Migration

Running a GDPR tool for India?

Here's what you're still missing.

A GDPR platform will cover the parts of the DPDP Act that look like GDPR. The exposure is everywhere India's law is its own — the notice gate, the §7 sub-grounds, the 22 languages, the DPBI breach workflow, Consent Manager eligibility, and INR + residency. Here's exactly what you're still missing, and how to close it.

Run a Free Readiness Check DPDP-native vs GDPR-adapted →

The six gaps

What a GDPR tool leaves open under DPDP.

Each of these is a place where GDPR has no equivalent — or a materially different one — so a GDPR-first tool has nothing to map it onto.

Rule 3 notice gate

DPDP Rule 3 requires a standalone, multilingual, version-locked notice published before processing. GDPR's transparency obligation is satisfied differently, so the GDPR tool has no publish gate enforcing the six Rule 3 readiness checks.

§7 legitimate-use sub-grounds

DPDP's eight §7 sub-grounds allow processing without consent and must never appear in a notice or be consent-collected. A GDPR model maps them onto its lawful bases and risks recording consent that shouldn't exist.

22-language notices

Rule 3 notices must be available in English plus any of the 22 Eighth Schedule languages. A GDPR tool ships the EU language set; India's languages become a manual translation backlog and a compliance gap.

DPBI 72h breach workflow

§8(6) requires notification to the Data Protection Board within 72 hours with India-specific content. A GDPR breach module targets a different authority and template — the countdown discipline doesn't transfer.

Rule 4 Consent Manager eligibility

Consent Manager registration under Rule 4 is open only to India-incorporated entities meeting residency and interoperability obligations. A foreign-incorporated GDPR tool simply cannot participate.

INR + India residency

DPDP-sensitive deployments expect INR contracting and India-resident storage with no cross-border transfer. A GDPR tool defaults to EUR/USD and an EU region — both are gaps for an India-first compliance posture.

The migration path

Close the gaps without a risky cutover.

You don't rip out the GDPR tool on day one. You run Vishwaas alongside it, prove the evidence, then cut over once the DPDP surface is live.

Step 1

Parallel run

Stand up Vishwaas on ap-south-1 next to your existing tool. Import your processing activities, split §6 consent from §7 legitimate use, and start capturing hash-chained consent for India data principals — without disturbing the GDPR system.

Step 2

Close the six gaps

Publish Rule 3 notices in the Eighth Schedule languages, wire the DPBI 72-hour breach workflow, and prepare the Consent Manager interoperability posture. Each gap from above becomes a live workflow, validated against real data.

Step 3

Cutover

Once the DPDP surface is producing independently verifiable evidence and your DPR + breach workflows are running on it, retire the India scope from the GDPR tool. The GDPR platform keeps doing what it does well — for the EU.

Map your gaps in 20 minutes.

Bring your current GDPR tool and your India obligations. We'll show you exactly which of the six gaps apply and what the parallel run looks like for your estate.

Book a Migration Walkthrough Run the Readiness Gap Analyser →