DPDP Act vs GDPR: 12 Differences That Change Your Compliance Strategy
If your organisation already complies with the GDPR, you might assume that India's DPDP Act 2023 is covered. It is not. The two laws share a common purpose — both protect individuals' personal data — but they differ in scope, enforcement, penalties, and fundamental approach.
Here are the 12 differences that matter most, and what each one means for your compliance programme.
The Side-by-Side Comparison
| Dimension | DPDP Act 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital and non-digital) |
| Legal bases for processing | Consent + 9 legitimate uses | 6 legal bases (Art. 6) + special categories (Art. 9) |
| Consent standard | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous |
| Children's age threshold | Under 18 (no variation) | Under 16 (Member States may lower to 13) |
| Cross-border transfers | Negative list — allowed unless restricted | Adequacy model — blocked unless approved |
| Data Principal duties | Yes — obligations on individuals | No duties on data subjects |
| Maximum penalty | ₹250 crore (~€27M) per breach type | €20M or 4% global turnover (whichever higher) |
| Penalty structure | Fixed amounts per breach type | Revenue-linked (percentage of turnover) |
| DPO requirement | Significant Data Fiduciaries only | Public authorities + large-scale processors |
| Breach notification | Board + Data Principals: without delay | Supervisory authority: 72h, data subjects: without undue delay |
| Right to portability | Not included | Yes (Art. 20) |
| Regulator | Single national body (DPBI) | One per Member State + EDPB coordination |
Key Takeaway
GDPR compliance does not equal DPDP compliance. The DPDP Act has a narrower scope but higher age thresholds, a fundamentally different cross-border transfer model, and a penalty structure that does not scale with revenue. You need a separate compliance workstream for India.
Where the DPDP Act Is Narrower Than the GDPR
1. Digital Data Only
The GDPR applies to all personal data regardless of form — paper files, audio recordings, CCTV footage. The DPDP Act applies only to digital personal data, or data that was collected in non-digital form and subsequently digitised.
What this means: If your Indian operations involve purely paper-based records that are never digitised, the DPDP Act does not cover them. In practice, this exclusion is increasingly irrelevant as nearly all business processes generate digital records.
2. Fewer Legal Bases
The GDPR provides six legal bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests). The DPDP Act recognises only consent and certain legitimate uses listed in Section 7 — and notably, there is no general "legitimate interests" basis.
The absence of a "legitimate interests" basis is the single biggest operational difference. Processing that a European business justifies under GDPR Art. 6(1)(f) — fraud prevention, direct marketing, network security — has no equivalent justification under the DPDP Act. You must find consent or a Section 7 legitimate use, or you cannot process.
3. No Right to Data Portability
GDPR Article 20 gives individuals the right to receive their data in a structured, machine-readable format and transfer it to another controller. The DPDP Act does not include a portability right. Data Principals can access their data and request deletion, but they cannot demand a portable export.
4. No Right to Object to Processing
Under the GDPR, data subjects can object to processing based on legitimate interests or public interest (Art. 21), including the right to object to profiling. The DPDP Act has no equivalent standalone right. The Data Principal's remedy is to withdraw consent — which stops all processing, not selective processing.
Where the DPDP Act Is Stricter Than the GDPR
5. Children's Data: 18 vs 16
The GDPR sets the default age of consent at 16, and allows Member States to lower it to 13. The DPDP Act sets it at 18 with no variation. Any processing of data belonging to an individual under 18 requires verifiable parental consent.
What this means: EdTech platforms, social media companies, and gaming services that serve Indian users under 18 face significantly higher compliance burdens than in Europe. A 15-year-old can consent to data processing in most EU countries but cannot consent in India.
6. The "Unconditional" Consent Requirement
Both laws require consent to be free, specific, informed, and unambiguous. The DPDP Act adds a fifth condition: consent must be unconditional. This means you cannot make access to a service conditional on consent to unrelated data processing.
The GDPR addresses this through the "freely given" requirement and guidelines on bundling, but does not use the explicit word "unconditional." The DPDP Act makes it a statutory requirement.
7. Data Principals Have Duties
This is unique to the DPDP Act. Section 15 imposes obligations on individuals, including:
- Not filing false or frivolous complaints
- Not suppressing material information when exercising rights
- Not impersonating another Data Principal
- Ensuring that any information they provide is verifiably authentic
A Data Principal who breaches these duties faces a penalty of up to ₹10,000.
Why This Matters for Businesses
The Data Principal duties provision gives organisations a defence mechanism. If a complaint is found to be false or frivolous, the Board can penalise the complainant. This creates a more balanced enforcement dynamic than the GDPR, which places all enforcement pressure on data controllers.
