DPDP Act vs GDPR: Side-by-Side Comparison
India's DPDP Act 2023 and Europe's GDPR both protect personal data but differ significantly in scope, rights, and enforcement. Full side-by-side comparison.
- DPDP Act 2023 is narrower in scope than GDPR — it covers digital personal data only (including data collected offline and later digitised); GDPR also covers structured paper records.
- GDPR gives individuals more extensive rights, including the right to object, the right to restriction and data portability; DPDP Act covers access, correction, erasure, grievance redress and nomination.
- DPDP Act penalties reach ₹250 crore per incident; GDPR penalties reach €20M or 4% of global turnover.
- GDPR requires lawful basis for each processing activity; DPDP Act uses a consent or legitimate use model.
- Companies operating in both India and EU need to satisfy both frameworks — they are not interchangeable.
Overview
India's Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent in August 2023, giving India its first comprehensive personal data protection statute. It draws on GDPR but takes a distinctly different approach in several important areas.
For Indian companies with European operations — or European companies with Indian users — understanding the differences is essential. Complying with one does not mean you comply with the other.
Scope and Applicability
GDPR scope: personal data processed by automated means or held in a structured filing system (so paper records count), by any organisation established in the EU regardless of where the processing happens, and by non-EU organisations that offer goods or services to people in the EU/EEA or monitor their behaviour there. Note that GDPR protects data subjects who are in the Union, not "EU residents" in the citizenship or residency sense.
DPDP Act scope: digital personal data processed within India (including data collected in non-digital form and later digitised) and digital personal data processed outside India in connection with offering goods or services to Data Principals in India. It excludes data processed for personal or domestic purposes and data the individual has made publicly available, and the central government can exempt notified state instrumentalities.
Key practical difference: GDPR covers structured paper records. DPDP Act covers only digital personal data, so a company keeping purely physical paper files may be partially outside DPDP Act scope for those records — but the moment those files are scanned or keyed into a system, the resulting data is in scope.
Lawful Basis for Processing
GDPR requires one of six lawful bases for each processing activity: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. The legitimate interests basis requires a balancing test and is widely used by B2B companies.
DPDP Act uses a simpler model: consent (with specific requirements for notice and withdrawal) or 'legitimate uses' (a defined list including employment, state functions, medical purposes, and certain legal compliance scenarios). There is no general legitimate interests balancing test equivalent.
For B2B SaaS companies processing employee data: both frameworks require a clear basis. Under GDPR, legitimate interests or contract performance is commonly relied on for B2B processing. Under the DPDP Act, employment purposes are an explicitly listed legitimate use, but there is no general "contract performance" basis, so B2B processing that does not fit a listed legitimate use falls back on consent.
Individual Rights
GDPR gives individuals: right of access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, objection to processing, and rights related to automated decision-making. Requests must be answered without undue delay and within one month, extendable by two further months for complex or numerous requests.
DPDP Act gives Data Principals: right to access (a summary of the personal data held, the processing activities, and the identities of other Data Fiduciaries it has been shared with), right to correction, completion, updating and erasure, right to grievance redress, and right to nominate another person to exercise these rights. Consent must also be withdrawable as easily as it was given. It does not include a general right to data portability or a right to object to processing.
The DPDP Act's rights framework is meaningful but narrower than GDPR. For companies operating in both markets, designing your Data Subject Request (DSR) process to GDPR standards will generally exceed DPDP Act requirements — a practical approach for dual compliance.
Organisational Obligations
GDPR organisational obligations: maintain a Record of Processing Activities (ROPA), appoint a Data Protection Officer (DPO) in certain cases, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, implement privacy by design, notify the supervisory authority of reportable breaches within 72 hours (and affected individuals where the risk is high), and use an approved transfer mechanism (adequacy decision, Standard Contractual Clauses or Binding Corporate Rules) for transfers outside the EEA.
DPDP Act obligations: notice before or at the time of requesting consent (in plain language), purpose limitation, keeping data accurate and complete, erasure once the purpose is served, reasonable security safeguards, breach notification to the Data Protection Board and affected Data Principals, and a valid contract with any Data Processor (Data Processors act on the Data Fiduciary's instructions, and the Fiduciary stays responsible).
A DPDP Act mechanism with no direct GDPR equivalent: the central government can notify certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as data volume and sensitivity and risk to the state. SDFs carry additional obligations — a DPO based in India, an independent data auditor, periodic DPIAs and audits, and any further measures the government prescribes, which may include cross-border transfer restrictions. GDPR imposes its DPO and DPIA duties by processing risk, not by designation of the organisation.
Penalties and Enforcement
GDPR penalties: up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious violations, and up to €10 million or 2% for a lower tier. Supervisory authorities (DPAs) in each EU member state have investigative and corrective powers, including orders to stop processing.
DPDP Act penalties: up to ₹250 crore (roughly $30M USD) per instance of violation, with a schedule of lower caps for specific failures such as not notifying a breach or not meeting obligations towards children. The Data Protection Board of India (DPBI) is the enforcement body; its constitution and procedures are set by the Rules under the Act.
The enforcement framework is still being stood up. The Act's provisions come into force on dates the central government notifies, and the Rules phase in the substantive obligations over a transition period, so check the notified commencement dates rather than assuming every provision is already in force. Companies should treat the Act as operative and build compliance now — enforcement will follow.
Running Dual Compliance
For Indian companies with EU users: build GDPR compliance as your primary framework (it is stricter and more established), then verify DPDP Act compliance as an additional layer. Most GDPR-compliant programmes will satisfy DPDP Act requirements with incremental additions: breach notification to the DPBI in the prescribed form, consent notices offered in English or any of the 22 languages in the Eighth Schedule at the Data Principal's option, a nomination mechanism, and a named grievance contact.
For European companies with Indian users: build DPDP Act compliance alongside your existing GDPR programme. Focus on consent management for Indian users, breach notification to the DPBI, and data minimisation requirements specific to the DPDP Act.
Common tool: AuditPath maps both DPDP Act obligations and SOC 2 controls from a single dashboard, allowing Indian SaaS companies to manage their global compliance posture without running two separate programmes.
Frequently Asked Questions
Does DPDP Act replace GDPR for Indian companies?
Is consent required under both DPDP Act and GDPR?
What is a Significant Data Fiduciary under the DPDP Act?
Does DPDP Act require data to be stored in India?
How long does a company have to report a data breach under DPDP Act?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free