As India's DPDP Act 2023 takes effect, many enterprises are asking: how does it compare to Europe's General Data Protection Regulation (GDPR)? For multinational companies operating in both jurisdictions, understanding the similarities and differences is critical for designing an efficient compliance programme that satisfies both laws simultaneously.
While the DPDP Act draws significant inspiration from the GDPR — both are rooted in rights-based data protection principles — there are meaningful differences in scope, legal bases, enforcement, and technical requirements that organisations must understand.
Both the GDPR (applicable since 25 May 2018) and the DPDP Act (enacted in August 2023, with its provisions commencing on government notification) share the fundamental goal of protecting individuals' personal data and giving people control over how their information is used. Both create a framework of rights for data subjects (GDPR) or Data Principals (DPDP Act) and obligations for the organisations that process their data.
However, India and the EU have taken different approaches to achieving this goal — influenced by their different legal traditions, regulatory environments, and stages of digital economy development.
| Aspect | DPDP Act 2023 (India) | GDPR (European Union) |
|---|---|---|
| Scope | Digital personal data only, including data collected offline and subsequently digitised | All personal data, digital and non-digital |
| Territorial Reach | Processing within India, plus processing outside India connected with offering goods or services to Data Principals in India | Processing by EU establishments, plus offering goods/services to, or monitoring the behaviour of, individuals in the EU |
| Legal Bases for Processing | Consent + "certain legitimate uses" (the 9 categories in Section 7) | Consent + 5 other lawful bases (legitimate interests, contract, legal obligation, vital interests, public task) |
| Legitimate Interests Basis | Not available as a standalone basis | Available — widely used by businesses |
| Data Protection Officer | Only for Significant Data Fiduciaries (DPO must be based in India) | Required for public authorities and for organisations whose core activities involve large-scale regular monitoring or large-scale special-category data |
| Data Protection Impact Assessments | Only for Significant Data Fiduciaries | Required for high-risk processing activities |
| Right to Data Portability | Not included | Included |
| Right to Object | Not explicitly included | Included |
| Right to Nomination | Included (unique to DPDP Act) | Not included |
| Children's Age Threshold | Below 18 years | Below 16 years (member states can lower to 13) |
| Cross-Border Transfers | Permitted unless restricted by government notification | Requires adequacy decision, SCCs, BCRs, or other safeguards |
| Penalties | Up to ₹250 crore per instance (Schedule to the Act) | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Supervisory Authority | Data Protection Board of India (to be constituted) | Independent Data Protection Authorities in each EU member state |
| Extraterritorial Application | Yes — for targeting Indian individuals | Yes — for targeting EU individuals |
Both laws require that consent be freely given, specific, informed, and unambiguous; the DPDP Act additionally requires it to be unconditional and signified by a clear affirmative action. Pre-ticked boxes, bundled consents, and vague language are invalid under both frameworks. In both, the burden of proving that valid consent was obtained sits with the organisation, so consent records (what was shown, when, and what the individual agreed to) must be kept.
Both laws prohibit collecting more personal data than is necessary for the stated purpose and restrict using that data for purposes beyond those originally stated. An organisation that pools personal data into a data lake with no specified purpose, on the expectation of finding a use for it later, would violate both laws.
Both require appropriate technical and organisational security measures: "reasonable security safeguards" under the DPDP Act and measures "appropriate to the risk" under the GDPR. Neither law mandates a specific control set, although the GDPR names pseudonymisation, encryption, resilience and regular testing as examples. Certification against a recognised framework such as ISO 27001 is widely accepted as evidence that the security obligation has been addressed, but it is evidence, not a safe harbour; the controls must actually fit the data being processed.
Both laws require notification in the event of a personal data breach, to the supervisory authority and to affected individuals. The GDPR specifies 72 hours for authority notification (where feasible) and requires individual notification only where the breach is likely to result in a high risk to them. The DPDP Act requires the Data Fiduciary to notify the Board and each affected Data Principal with no risk threshold, and leaves the form, manner and timelines to the Rules. A dual-compliance incident response plan therefore cannot reuse the GDPR "high risk" trigger to decide whether Indian individuals are told.
Both laws give individuals meaningful rights over their data including the right to access, correct, and erase their data. The GDPR provides a broader set of rights (portability, objection, restriction of processing) that the DPDP Act does not currently match.
The GDPR applies to all personal data, including physical files, paper records, and CCTV footage, while the DPDP Act is limited to digital personal data (which includes data collected on paper and digitised afterwards). In practice, a company operating in India only has to extend its data protection controls to purely non-digital records where it is also subject to the GDPR.
The GDPR's 'legitimate interests' basis allows organisations to process data without consent where processing is necessary for their (or a third party's) legitimate interests and those interests are not overridden by the individual's rights and freedoms; a documented balancing test is expected. This basis is widely used for fraud prevention, direct marketing, and network and information security. The DPDP Act does not have it, so Indian Data Fiduciaries must rely on consent or on one of the defined Legitimate Use categories in Section 7. For companies extending a GDPR programme to India, this may require obtaining fresh consent for processing activities previously covered by legitimate interests, and it means that security telemetry, fraud scoring and marketing analytics each need to be mapped explicitly to consent or to a Section 7 category.
The GDPR has a detailed transfer framework (Chapter V) under which transfers to non-EU countries may only occur where an adequacy decision, standard contractual clauses, binding corporate rules or another recognised safeguard applies. The DPDP Act takes the opposite approach: transfers are permitted by default unless the government restricts specific countries by notification. This is significantly more permissive than the GDPR and makes India attractive for global data operations, with two caveats. First, the Act expressly preserves any other Indian law that imposes stricter transfer restrictions or localisation requirements, so sector-specific rules (for example, those covering payment system data) continue to apply. Second, companies must still put their own contractual safeguards in place with processors abroad, since the Data Fiduciary remains responsible for the data wherever it is processed.
GDPR penalties are calculated as a percentage of global annual turnover (or a fixed euro ceiling, whichever is higher), meaning a large multinational can face penalties of hundreds of millions of euros. DPDP Act penalties are capped at fixed rupee amounts (up to ₹250 crore per instance, with lower caps for other categories of breach), which may be lower for very large companies but are still substantial for Indian businesses. Note that the GDPR does not simply stack fines: where several provisions are infringed in the same or linked processing, the total fine is capped at the amount for the gravest infringement. The higher exposure under the GDPR comes from the turnover-based ceiling, not from cumulative counting.
Whether your organisation needs standalone DPDP Act compliance or a dual DPDP/GDPR compliance programme, Vedtam's consulting team brings expertise in both Indian and international data protection frameworks. We help you design a unified compliance architecture that satisfies both laws efficiently — without duplicating effort.