Where They Take Fundamentally Different Approaches
8. Cross-Border Transfers: Negative List vs Adequacy
This is the most structurally different provision between the two laws.
The GDPR uses an adequacy model — cross-border transfers are blocked by default unless the destination country has an adequacy decision, or you use Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism.
The DPDP Act uses a negative list model — cross-border transfers are allowed by default to any country unless the Central Government specifically restricts transfers to that country by notification. No country has been restricted yet.
What this means: For now, transferring personal data out of India is straightforward — you can send it anywhere. This could change overnight if the government adds countries to the restricted list. Build your data architecture so that you can restrict flows to specific countries quickly.
9. Penalty Structure: Fixed vs Revenue-Linked
The GDPR's maximum penalty scales with revenue — 4% of global annual turnover or €20 million, whichever is higher. This means a company with €10 billion revenue faces a maximum penalty of €400 million.
The DPDP Act uses fixed maximums — the highest being ₹250 crore (~€27 million), regardless of the organisation's size. A small startup and a multinational both face the same cap.
The fixed penalty structure creates an asymmetry: the DPDP Act is proportionally harsher for smaller companies (₹250 crore could be existential for a mid-size business) and proportionally lighter for large multinationals (whose GDPR exposure could be billions). However, the Central Government can double all penalties by notification under Section 33(2).
10. Breach Notification: Similar Timelines, Different Scope
Both laws require breach notification. The GDPR requires notification to the supervisory authority within 72 hours and to data subjects "without undue delay" (only when the breach poses a high risk).
The DPDP Act requires notification to both the Board and affected Data Principals without delay, with a detailed incident report within 72 hours. The key difference: notification to Data Principals is mandatory for all breaches, not just high-risk ones. You cannot make an internal risk assessment and decide not to notify.
11. Regulatory Structure: One Body vs Many
The GDPR is enforced by independent supervisory authorities in each Member State, coordinated by the European Data Protection Board. This creates complexity when an organisation operates across multiple EU countries (lead supervisory authority, cross-border cooperation procedures).
The DPDP Act is enforced by a single body — the Data Protection Board of India. One regulator, one set of procedures, one appeals path (to TDSAT, then the Supreme Court). For organisations, this is simpler but also means there is no forum shopping.
12. DPO Requirement: Narrow vs Broad
The GDPR requires a Data Protection Officer for public authorities, organisations conducting large-scale systematic monitoring, and those processing special categories of data at scale. Many organisations appoint one even when not required.
The DPDP Act requires a DPO only for Significant Data Fiduciaries — organisations specifically designated by the Central Government based on data volume, sensitivity, or risk to individuals. Most companies will not be designated. If you are not an SDF, there is no legal requirement to appoint a DPO under the DPDP Act.
What This Means for Dual-Compliance Organisations
If your organisation operates in both India and the EU, here is the practical impact:
You Cannot Reuse Your GDPR Consent Flows
GDPR consent must be freely given, specific, informed, and unambiguous. DPDP consent must also be unconditional and the notice must be available in English and all 22 scheduled Indian languages. Your existing consent mechanism needs modification for India.
"Legitimate Interests" Processing Needs a New Legal Basis
Any processing you justify under GDPR legitimate interests must find a different legal basis under the DPDP Act — either explicit consent or one of the Section 7 legitimate uses. Audit these processing activities specifically.
Your Children's Data Age Gate Needs Updating
If your GDPR-compliant systems use 13 or 16 as the consent threshold, you need to implement an 18-year threshold for Indian users.
Cross-Border Transfer Mechanisms Are Simpler (for Now)
You do not need SCCs or BCRs for India-to-abroad transfers. But build in the ability to restrict flows to specific countries — the negative list is empty today but may not be tomorrow.
Breach Response Needs a Separate India Workflow
Your GDPR breach response process likely includes a risk assessment to determine whether data subject notification is required. Under the DPDP Act, notification to Data Principals is always mandatory. Build a parallel notification workflow for India.
The Bottom Line
The DPDP Act and GDPR share the same goal — protecting individuals' personal data — but they take meaningfully different paths to get there. The DPDP Act is shorter, more prescriptive, and in some areas stricter (children's data, unconditional consent, mandatory Data Principal notification). In other areas, it is more permissive (cross-border transfers, narrower scope to digital data).
Treating GDPR compliance as sufficient for India will create gaps. Treating them as completely separate will create unnecessary duplication. The practical path is to identify the 12 differences above, build India-specific controls where the laws diverge, and reuse your GDPR infrastructure where they align.
For the full text of every DPDP Act section and rule explained in plain English, see our DPDP Act 2023 — Complete Guide.