DPDP Act vs GDPR: Key Differences for Global Companies
Both laws protect personal data. They differ in scope, consent models, penalty structures, and cross-border transfer rules. This is what multinational companies operating in India need to know.
Two Frameworks. Different Architectures.
The DPDP Act 2023 and the EU’s General Data Protection Regulation (GDPR) share a common objective: protecting individuals’ personal data. But they differ in structure, scope, and implementation requirements.
Companies operating across both jurisdictions cannot assume that GDPR compliance satisfies DPDP requirements. The two frameworks overlap in principle but diverge in operational detail.
Scope and Applicability
GDPR
Applies to organisations established in the EU/EEA, wherever the processing itself takes place, and to organisations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA. Covers automated processing and manual processing of personal data that forms part of a filing system.
DPDP Act
Applies to the processing of digital personal data within India, whether the data was collected in digital form or collected on paper and later digitised, and to processing outside India that is connected with offering goods or services to individuals in India. The Act covers digital personal data only: manual records that are never digitised fall outside its scope, as do data processed by an individual for personal or domestic purposes and data the individual has made publicly available.
| Dimension | GDPR | DPDP Act |
|---|---|---|
| Geographic scope | Individuals in the EU/EEA, plus EU/EEA-established organisations | Individuals in India, plus processing within India |
| Data format | Digital + manual filing systems | Digital only |
| Organisation coverage | Any size | Any size |
| Extraterritorial reach | Yes | Yes |
Lawful Bases for Processing
GDPR
Provides six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests is widely used in commercial contexts and requires no consent from the individual, though the controller must be able to show that its interests are not overridden by the individual's rights and freedoms.
DPDP Act
Provides two bases: consent (Section 6) and the "certain legitimate uses" listed in Section 7. The DPDP Act has no open-ended "legitimate interests" ground comparable to the GDPR's; the Section 7 list is closed.
The legitimate uses under the DPDP Act are narrowly defined:
- Processing for the specified purpose for which the Data Principal voluntarily provided the data and has not indicated that she does not consent (the one ground with broad commercial relevance)
- State functions: subsidies, benefits, services, certificates, licences and permits, statutory functions, and disclosures the law requires
- Compliance with a judgment, decree or order of a court or tribunal
- Medical emergencies, epidemics and other threats to public health
- Disasters and breakdowns of public order
- Employment purposes, including protecting the employer from loss or liability
For commercial processing that does not fit the voluntary-provision ground, consent is the only lawful basis under the DPDP Act. Businesses that rely on GDPR's legitimate interests ground will need to obtain consent for the same processing activities in India.
Consent Requirements
Both frameworks require consent to be freely given, specific, informed, and unambiguous, and to be signalled by a clear affirmative action. The key differences:
| Requirement | GDPR | DPDP Act |
|---|---|---|
| Consent form | Clear affirmative act; may be written, electronic or oral | Clear affirmative action, preceded or accompanied by a notice stating the data collected and the purpose |
| Withdrawal ease | Must be as easy as giving | Must be as easy as giving |
| Children’s age threshold | 16, which member states may lower to 13 (for online services offered to children) | 18 |
| Parental consent | Consent of the holder of parental responsibility below the threshold | Verifiable consent of a parent or lawful guardian; tracking, behavioural monitoring and targeted advertising directed at children are prohibited |
| Bundled consent | Conditioning a service on unnecessary consent undermines "freely given" | Consent is limited to the data necessary for the specified purpose; extra consents requested alongside it do not count |
The DPDP Act’s higher age threshold (18 rather than 13 to 16) and its ban on tracking and targeted advertising aimed at children create significant compliance implications for businesses serving teenage users.
Data Principal / Data Subject Rights
Both frameworks grant individuals rights over their data, but with different scopes:
| Right | GDPR | DPDP Act |
|---|---|---|
| Access / Information | Yes | Yes |
| Correction | Yes | Yes |
| Erasure | Yes (right to be forgotten) | Yes |
| Data portability | Yes | No |
| Restriction of processing | Yes | No |
| Object to processing | Yes | No |
| Right not to be subject to automated decisions | Yes | No |
| Nomination (posthumous rights) | No | Yes |
| Grievance redressal | Complaint to a supervisory authority, plus judicial remedy | First to the Data Fiduciary, then to the Data Protection Board |
The DPDP Act’s rights framework is narrower than the GDPR’s. It omits data portability, the right to restrict processing, and the right to object. However, it introduces the nomination right, which has no GDPR equivalent.
