
DPDP Act vs GDPR: Key Differences for Indian Companies

A detailed comparison of India's DPDP Act 2023 and the EU's GDPR — lawful bases, DPO requirements, breach notification, penalties, and what GDPR-compliant companies must do differently.

Key Takeaways
  • GDPR has six lawful bases; DPDP Act has two — consent and limited legitimate uses. No legitimate interests basis exists under DPDP.
  • GDPR requires DPOs for high-risk processing regardless of entity classification; DPDP Act requires DPOs only for Significant Data Fiduciaries.
  • GDPR has adequacy decisions and SCCs for cross-border transfers; DPDP Act has only a government whitelist.
  • GDPR penalties are up to 4% of global annual turnover; DPDP Act penalties are fixed caps up to ₹250 crore.
  • GDPR-compliant companies are a strong starting point but cannot assume DPDP compliance without specific gap analysis.

Scope and Territorial Application

Both GDPR and the DPDP Act have extraterritorial reach. GDPR applies to any controller or processor that offers goods or services to EU residents, or that monitors their behaviour. DPDP Act applies to any Data Fiduciary that processes digital personal data in India or processes data in connection with offering goods or services to Indian residents.

Key difference: GDPR applies to both controllers and processors directly. The DPDP Act primarily obligates Data Fiduciaries (controllers) — processors are regulated almost exclusively through contract. This means a GDPR-regulated processor moving into the Indian market has fewer direct statutory obligations under DPDP Act, but their Indian Data Fiduciary customers will impose equivalent obligations contractually.

GDPR has no equivalent to the DPDP Act's distinction between all Data Fiduciaries and Significant Data Fiduciaries. GDPR applies uniformly to all controllers (with some derogations for small organisations), while DPDP Act creates a two-tier structure with additional obligations only for classified SDFs.

Lawful Bases: The Critical Difference

GDPR provides six lawful bases: (1) consent; (2) contract performance; (3) legal obligation; (4) vital interests; (5) public task; and (6) legitimate interests. This flexibility allows most commercial processing to have a lawful basis without requiring explicit consent — contract covers service delivery, legitimate interests covers fraud prevention and analytics.

DPDP Act provides two: consent (Section 6) and limited legitimate uses (Section 7). Section 7 legitimate uses cover state functions, court orders, medical emergencies, employment (subject to Rules), and some verification purposes. Contract performance is not a named basis — processing necessary for service delivery that would be covered by GDPR's Article 6(1)(b) requires either consent or a Section 7 legitimate use under DPDP Act.

This difference is the single most operationally significant distinction for Indian companies. Activities routinely carried out without explicit consent under GDPR — analytics, fraud screening, customer support, operational processing — require consent under DPDP Act or must be squeezed into a Section 7 category. Companies must audit every processing activity and obtain consent where previously they relied on contract or legitimate interests.

Data Subject/Principal Rights Compared

Both regimes give individuals the right to access their data, correct it, and request erasure. But GDPR goes further: it adds the right to data portability (receiving data in a machine-readable format for transfer to another controller), the right to object to processing (including direct marketing and legitimate interests processing), and the right not to be subject to automated decision-making with legal effects.

The DPDP Act does not have explicit data portability or right to object provisions. Its rights framework covers access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and the novel nominee rights (Section 14). The absence of a right to object is consistent with the absence of legitimate interests as a lawful basis — there is nothing to object to if processing must be based on consent, which can be withdrawn.

GDPR's automated decision-making right (Article 22) is not replicated in the DPDP Act — there is no explicit right not to be subject to profiling or algorithmic decision-making. The DPDP Act's children's data prohibition on profiling (Section 9(3)) partially addresses this for under-18 users, but adults have no equivalent right in the statute (the Rules may address this for SDFs).

Breach Notification: Similarities and Differences

Both frameworks require notification of data breaches within 72 hours — GDPR under Article 33, DPDP Act under Section 8(6) and Draft Rules. Both require notification to both the supervisory authority/Board and affected individuals. Both require documentation of breaches including low-risk incidents.

Key difference: GDPR includes a risk threshold — notification to individuals is required only when the breach is "likely to result in a high risk to the rights and freedoms of natural persons." Low-risk breaches require notification to the supervisory authority but not to individuals. The DPDP Act has no explicit risk threshold — Section 8(6) requires notification for every breach. This is a heavier obligation under DPDP Act.

GDPR's Article 34 exceptions (notification not required where data was encrypted, or where measures have been taken to ensure high risk is unlikely to materialise) do not have equivalents in the DPDP Act as currently enacted. The Rules may introduce risk-based thresholds, but until they do, assume every breach is notifiable.

