Complete 2026 overview of GDPR for Indian businesses — scope, lawful bases, data subject rights, penalties, and alignment with DPDP Act.
The General Data Protection Regulation (GDPR) is the European Union's flagship privacy law, in force since 25 May 2018. For Indian businesses with even a single EU customer or website visitor, GDPR is not optional — it has extraterritorial reach. In 2026, with India's own Digital Personal Data Protection Act, 2023 (DPDP) now operational, Indian organisations must navigate both regimes side by side. This guide is your starting point on GDPR essentials.
Who does GDPR apply to?
- Any organisation processing personal data of individuals in the EU, regardless of where the organisation is located.
- Any controller or processor with an establishment in the EU.
- Indian SaaS, e-commerce, IT services, BPOs, and freelancers serving EU clients — all fall in scope.
- Even an Indian blog or app that intentionally targets EU users (for example, by publishing in an EU language or accepting payment in euros) falls within GDPR's scope.
Six lawful bases for processing
- Consent — freely given, specific, informed, and unambiguous.
- Contract — necessary to perform a contract with the data subject.
- Legal obligation — required by EU or member state law.
- Vital interests — to protect the life of an individual.
- Public task — performance of a task in public interest by an authority.
- Legitimate interest — pursued by the controller, balanced against the data subject's rights.
Core data subject rights
- Right to be informed about the collection and use of personal data.
- Right of access — copy of personal data and processing details.
- Right to rectification of inaccurate data.
- Right to erasure (the 'right to be forgotten').
- Right to restrict processing.
- Right to data portability — receive data in a machine-readable format.
- Right to object to processing including direct marketing.
- Rights related to automated decision-making and profiling.
Key compliance obligations
Controllers must maintain records of processing activities, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer where mandated, implement appropriate technical and organisational measures, and notify the supervisory authority of personal data breaches within 72 hours. Cross-border data transfers from the EU require either an adequacy decision (India does not currently have one), Standard Contractual Clauses (SCCs), or Binding Corporate Rules.
Penalties for non-compliance
GDPR imposes a two-tier penalty system: up to €10 million or 2% of global annual turnover (whichever is higher) for less serious violations, and up to €20 million or 4% of global annual turnover for severe violations. Regulators across the EU have issued multi-million Euro fines to large tech companies and the trend is now reaching mid-sized businesses, including non-EU exporters.
GDPR vs India's DPDP Act, 2023
- Both apply extraterritorially when processing residents' data — EU residents for GDPR, Indian Data Principals for DPDP.
- GDPR has six lawful bases; DPDP largely relies on 'consent' and 'legitimate uses' (a narrower list than the EU's legitimate interests).
- DPDP fines go up to ₹250 crore per instance, broadly comparable to GDPR severity.
- Many GDPR controls — purpose limitation, data minimisation, breach notification — map closely to DPDP and can be implemented as a unified privacy programme.
Practical roadmap for Indian businesses
- Map data flows — what personal data is collected, from where, processed where, stored where.
- Update privacy notices in clear, plain language with all GDPR-prescribed information.
- Implement cookie consent banners that respect prior consent and rejection.
- Sign Data Processing Agreements with all sub-processors.
- Set up incident response with 72-hour breach notification capability.
Building a GDPR-DPDP unified privacy programme
Indian businesses that serve both EU and Indian customers should not run two parallel privacy programmes — that is expensive and fragile. Instead, design a unified programme keyed to the stricter of the two requirements at each touchpoint. Use GDPR's six lawful bases as the framework, with India's narrower legitimate-use list mapped where applicable. Standardise consent UX, retention schedules, and data subject request workflows. Maintain one Record of Processing Activities (ROPA) covering all jurisdictions, with country-tagged data flows. Run DPIAs for high-risk projects under GDPR Article 35 — these double as the assessment expected by India's DPDP rules. For cross-border transfers from the EU, use Standard Contractual Clauses; for transfers out of India under DPDP, follow the negative-list framework once notified. Train staff once with role-based modules. Appoint a single Privacy Lead (DPO equivalent) reporting to the senior leadership. This unified approach saves cost, reduces inconsistency, and presents a coherent privacy posture to regulators and customers worldwide.
Conclusion
GDPR in 2026 is no longer just an EU concern — it is a baseline for global privacy practice, and India's DPDP Act borrows heavily from its architecture. Indian businesses serving EU users or building global products should build privacy by design and by default into every product release. A clean GDPR programme also fast-tracks DPDP compliance — twin benefits from one effort.