Regulations hub
From India's DPDP Act to the EU AI Act — we explain what each framework requires, who it applies to, how the regulations interconnect, and exactly how Padmaura Digital Trust helps your organisation comply.
India's landmark data protection legislation — the first comprehensive law governing the processing of digital personal data in India. It applies to any organisation that processes the personal data of Indian residents, whether the organisation is based in India or overseas.
Personal data may only be processed for a lawful purpose — either with the Data Principal's consent or for specified legitimate uses. Consent must be free, specific, informed, and unconditional. Organisations must appoint or integrate a registered Consent Manager where consent is the basis.
Data may only be used for the purpose for which consent was obtained or the legitimate use was specified. Only the data necessary for that purpose may be collected and processed — no excessive collection, no repurposing without fresh consent.
Every individual (Data Principal) has the right to access a summary of their personal data, the right to correct or erase inaccurate or unnecessary data, the right to grievance redressal, and the right to nominate another person to exercise rights in the event of death or incapacity.
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. In the event of a breach, the Data Protection Board of India and affected Data Principals must be notified in the prescribed manner and within the prescribed timelines.
Every Data Fiduciary must establish a grievance redressal mechanism with a designated contact for Data Principals to raise complaints. Grievances must be acknowledged and resolved within the timelines prescribed by the Central Government. Unresolved grievances can be escalated to the Data Protection Board.
Organisations designated by the Central Government as Significant Data Fiduciaries face enhanced obligations — including periodic Data Protection Impact Assessments, independent Data Audits, appointment of a Data Protection Officer reporting to the board, and an Algorithmic Accountability Assessment.
The DPDP Act applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to Data Principals in India. The Act is therefore extraterritorial: an organisation based overseas that processes Indian residents' personal data in that context is in scope.
The world's first comprehensive legal framework for artificial intelligence — establishing risk-based rules for AI systems placed on the EU market. It applies to any provider or deployer of AI systems used in the EU, regardless of where they are headquartered.
AI systems that pose an unacceptable risk to safety, livelihoods, and rights are banned outright. This includes social scoring by governments, real-time biometric identification in public spaces (with narrow exceptions), and AI systems that exploit vulnerabilities to manipulate behaviour.
AI systems in critical sectors (healthcare, education, employment, critical infrastructure, law enforcement, migration, justice) face strict requirements: risk management systems, technical documentation, data governance, human oversight mechanisms, accuracy and robustness standards, and conformity assessment before market placement.
Limited-risk AI systems that interact with people (chatbots, emotion recognition) or generate synthetic media (deepfakes) carry transparency obligations: users must be told they are interacting with an AI, and AI-generated content must be marked as such. These obligations are lighter than those for high-risk systems but are legally binding.
Most AI systems (spam filters, AI-enabled games, inventory management) fall into the minimal-risk category and face no mandatory requirements, though compliance with voluntary codes of practice is encouraged.
Detailed technical documentation must be prepared before market placement and kept up to date — covering system purpose, design logic, data used, capabilities and limitations, accuracy metrics, and intended deployment context.
High-risk AI systems must be designed and developed to allow effective oversight by humans. Operators must be able to monitor operations, intervene, interrupt, or override the system. Oversight mechanisms must be documented and implemented — not merely stated in policy.
A continuous risk management system must be established, implemented, documented, and maintained throughout the AI system lifecycle — identifying and analysing known and reasonably foreseeable risks, evaluating risks under intended use and reasonably foreseeable misuse.
Before placing a high-risk AI system on the EU market, providers must conduct a conformity assessment — either self-assessment or third-party, depending on the use case. A declaration of conformity must be drawn up and a CE marking affixed. Providers must also register in the EU AI database.
The EU's comprehensive data protection law — the gold standard for privacy regulation globally. It applies to any organisation that processes the personal data of EU residents, regardless of where the organisation is based. For Indian organisations with EU clients, customers, or employees, GDPR compliance is mandatory.
Personal data must be processed lawfully (on one of six lawful bases), fairly, and in a transparent manner. Data subjects must be informed about how their data is used through clear, accessible privacy notices.
Data collected for specified, explicit, and legitimate purposes must not be further processed in a manner incompatible with those purposes. Repurposing data requires a fresh lawful basis or a compatibility assessment.
Only data that is adequate, relevant, and limited to what is necessary should be collected. Data must be kept accurate and up to date. Personal data should not be retained for longer than necessary for the stated purpose — requiring a clear, documented retention schedule.
Data must be processed with appropriate technical and organisational security measures. Organisations must demonstrate compliance proactively — maintaining records of processing activities, conducting DPIAs for high-risk processing, and implementing privacy by design and default.