Data Protection Officer Requirements

GDPR requires a DPO for: (a) public authorities; (b) controllers or processors whose core activities involve regular and systematic monitoring of data subjects at large scale; and (c) controllers or processors whose core activities involve large-scale processing of special categories of data. This activity-based test captures many private companies.

DPDP Act requires a DPO only for Significant Data Fiduciaries — a government-designated classification. Non-SDF companies, even if they process large volumes of sensitive data, are not required to appoint a DPO. This is a narrower obligation, but SDF classification may cast a wide net.

GDPR's DPO independence requirements are more detailed: specific conflict of interest provisions, protection against dismissal or penalty for performing duties, direct access to highest management. The DPDP Act's DPO governance framework is less prescriptive — the Rules may add detail. Companies appointing DPOs under the DPDP Act should voluntarily adopt GDPR-equivalent governance standards as best practice.

Cross-Border Transfer Mechanisms

GDPR provides multiple transfer mechanisms: adequacy decisions (for countries with adequate protection, e.g., UK, Japan, South Korea); Standard Contractual Clauses (SCCs) for transfers to non-adequate countries; Binding Corporate Rules (BCRs) for intra-group transfers; and derogations for specific situations. This toolbox gives controllers significant flexibility to enable lawful transfers.

DPDP Act provides one mechanism: a government whitelist of permitted countries. No SCCs, no adequacy assessments, no BCRs. If the destination country is not on the whitelist, the transfer is not permitted — full stop. This is a far more restrictive and less flexible framework than GDPR's.

For companies that are both GDPR-compliant (with SCCs in place for transfers to India from Europe) and DPDP Act-subject (transferring data from India to non-whitelisted countries), the asymmetry is significant. GDPR allows data into India from Europe via SCCs; DPDP Act may prohibit Indian data going to Europe or the US if they are not on the whitelist.

Penalty Structures Compared

GDPR penalties are percentage-based: up to 4% of global annual turnover or €20 million, whichever is higher, for the most serious violations. For a large tech company with €50 billion revenue, a 4% penalty is €2 billion. GDPR's turnover-based model creates penalties proportionate to the company's scale.

DPDP Act penalties are fixed caps: the maximum penalty is ₹250 crore (approximately USD 30 million) regardless of the company's revenue. For a startup or mid-size company, ₹250 crore is potentially existential. For a large tech company with thousands of crores in revenue, ₹250 crore may be a manageable line item — significantly less deterrent than GDPR.

The fixed-cap structure means the DPDP Act is relatively more deterrent for small companies and less deterrent for large ones compared to GDPR. This has been criticised in industry consultations; the Rules or future amendments may introduce a turnover-linked component. Until then, ₹250 crore is the ceiling, and the Board has discretion to impose any amount up to it.

Frequently Asked Questions

If our company is GDPR-compliant, what additional steps are needed for DPDP Act compliance?

Key gaps to address: (1) audit all processing activities currently relying on legitimate interests or contract performance — these need consent or a Section 7 justification under DPDP Act; (2) review cross-border transfer flows and prepare for whitelist-only transfers; (3) check that your DPO is India-based if you are an SDF; (4) ensure your breach notification process notifies all Data Principals, not just those at high risk; (5) add nominee rights accommodation to your rights fulfilment process.

Which law is more strict — GDPR or DPDP Act?

It depends on the provision. GDPR is more demanding on: lawful bases (more flexible, but also more complex to apply); processor obligations (directly regulated); rights (portability, object, automated decisions); DPO requirements. DPDP Act is stricter on: breach notification (no risk threshold); cross-border transfers (whitelist only, no SCCs). Neither is uniformly stricter across all provisions.

Can we use a single privacy notice for GDPR and DPDP Act compliance?

You can aim for a unified notice that covers both frameworks, but you need to ensure it meets both standards. GDPR requires disclosure of the legal basis and retention periods; DPDP Act requires a description of rights and the Board complaint mechanism. A unified notice addressing all requirements of both frameworks is achievable with careful drafting.

We have EU-to-India data flows covered by SCCs. Do those SCCs satisfy DPDP Act requirements?

SCCs address GDPR's outbound transfer requirements from the EU perspective — they do not address India's inbound transfer requirements. Separately, for data flowing from India to Europe, DPDP Act requires the destination to be on India's whitelist — SCCs are not a substitute for whitelist inclusion under DPDP Act.

Is there a future possibility of an EU-India adequacy decision for DPDP Act?

The European Commission could issue an adequacy decision for India under GDPR Article 45 if it determines that India's data protection framework provides an equivalent level of protection to GDPR. This would allow GDPR-regulated data flows to India without SCCs. Such a decision is a medium-term diplomatic aspiration but has not been formally initiated as of early 2026.