For a detailed analysis of Data Principal rights, see the dedicated article.
Penalty Structure
| Dimension | GDPR | DPDP Act |
|---|---|---|
| Maximum penalty | €20 million or 4% of worldwide annual turnover, whichever is higher | ₹250 crore per instance (roughly €27 million) |
| Penalty basis | Higher of a fixed sum or a revenue percentage | Fixed maximum per instance, set by violation category in the Schedule |
| Penalty tiers | Two tiers (€10 million / 2% and €20 million / 4%) by violation type | Specific maximums per category, from ₹50 crore for general breaches to ₹250 crore for failing to take reasonable security safeguards |
The GDPR’s percentage-of-turnover model means penalties scale with company size: a company with €20 billion in annual turnover faces a potential fine of €800 million. The DPDP Act’s fixed maximum of ₹250 crore applies regardless of company size, although the Board may impose it for each instance of a breach and must weigh the nature, gravity and duration of the breach, whether it is repetitive, and any gain realised or loss averted.
For detailed coverage, see DPDP penalties and enforcement.
Cross-Border Data Transfers
GDPR
Permits transfers to countries with “adequate” data protection (adequacy decisions), or through approved mechanisms: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or derogations.
DPDP Act
Permits transfers to any country except those the Central Government restricts by notification. As of the Act’s passage, no country has been restricted. This is a “blacklist” approach (block specific countries) versus the GDPR’s “whitelist” approach (approve specific countries, or require a transfer mechanism for everyone else).
This makes cross-border transfers simpler under the DPDP Act in the short term. Two caveats apply. The government can restrict transfers to any country at any time, creating regulatory uncertainty. And the Act expressly preserves stricter localisation requirements in other Indian laws, such as sector regulators’ mandates to store certain categories of data in India, so a transfer the DPDP Act permits may still be barred by sectoral rules.
Data Protection Officer
| Aspect | GDPR | DPDP Act |
|---|---|---|
| Appointment | Required for public authorities and for controllers whose core activities involve large-scale regular monitoring or large-scale special-category data | Required for Significant Data Fiduciaries; every Data Fiduciary must still publish contact details of a DPO or another person who can answer questions about its processing |
| Qualification | Expert knowledge of data protection law and practice | Must be an individual based in India |
| Independence | Must be independent and report directly to the highest management level | Responsible to the Board of Directors or similar governing body; point of contact for grievance redressal |
The DPDP Act’s DPO requirement is narrower, applying only to Significant Data Fiduciaries, who must also appoint an independent data auditor and conduct periodic Data Protection Impact Assessments. Other Data Fiduciaries need not appoint a DPO, but they must publish the business contact details of a DPO or of a person able to answer Data Principals’ questions, and appointing one voluntarily is the simplest way to meet that obligation.
Breach Notification
Both frameworks mandate breach notification, but the triggers differ. Under the GDPR, the controller notifies the supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals, and notifies the affected individuals only where the risk is high. The DPDP Act requires the Data Fiduciary to notify both the Data Protection Board and each affected Data Principal of every personal data breach, with no risk threshold; the form, manner and timeline of notification are left to rules made under the Act.
What This Means for Global Companies
If your company operates in both India and the EU:
- Do not assume GDPR compliance covers DPDP. The consent model differences alone require separate implementation.
- Review the lawful basis for each processing activity. Legitimate interests processing that is valid under GDPR will need consent under DPDP unless it fits the narrow voluntary-provision ground.
- Adjust children’s data handling. The 18-year threshold in India is well above most GDPR implementations, and tracking or targeted advertising aimed at under-18s is prohibited outright.
- Monitor India’s cross-border transfer notifications. The current permissive regime could change.
- Assess both frameworks independently. Use the free DPDP Gap Assessment to identify India-specific compliance gaps.