DPDP Act vs GDPR: Key Differences Indian Companies Must Know
Introduction
As India's DPDP Act 2023 takes effect, many enterprises are asking: how does it compare to Europe's General Data Protection Regulation (GDPR)? For multinational companies operating in both jurisdictions, understanding the similarities and differences is critical for designing an efficient compliance programme that satisfies both laws simultaneously.
While the DPDP Act draws significant inspiration from the GDPR — both are rooted in rights-based data protection principles — there are meaningful differences in scope, legal bases, enforcement, and technical requirements that organisations must understand.
Overview: Two Laws, One Goal
Both the GDPR (in force since 25 May 2018) and the DPDP Act (enacted in August 2023, with its provisions brought into force on dates notified by the central government) share the fundamental goal of protecting individuals' personal data and giving people control over how their information is used. Both create a framework of rights for data subjects (GDPR) or Data Principals (DPDP Act) and obligations for the organisations that process data.
However, India and the EU have taken different approaches to achieving this goal — influenced by their different legal traditions, regulatory environments, and stages of digital economy development.
Side-by-Side Comparison
| Aspect | DPDP Act 2023 (India) | GDPR (European Union) |
|---|---|---|
| Scope | Digital personal data only | All personal data — digital and non-digital |
| Territorial Reach | Processing in India + offering goods/services to Indians | Processing in EU + targeting EU individuals |
| Legal Bases for Processing | Consent + the "certain legitimate uses" enumerated in Section 7 | Consent + 5 other lawful bases under Article 6 (contract, legal obligation, vital interests, public task, legitimate interests) |
| Legitimate Interests Basis | Not available as a standalone basis | Available — widely used by businesses |
| Data Protection Officer | Only for Significant Data Fiduciaries | Required for public authorities and for organisations whose core activities involve large-scale regular monitoring or large-scale special-category data (Article 37) |
| Data Protection Impact Assessments | Only for Significant Data Fiduciaries | Required for high-risk processing activities |
| Right to Data Portability | Not included | Included |
| Right to Object | Not explicitly included | Included |
| Right to Nomination | Included (unique to DPDP Act) | Not included |
| Children's Age Threshold | Below 18 years | Below 16 years (member states can lower to 13) |
| Cross-Border Transfers | Permitted unless restricted by government notification | Requires adequacy decision, SCCs, BCRs, or other safeguards |
| Penalties | Up to ₹250 crore per instance of breach (fixed caps set in the Schedule) | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Supervisory Authority | Data Protection Board of India (to be constituted) | Independent Data Protection Authorities in each EU member state |
| Extraterritorial Application | Yes — for targeting Indian individuals | Yes — for targeting EU individuals |
Key Similarities
Consent Requirements
Both laws require that consent be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consents, and vague language are invalid under both frameworks. Organisations must be able to demonstrate that valid consent was obtained.
Data Minimisation and Purpose Limitation
Both laws prohibit collecting more data than necessary and restrict using data for purposes beyond those originally stated. An organisation that builds data lakes without specific purposes would violate both laws.
Security Obligations
Both require appropriate technical and organisational security measures. While neither law prescribes specific technical controls, frameworks like ISO 27001 are widely accepted as evidence of compliance with the security obligations of both laws.
Breach Notification
Both laws require notification in the event of a personal data breach. Under the GDPR, the supervisory authority must be notified within 72 hours of becoming aware of the breach (Article 33), and affected individuals only where the breach is likely to result in a high risk to their rights (Article 34). The DPDP Act (Section 8(6)) requires notification of both the Data Protection Board and each affected Data Principal, with no risk threshold, and leaves the form, manner and timelines to the Rules.
Data Subject/Principal Rights
Both laws give individuals meaningful rights over their data including the right to access, correct, and erase their data. The GDPR provides a broader set of rights (portability, objection, restriction of processing) that the DPDP Act does not currently match.
Key Differences — What Indian Companies Must Note
1. Scope — Digital vs All Data
The GDPR applies to all personal data, including physical files, paper records, and CCTV footage. The DPDP Act applies only to digital personal data, although Section 3 also brings in data that was collected in non-digital form and digitised later, so a paper form that is scanned or keyed into a system falls within its scope. A company subject only to the DPDP Act therefore has no statutory obligation over purely non-digital records; a company that is also subject to the GDPR must apply GDPR standards to those records regardless.
2. Legitimate Interests — Missing in DPDP Act
The GDPR's 'legitimate interests' basis (Article 6(1)(f)) allows organisations to process data without consent where their interests are not overridden by the individual's interests and fundamental rights. It is widely used for fraud prevention, direct marketing, and network and information security, all of which the GDPR recitals cite as examples. The DPDP Act has no such basis: Indian Data Fiduciaries must rely on consent or on one of the enumerated legitimate uses in Section 7 (for example, employment-related processing or responding to a medical emergency). For companies moving from GDPR to DPDP compliance, each processing activity previously justified by legitimate interests must be re-mapped to a Section 7 use or, where none fits, covered by fresh consent.
3. Cross-Border Transfer Rules
The GDPR has a detailed transfer framework under Chapter V: personal data may leave the EU only to countries with an adequacy decision or under safeguards such as Standard Contractual Clauses or Binding Corporate Rules. The DPDP Act (Section 16) takes the opposite approach: transfers are permitted by default unless the central government restricts specific countries by notification. This is significantly more permissive than the GDPR and makes India attractive for global data operations. Two caveats apply. Section 16(2) preserves any other Indian law that imposes stricter transfer limits, so sector-specific localisation mandates (for example RBI requirements on payment system data) continue to apply. And the Data Fiduciary remains responsible for the data wherever it is processed, so contractual safeguards with overseas processors are still necessary.
4. Penalties — Structure Differs
GDPR penalties are calculated as the higher of a fixed euro amount or a percentage of global annual turnover, meaning a large multinational can face penalties of hundreds of millions of euros. DPDP Act penalties are capped at fixed rupee amounts set out in the Schedule (up to ₹250 crore for failing to take reasonable security safeguards, with lower caps for other categories), which may be lower for very large companies but are still substantial for Indian businesses. Note that where several GDPR infringements arise from the same or linked processing operations, Article 83(3) caps the total fine at the amount for the gravest infringement, so the real driver of higher GDPR exposure is the 4% turnover ceiling rather than stacking of fines. Under the DPDP Act, by contrast, each instance of breach attracts its own penalty up to the applicable cap.
Dual Compliance — Strategy for Companies Operating in Both Jurisdictions
- Build your compliance programme around GDPR as the baseline — this covers the DPDP Act in most areas
- Add India-specific elements — DPDP Act breach notification procedures, Legitimate Use basis mapping, and children's data verification at age 18 (vs 16 for GDPR)
- Review consent mechanisms for India — ensure consent is obtained separately for Indian users where GDPR legitimate interests was used
- Implement DPDP-specific rights — particularly the Right to Nominate, which has no GDPR equivalent
- Monitor DPDP Rules as they are notified — they may introduce requirements that diverge from GDPR
How Vedtam Can Help
Whether your organisation needs standalone DPDP Act compliance or a dual DPDP/GDPR compliance programme, Vedtam's consulting team brings expertise in both Indian and international data protection frameworks. We help you design a unified compliance architecture that satisfies both laws efficiently — without duplicating effort.
Visit vedtam.com/consulting/dpdp-act-consulting-services/ or vedtam.com/consulting/gdpr-consulting-services/ for more details.
Need help with DPDP or GDPR compliance? Contact Vedtam: vedtam.com/contact/ | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India