DPDP Act vs GDPR — Key Differences Explained

DPDP Comply Team, 5 April 2026

If your organization already complies with the EU's General Data Protection Regulation (GDPR), you might assume that India's Digital Personal Data Protection Act 2023 is simply more of the same. While the two laws share foundational principles — consent, transparency, data subject rights — the differences are significant enough that GDPR compliance alone does not guarantee DPDP compliance.

This guide provides a detailed comparison to help businesses operating across both jurisdictions understand what additional steps may be required.

High-Level Comparison

| Aspect | DPDP Act 2023 | GDPR |
|--------|---------------|------|
| Jurisdiction | India | European Union / EEA |
| Enacted | August 2023 | May 2018 |
| Scope | Digital personal data only | All personal data (digital and non-digital) |
| Legal Bases for Processing | Consent + Legitimate Uses | 6 legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
| Data Protection Authority | Data Protection Board of India | Supervisory Authorities (one per EU member state) |
| Maximum Penalty | INR 250 crore (~USD 30M) | EUR 20M or 4% of global annual turnover |
| DPO Requirement | Only for Significant Data Fiduciaries | Required for certain controllers/processors |
| Right to Data Portability | Not explicitly included | Yes |
| Right to Object | Not explicitly included | Yes |
| Automated Decision-Making | Not specifically addressed | Article 22 protections |

Scope and Applicability

DPDP Act

The DPDP Act applies only to digital personal data — data collected in digital form or data collected in non-digital form and subsequently digitized. It does not cover personal data that remains in paper or analog form throughout its lifecycle.

The Act applies to processing within India and to processing outside India if it relates to offering goods or services to individuals in India.

GDPR

The GDPR applies to all personal data regardless of format — digital, paper, audio recordings, CCTV footage. Its territorial scope covers processing by organizations established in the EU and processing of EU residents' data by organizations outside the EU.

Key Difference

The DPDP Act's limitation to digital personal data is a meaningful distinction. Organizations that process non-digital personal data in India may not be covered, whereas under GDPR all forms of personal data are in scope. For most modern businesses, however, this distinction is largely academic, since virtually all data processing is now digital.

Legal Bases for Processing

DPDP Act

The DPDP Act recognizes two primary grounds for lawful processing:

  1. Consent (Section 6) — The primary basis, requiring free, specific, informed, unconditional, and unambiguous consent
  2. Certain Legitimate Uses (Section 7) — Specific situations where consent is not required, including employment purposes, medical emergencies, and state functions

Notably absent is a general "legitimate interests" basis comparable to GDPR Article 6(1)(f).

GDPR

The GDPR provides six legal bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. The legitimate interests basis is widely used by businesses for activities like fraud prevention, direct marketing, and network security.

Key Difference

The absence of a broad legitimate interests ground under the DPDP Act means Indian businesses will rely more heavily on consent. This makes robust consent management even more critical for DPDP compliance than it already is under GDPR.

Consent Requirements

DPDP Act

  • Must be free, specific, informed, unconditional, and unambiguous
  • Must be given through a clear affirmative action
  • Must be preceded by a notice in clear, plain language (Section 5)
  • Can be given through a Consent Manager
  • Must be as easy to withdraw as to give (Section 11)
  • Consent for children requires verifiable parental consent (Section 9)

GDPR

  • Must be freely given, specific, informed, and unambiguous
  • Must be given through a clear affirmative action
  • Must be as easy to withdraw as to give
  • Children's consent requires parental authorization (age varies by member state, 13-16 years)
  • Explicit consent required for special category data

Key Difference

The requirements are broadly similar, but the DPDP Act adds the "unconditional" qualifier — consent cannot be made a condition of accessing a service unless the personal data is necessary for that service. The DPDP Act also introduces the concept of a Consent Manager as a formal intermediary.

Data Principal / Data Subject Rights

DPDP Act Rights

  • Right to Access information about processing (Section 12)
  • Right to Correction and Erasure (Section 13)
  • Right to Grievance Redressal (Section 14)
  • Right to Nominate another person to exercise rights (Section 14)
  • 30-day response deadline (Section 13(3))

GDPR Rights

  • Right of Access (Article 15)
  • Right to Rectification (Article 16)
  • Right to Erasure (Article 17)
  • Right to Restriction of Processing (Article 18)
  • Right to Data Portability (Article 20)
  • Right to Object (Article 21)
  • Rights related to Automated Decision-Making (Article 22)
  • Generally one-month response deadline (Article 12(3))

Key Difference

The GDPR provides a broader set of rights, including data portability, the right to object, and protections against automated decision-making. The DPDP Act is simpler with fewer rights, but introduces the unique Right to Nominate. The response timelines are comparable (30 days vs one month).

Cross-Border Data Transfers

DPDP Act

The DPDP Act takes a permissive approach: personal data may be transferred to any country except those specifically restricted by the Central Government through notification. As of now, no countries have been restricted, making cross-border transfers relatively straightforward.

GDPR

The GDPR takes the opposite approach: transfers outside the EEA are prohibited unless the destination country has an adequacy decision, or appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules) are in place.

Key Difference

The DPDP Act's blacklist approach is simpler than GDPR's whitelist approach. Businesses moving data out of India face fewer procedural hurdles, at least until the government notifies restricted countries.

Penalties and Enforcement

DPDP Act

  • Penalties up to INR 250 crore for security failures causing breaches
  • Enforced by the Data Protection Board of India (single national body)
  • No provision for private lawsuits or class actions under the Act itself

GDPR

  • Penalties up to EUR 20 million or 4% of global annual turnover (whichever is higher)
  • Enforced by Supervisory Authorities in each EU member state
  • Private right of action for compensation (Article 82)

Key Difference

GDPR penalties can be significantly higher for large enterprises due to the turnover-based calculation. However, the DPDP Act's fixed caps still represent severe amounts for most Indian businesses. The absence of private lawsuits under the DPDP Act means the Data Protection Board is the sole enforcement channel.

Compliance Implications for Multi-Jurisdiction Businesses

If your business operates in both India and the EU, you cannot simply extend your GDPR compliance program to cover the DPDP Act. Key areas requiring separate attention include:

  • Consent mechanisms — You may need India-specific consent flows due to the narrower legal bases
  • Privacy notices — Separate notices referencing DPDP Act provisions and the Data Protection Board
  • Rights request workflows — The right categories and response mechanisms differ
  • Record keeping — Different documentation requirements

DPDP Comply is built specifically for the Indian regulatory context while being compatible with broader global privacy programs. Get Started Free to add DPDP-specific compliance to your existing privacy infrastructure, or View Pricing for team plans.

The Bottom Line

GDPR and the DPDP Act are siblings, not twins. Organizations operating in India need purpose-built compliance tools that address the specific requirements of the DPDP Act — from its consent-heavy approach to its unique rights framework. Do not assume your GDPR program has you covered.

For a foundational understanding of the DPDP Act itself, start with our complete guide to the DPDP Act.