I sell internationally, do I also need to worry about GDPR on top of DPDP?
The short answer
Yes, if you have even one EU customer, GDPR applies extraterritorially regardless of where your business is registered, and DPDP compliance doesn't automatically satisfy it, since the two laws diverge on the lawful-basis framework, the 72-hour breach notification window, and the requirement to appoint an EU-based representative unless you qualify for an exemption. India doesn't currently have an EU 'adequacy' decision, so any EU customer data you pull back to India for processing technically needs a transfer safeguard like Standard Contractual Clauses. If EU/US sales are a small fraction of revenue, a GDPR-aware consent platform plus a lawyer-reviewed policy addendum is more proportionate than building a full parallel compliance program.
A quick summary to orient you. The real value is below: the resources worth your time, from people who've actually done it, not us.
Here are the resources
Hand-picked from around the web, each with a note on why it earns your time. India-specific ones carry a badge.
3 resources1 India-specific3 link-checked
Read
📄 Article
✓ Link checkedFreeAdvanced
Why we picked it
Specifically addresses the India angle of GDPR, extraterritorial reach, EU representative requirement, and cross-border transfer mechanics, rather than a generic GDPR overview that ignores where you're actually based.
Why we picked it
Written from an Indian ecommerce operations lens rather than a pure legal one, useful for thinking through what changes in your actual order-processing and CRM workflow, not just your policy document.
Why we picked it
A global law firm's action-step framing is useful precisely because it's written for businesses operating across multiple jurisdictions, a good structure if you're already juggling GDPR or US state laws alongside DPDP.