ISO 27701 maps directly to GDPR Articles 5–49
ISO 27701 was designed to operationalise GDPR (and other privacy laws) into an auditable, certifiable management system. Every PIMS engagement Padmaura Digital Trust delivers produces GDPR-ready documentation as standard — your Records of Processing Activities, Data Processing Agreements, Privacy Notices, DPIA templates, and breach response procedures are all GDPR-compliant upon delivery. ISO 27701 certification is internationally recognised as the strongest demonstrable evidence of GDPR accountability.
The world's first internationally recognised, certifiable standard for AI governance. ISO 42001 provides a structured framework for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) — applicable to any organisation that develops, deploys, or uses AI.
ISO 42001 follows the High Level Structure used by ISO 27001 and ISO 9001 — covering organisational context, leadership and commitment, planning, support (resources, competence, awareness), operations, performance evaluation, and continual improvement. Organisations already certified to other ISO standards will find the structure familiar.
38 AI-specific controls covering nine governance areas: policies related to AI, internal organisation, resources for AI systems, assessing AI systems' impact, AI system lifecycle, data for AI systems, information for interested parties about AI systems, use of AI systems by affected parties, and third-party and customer relationships.
ISO 42001 requires a formal assessment of the potential impacts of AI systems on individuals and society. This is both a management system requirement and a control — producing documented evidence that impact has been considered, assessed, and managed at every stage of the AI lifecycle.
ISO 42001 controls map directly to EU AI Act requirements for high-risk AI systems — including risk management, technical documentation, human oversight, data governance, and accuracy standards. Achieving ISO 42001 certification is widely recognised as the most structured path to demonstrating EU AI Act compliance.
The international standard for Privacy Information Management Systems (PIMS) — an extension to ISO 27001 that provides a certifiable privacy governance framework. ISO 27701 maps directly to GDPR and aligns with the DPDP Act, making it the most efficient path to multi-framework privacy compliance.
ISO 27701 extends the ISO 27001 Information Security Management System with privacy-specific requirements and controls. Organisations must hold (or implement alongside) ISO 27001 certification to achieve ISO 27701 certification. If you already have ISO 27001, your PIMS implementation is significantly accelerated.
Controls for organisations acting as Data Controllers — covering conditions for collection and processing, obligations to data subjects (rights fulfilment), privacy by design and default, data sharing and transfers, and privacy impact assessments. Maps directly to GDPR controller obligations.
Controls for organisations acting as Data Processors — covering conditions for processing, processing agreements, obligations to Data Controllers, data subject rights support, and sub-processor management. Directly addresses GDPR Article 28 processor requirements and DPDP Act processor obligations.
ISO 27701 provides an explicit mapping to GDPR requirements — each Annex A and B control is cross-referenced to the relevant GDPR articles. This means ISO 27701 certification is internationally recognised as evidence of GDPR accountability — a powerful tool in regulator engagements and client due diligence.
One PIMS implementation — three frameworks satisfied
Understanding how the frameworks intersect is as important as understanding each one individually. The most efficient compliance programmes address multiple regulations through a single integrated engagement.
The EU AI Act defines what high-risk AI systems must achieve. ISO 42001 provides the certifiable management system that demonstrates how. Every AIMS engagement Padmaura Digital Trust delivers maps ISO 42001 controls to EU AI Act obligations — producing both a certified management system and documented EU AI Act alignment.
ISO 27701 was designed specifically to operationalise GDPR into an auditable management system. Achieving ISO 27701 certification is internationally recognised as evidence of GDPR accountability — and every PIMS engagement delivers GDPR-ready documentation as standard, with no additional effort required.
The DPDP Act establishes obligations but does not prescribe how to operationalise them. ISO 27701 provides the practical framework — data mapping, consent management, rights fulfilment processes, and breach response procedures — that makes DPDP compliance auditable, sustainable, and demonstrable to regulators.
Both frameworks are built on consent, purpose limitation, data minimisation, and individual rights. Organisations with both Indian and EU operations can achieve dual compliance efficiently through a single ISO 27701 PIMS implementation — one documented programme that satisfies both regulators.
An AI system that processes the personal data of Indian residents while operating in the EU market must comply with both the DPDP Act (for the Indian data) and the EU AI Act (for the EU market access). Our integrated AIMS + PIMS engagements address both simultaneously.
AI systems consume personal data. Governing AI without governing privacy — or vice versa — leaves critical gaps. Padmaura Digital Trust's integrated AIMS + PIMS engagements deliver both standards together: one team, one documentation suite, one certification programme — at 30–40% lower cost than sequential implementations.
Get expert guidance
A 30-minute scoping call with Padmaura Digital Trust maps every regulation that applies to your organisation, explains how they intersect, and gives you a clear, practical roadmap. No obligation, no jargon.