Privacy compliance has never been more complex, or more consequential. A SaaS company headquartered in India, processing data of EU residents and selling into the US market, may find itself subject to the GDPR, India's DPDP Act, and ISO 27701 certification requirements simultaneously. The challenge is that each uses different language and imposes different obligations, yet they share significant common ground. Understanding that overlap is what makes a multi-framework strategy efficient rather than duplicative.
The Three Frameworks at a Glance
| | ISO 27701 | GDPR | India DPDP Act |
|---|---|---|---|
| Type | International standard (voluntary) | EU Regulation (legally binding) | Indian legislation (legally binding) |
| Published | 2019 | 2016 (applicable from 25 May 2018) | 2023 (Rules pending) |
| Jurisdiction | Global (wherever adopted) | Data subjects in the EU/EEA, wherever the organisation is based | Digital personal data processed in India, or processed abroad in connection with offering goods or services to individuals in India |
| Enforced by | Certification body (auditor) | Data protection authorities | Data Protection Board of India |
| Max penalty | Loss of certification | EUR 20M or 4% of global annual turnover, whichever is higher | INR 250 crore per instance |
| Purpose | Operational privacy management framework | Rights-based data protection law | Rights-based personal data protection law |
ISO 27701 tells you HOW to build and run a privacy programme. GDPR and DPDP tell you WHAT rights individuals have and what obligations you must meet under law. The standard and the regulations are complementary, not competing: the standard is a vehicle for meeting the regulations' requirements in an auditable, structured way.
Scope and Applicability: Who Does Each Apply To?
- GDPR: Any organisation established in the EU/EEA, and any organisation elsewhere that offers goods or services to, or monitors the behaviour of, people in the EU/EEA (Article 3). There is no revenue threshold: a Pune startup that sells to customers in Germany is in scope.
- DPDP Act: Processing of digital personal data within India, and processing outside India in connection with offering goods or services to individuals in India (Section 3). Extraterritorial reach, similar to GDPR.
- ISO 27701: Any organisation that processes PII, regardless of type, size, or nature. Adopted voluntarily; not triggered by geography or the nationality of data subjects.
If you are an Indian organisation serving EU customers and Indian consumers, both GDPR and DPDP apply to you simultaneously and independently. ISO 27701 gives you a single operational framework to satisfy both, with documented evidence for regulators and enterprise buyers in any jurisdiction.
Legal Basis for Processing: Similar Intent, Different Architecture
- GDPR (Article 6): Six lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests allows processing without consent but requires a documented balancing test.
- DPDP Act: Consent-first (Section 6) with a closed list of "legitimate uses" (Section 7) such as employment, medical emergencies, legal proceedings and State functions. There is no open-ended legitimate-interests balancing test equivalent to GDPR's.
- ISO 27701: Framework-agnostic. It requires you to identify and document the legal basis for each processing activity but does not specify which bases are valid, so it adapts to whichever regulation governs your organisation.
Data Subject Rights: Broadly Aligned, Specifically Different
| Right | GDPR | DPDP Act |
|---|---|---|
| Access | Copy of the data plus information about the processing (Article 15) | Summary of the data and processing activities, plus the identities of other Data Fiduciaries and Processors it was shared with (Section 11) |
| Correction | Yes (Article 16) | Yes (Section 12), including completing or updating incomplete or misleading data |
| Erasure | Right to erasure ("right to be forgotten") with defined exceptions (Article 17) | Right to erasure once consent is withdrawn or the purpose is served, unless retention is required by law (Section 12) |
| Data portability | Yes, in a machine-readable format (Article 20) | Not defined in the current Act text |
| Restriction of processing | Yes (Article 18) | Not defined |
| Right to object | Yes, notably to direct marketing (Article 21) | Via consent withdrawal only (no standalone right) |
| Grievance redressal | Complaint to a supervisory authority (Article 77) | Yes (Section 13): the Fiduciary must provide a readily available grievance mechanism, which must be used before approaching the Board |
| Nomination | Not present | Yes, unique to DPDP: nominate someone to exercise rights after death or incapacity (Section 14) |
DPDP Act Section 14 allows Data Principals to nominate another individual to exercise their rights in case of death or incapacity. No equivalent exists in GDPR. Indian organisations must build this into their data subject rights request process.
Consent Management: Where the Frameworks Diverge Most
- GDPR: Consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give (Articles 4(11) and 7). Pre-ticked boxes and bundled consent are invalid.
- DPDP Act: Goes further. The notice and the consent request must be available in English or any of the languages in the Eighth Schedule to the Constitution (Sections 5(3) and 6(3)). Consent Managers (Sections 6(7) to 6(9)) are intermediaries registered with the Board through which individuals can manage consents across multiple organisations from a single platform.
- ISO 27701 (Clauses 7.2.3, 7.2.4 and 7.3.4): Requires mechanisms to obtain, record, and modify or withdraw consent, but defers to GDPR or DPDP for the specific standard. Build the consent system to the more stringent of the applicable regulations.
Breach Notification: Timelines and Thresholds
- GDPR: Notify the supervisory authority within 72 hours of becoming aware, where feasible (Article 33); notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34). Every breach, notified or not, must be documented.
- DPDP Act (Section 8(6)): Must notify the Data Protection Board and each affected Data Principal, but the form and timeline will be prescribed in the Rules, which are still pending. Build for 72 hours to be safe.
- ISO 27701: Requires a documented incident response process that covers personal data breaches; the timeline comes from the applicable regulation. The standard ensures the operational capability to detect, assess, and notify within the required window.
Cross-Border Data Transfers: Fundamentally Different Approaches
- GDPR (Chapter V): Restrictive and adequacy-based. Transfers outside the EEA are permitted only to countries with an adequacy decision, under appropriate safeguards (SCCs, BCRs), or under the narrow Article 49 derogations. Safeguard-based transfers also require a Transfer Impact Assessment.
- DPDP Act (Section 16): Permissive. Transfers are allowed to any country except those the Central Government specifically restricts by notification. This is the inverse of the GDPR model and one of the most significant structural differences.
- ISO 27701 (Clause 7.5): Requires you to identify the basis for each cross-border transfer, record the countries involved, and apply safeguards per the applicable regulation. For GDPR that means SCCs or another Chapter V mechanism; for DPDP it means checking the destination against the restricted-country list once it is published.
The Core Overlap: Where All Three Align
| Requirement | ISO 27701 | GDPR | DPDP Act |
|---|---|---|---|
| Lawful basis for processing | ✓ Document and enforce | ✓ Required (6 bases, Article 6) | ✓ Required (consent or Section 7 legitimate use) |
| Record of Processing Activities | ✓ RoPA required | ✓ Article 30 | ✓ Not explicit; implied by accountability (Section 8) |
| Data subject rights | ✓ Operational process | ✓ 8 rights (Chapter III) | ✓ Sections 11 to 14, incl. Nomination |
| Consent management | ✓ Mechanism required | ✓ Defined standard (Articles 4(11), 7) | ✓ Stricter notice and language requirements |
| Data minimisation | ✓ Control required | ✓ Article 5(1)(c) | ✓ Section 6(1) |
| Purpose limitation | ✓ Control required | ✓ Article 5(1)(b) | ✓ Section 6(1) |
| Breach notification | ✓ IR process required | ✓ 72 hours to the supervisory authority | ✓ Section 8(6); timeline TBD in the Rules |
| Security measures for PII | ✓ Technical and organisational controls | ✓ Article 32 | ✓ Section 8(5) |
| Vendor / processor obligations | ✓ DPA requirements | ✓ Article 28 | ✓ Section 8(2): processors only under a valid contract |
| Privacy by design | ✓ Clause 7.4 (privacy by design and by default) | ✓ Article 25 | ✓ Implied under accountability |
Key Divergences: What You Must Manage Separately
- Cross-border transfer mechanisms: GDPR requires adequacy, SCCs or another Chapter V mechanism; DPDP uses a restricted-country list. Your transfer procedures need to handle both.
- Consent language and notice: DPDP requires notices in English or an Eighth Schedule language; GDPR requires plain, intelligible language but mandates no specific language. Your consent management system needs language preferences for DPDP.
- Significant Data Fiduciary obligations: designation as an SDF (Section 10) brings an India-based DPO, an independent data audit, periodic DPIAs and other measures. GDPR has its own DPO and DPIA triggers (Articles 37 and 35) but no designation regime and no independent data audit requirement.
- Right of Nomination: Unique to DPDP. Requires a specific intake and verification workflow.
- Children's data thresholds: GDPR requires parental consent under 16, which member states may lower to 13 (Article 8). DPDP requires verifiable parental consent under 18 and prohibits tracking, behavioural monitoring and targeted advertising directed at children (Section 9).
Building a Unified Compliance Strategy
The most efficient approach: use ISO 27701 as the operational backbone and manage regulation-specific requirements as extensions:
- Implement ISO 27701 as your privacy management framework: a certified, auditable foundation that satisfies the operational requirements of both GDPR and DPDP.
- Maintain regulation-specific annexes to your RoPA that tag each processing activity with the regulations that apply to it and the specific legal basis under each.
- Build your data subject rights process to handle the superset of rights across both regulations, including the DPDP Nomination right.
- Run parallel consent notice templates: one GDPR-compliant, one DPDP-compliant (with language options).
- Maintain separate transfer documentation for GDPR (SCCs, Transfer Impact Assessments) and DPDP (a cross-border transfer register checked against the restricted-country list).
- Track your DPDP Significant Data Fiduciary status. If designated, activate additional controls as a defined workstream within your PIMS.
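As an added worked example (not part of the original article), the following Python script shows what "ISO 27701 as the backbone, regulations as extensions" looks like when expressed as policy-as-code: each RoPA entry carries a regime-tagged legal-basis annex, and the GDPR and DPDP rules from the sections above are applied to it as separate checks (Article 6 bases versus consent or a Section 7 use, the adequacy/safeguard model versus the restricted-country list, and the differing children's-data thresholds). The EEA and adequacy sets are illustrative subsets, the DPDP restricted list is an empty placeholder until it is notified, and the sample RoPA entries are constructed; all of these are assumptions to be replaced with your own reference data.

```python
"""Policy-as-code check of ISO 27701 RoPA entries against GDPR and DPDP rules.
Added example; the country sets below are ASSUMPTIONS (illustrative subsets)."""
from __future__ import annotations
from dataclasses import dataclass, field

# GDPR Article 6 lawful bases and DPDP Section 7 "legitimate uses".
GDPR_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}
DPDP_LEGITIMATE_USES = {"voluntary_provision", "state_function", "legal_obligation",
                        "court_order", "medical_emergency", "epidemic", "disaster",
                        "employment"}
# ASSUMPTION: illustrative subsets. Load the full EEA list and the Commission's
# current adequacy decisions from your own reference data before relying on this.
EEA = {"DE", "FR", "IE", "NL", "IT", "ES", "PL", "SE", "NO", "IS", "LI"}
EU_ADEQUACY = {"UK", "JP", "CH"}
GDPR_SAFEGUARDS = {"SCC", "BCR"}
DPDP_RESTRICTED: set[str] = set()   # Section 16 list: placeholder until notified
GDPR_CHILD_AGE_MIN = 13             # Article 8: 16 by default, states may lower to 13
DPDP_CHILD_AGE = 18                 # Section 9
Finding = tuple[str, str]           # (regime, message)

@dataclass
class Transfer:
    destination: str              # ISO 3166-1 alpha-2 code
    safeguard: str | None = None  # "SCC" or "BCR" for GDPR transfers outside the EEA
    tia_done: bool = False        # transfer impact assessment on file

@dataclass
class RopaEntry:
    name: str
    regimes: set[str]                  # regulations this activity falls under
    legal_basis: dict[str, str]        # regime-specific annex, e.g. {"GDPR": "contract"}
    legitimate_use: str | None = None  # DPDP Section 7 category if basis is "legitimate_use"
    balancing_test_done: bool = False  # GDPR legitimate-interests assessment on file
    transfers: list[Transfer] = field(default_factory=list)
    children_data: bool = False
    parental_consent_below_age: int = 0  # age under which parental consent is taken
    behavioural_tracking: bool = False

def check_legal_basis(e: RopaEntry) -> list[Finding]:
    # GDPR: any Article 6 basis (legitimate interests needs a balancing test).
    # DPDP: consent or a Section 7 use only; there is no balancing-test route.
    out: list[Finding] = []
    if "GDPR" in e.regimes:
        basis = e.legal_basis.get("GDPR")
        if basis not in GDPR_BASES:
            out.append(("GDPR", f"{e.name}: no valid Article 6 basis recorded"))
        elif basis == "legitimate_interests" and not e.balancing_test_done:
            out.append(("GDPR", f"{e.name}: legitimate interests without a balancing test"))
    if "DPDP" in e.regimes:
        basis = e.legal_basis.get("DPDP")
        if basis == "legitimate_use" and e.legitimate_use not in DPDP_LEGITIMATE_USES:
            out.append(("DPDP", f"{e.name}: '{e.legitimate_use}' is not a Section 7 use"))
        elif basis not in ("consent", "legitimate_use"):
            out.append(("DPDP", f"{e.name}: needs consent or a Section 7 legitimate use"))
    return out

def check_transfers(e: RopaEntry) -> list[Finding]:
    # GDPR: EEA or adequacy, otherwise SCC/BCR plus a TIA (restricted by default).
    # DPDP: anywhere except a restricted country (permitted by default).
    out: list[Finding] = []
    for t in e.transfers:
        dest = t.destination.upper()
        if "GDPR" in e.regimes and dest not in EEA | EU_ADEQUACY:
            if t.safeguard not in GDPR_SAFEGUARDS:
                out.append(("GDPR", f"{e.name}: transfer to {dest} needs SCCs or BCRs"))
            elif not t.tia_done:
                out.append(("GDPR", f"{e.name}: transfer to {dest} lacks a TIA"))
        if "DPDP" in e.regimes and dest in DPDP_RESTRICTED:
            out.append(("DPDP", f"{e.name}: {dest} is on the Section 16 restricted list"))
    return out

def check_children(e: RopaEntry) -> list[Finding]:
    out: list[Finding] = []
    if not e.children_data:
        return out
    if "GDPR" in e.regimes and e.parental_consent_below_age < GDPR_CHILD_AGE_MIN:
        out.append(("GDPR", f"{e.name}: Article 8 parental-consent age below 13"))
    if "DPDP" in e.regimes:
        if e.parental_consent_below_age < DPDP_CHILD_AGE:
            out.append(("DPDP", f"{e.name}: Section 9 needs verifiable parental consent under 18"))
        if e.behavioural_tracking:
            out.append(("DPDP", f"{e.name}: Section 9 prohibits tracking children"))
    return out

def assess(entries: list[RopaEntry]) -> list[Finding]:
    return [f for e in entries
            for f in check_legal_basis(e) + check_transfers(e) + check_children(e)]

# Constructed sample RoPA entries (not real processing activities).
SAMPLE_ROPA = [
    RopaEntry("crm_sync", {"GDPR", "DPDP"}, {"GDPR": "contract", "DPDP": "consent"},
              transfers=[Transfer("US", safeguard="SCC", tia_done=True), Transfer("SG")]),
    RopaEntry("product_analytics", {"GDPR", "DPDP"},
              {"GDPR": "legitimate_interests", "DPDP": "legitimate_use"},
              legitimate_use="analytics", transfers=[Transfer("US")]),
    RopaEntry("kids_learning_app", {"DPDP"}, {"DPDP": "consent"}, children_data=True,
              parental_consent_below_age=16, behavioural_tracking=True),
]
```

Running `assess(SAMPLE_ROPA)` yields six findings, three per regime: the CRM sync's Singapore transfer has no GDPR safeguard, the analytics activity fails on both sides (no balancing test under GDPR, and "analytics" is not a Section 7 use under DPDP, which is exactly the divergence described above), and the children's app trips both DPDP Section 9 rules. Keeping each regime's logic in its own branch is what lets the same RoPA entry serve as evidence under ISO 27701 while the regime-specific extensions evolve independently, for example when the DPDP restricted list is finally notified.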
ISO 27701, GDPR, and DPDP are not competing frameworks; they are complementary layers. Invest in the ISO 27701 foundation first. It is the most efficient path to demonstrating privacy maturity across all three simultaneously.
Frequently Asked Questions
Does ISO 27701 certification mean we are GDPR compliant?
No. ISO 27701 certification demonstrates that you have a structured, auditable privacy management system. GDPR compliance is a legal determination that depends on how you actually process data, and ISO 27701 is not an approved certification mechanism under GDPR Article 42. It does, however, provide strong third-party evidence of the accountability and readiness that regulators and enterprise buyers look for.
Can one programme cover ISO 27701, GDPR and DPDP?
Yes, to a significant extent. The core overlap is substantial: lawful basis, data subject rights, consent management, breach notification, data minimisation, and purpose limitation are requirements across all three. The divergences (cross-border transfer mechanisms, consent language, the Nomination right, SDF obligations) must be managed as targeted extensions, not separate programmes.
What is the biggest structural difference between GDPR and the DPDP Act?
Cross-border data transfers. GDPR uses an adequacy-based model in which transfers are restricted by default and require an adequacy decision or a recognised safeguard. DPDP uses a restricted-country model in which transfers are permitted by default unless the destination country is specifically restricted. The two models are inverses of each other, with significant implications for global data flows.
Do we need all three?
If you process data of both EU and Indian individuals, you are subject to both GDPR and DPDP; these are not optional. ISO 27701 is voluntary but provides the operational framework that makes complying with both regulations efficient. For organisations subject to both, the reduction in duplicated effort is usually what justifies the ISO 27701 investment.
What is the DPDP right of nomination?
DPDP Act Section 14 allows Data Principals to nominate another individual to exercise their data rights in the event of death or incapacity. There is no equivalent in GDPR. Organisations subject to DPDP must build a specific nomination intake, verification, and activation workflow into their data subject rights process. This is one of the most commonly overlooked DPDP-specific requirements.