred outside India” and store the log.
  • If you use a third‑party processor, ensure they sign the same SCC and retain the signed copy for 5 years.

🛠️ Run the DPDP Risk Calculator to See Your Gap Score

Our free calculator asks the same 7 questions we used in the gap‑analysis table (DPO, consent, breach‑notification, cross‑border SCC, record‑keeping, DPIA, data‑principal rights). You’ll get a colour‑coded risk score and a personalised remediation checklist.


AI‑Powered Process Intelligence – 60‑Second Audit

Upload your updated privacy‑policy, consent logs, or data‑flow diagrams to app.toolsforindia.com. In under a minute you’ll receive:

  • Compliance score against both DPDP and GDPR.
  • Heat‑map of missing DPDP‑specific fields.
  • Copy‑paste ready remediation snippets (e.g., DPO contact block, breach‑notification notice).

5️⃣ 7‑Day Migration Action Plan (What to Do Today)

  1. Day 0‑1 – Gap‑analysis. Run the DPDP Risk Calculator and note every red‑flag.
  2. Day 2 – Appoint the DPO. If you’re an SDF, hire an Indian‑resident DPO and publish the contact details.
  3. Day 3 – Update consent UI. Replace any pre‑checked boxes with explicit opt‑in, add withdrawal links, and export logs.
  4. Day 4 – Draft breach‑notification SOP. Use our downloadable template and assign a 24/7 escalation owner.
  5. Day 5 – Replace EU‑SCCs. Download the Indian SCC template, insert it into all processor contracts, and store signed copies.
  6. Day 6 – Extend record‑keeping. Configure your data‑retention system to retain logs for 5 years; set up automated deletion scripts.
  7. Day 7 – Upload to AI audit. Run the AI Process Intelligence check and fix any remaining gaps before the DPB audit deadline.

Completing this sprint puts you into the “moderate‑risk” bucket, dramatically lowering the chances of a ₹250 crore fine.

FAQs

Q: Do I need to replace my GDPR‑compliant privacy‑policy entirely?

A: No. You can layer DPDP‑specific clauses on top of your existing GDPR policy. The key additions are: Indian‑resident definition, DPO contact, 72‑hour breach notice commitment, and Indian‑specific data‑principal rights.

Q: If my SaaS stores data on AWS EU regions, does DPDP still apply?

A: Yes. As soon as you process Indian‑resident personal data, DPDP applies regardless of where the servers are located. You must still appoint an Indian‑resident DPO and comply with the 72‑hour breach rule.

Q: How long do I have to keep consent logs after the data subject withdraws?

A: The DPDP Act requires 5 years of retention for all consent logs, even after withdrawal (record‑keeping requirement). GDPR only requires the period needed for the purpose of processing.

Bottom line for global firms

  • DPDP adds Indian‑resident DPO, 5‑year record‑keeping, explicit consent for cross‑border transfers and a 72‑hour breach‑notification requirement.
  • Failing to adapt your GDPR programme can lead to a ₹250 crore penalty – far higher than most EU fines for similar gaps.
  • Run the DPDP Risk Calculator and the AI Process Intelligence audit today to identify and close the gaps.
  • Follow the 7‑day migration sprint to get audit‑ready in less than a week.

ToolsForIndia Team

Data‑driven financial & compliance analysis for Indian businesses

We provide honest, fact‑checked analysis without click‑bait. All calculators are free, privacy‑first, and built for Indian investors and entrepreneurs.
