Thought Leadership · Comparison · 11 min read · March 2026

DPDP Act vs GDPR: Key Differences Indian Companies Must Know

GDPR compliance is genuinely valuable — but it is not DPDP compliance. A 10-dimension comparison of the two laws: what transfers directly, what needs adaptation, and what you must build from scratch.

Audience: GDPR-compliant companies, compliance teams, CISOs, DPOs

Introduction: GDPR Experience Is Valuable — But Not Sufficient

Many Indian multinational companies and subsidiaries of European/global firms have invested significantly in GDPR compliance. If your organisation processes EU data subjects' data, you have privacy notices, consent mechanisms, data subject rights workflows, and vendor management programmes in place.

That GDPR experience is genuinely valuable for DPDP Act compliance — the frameworks share philosophical DNA. But GDPR compliance is not DPDP compliance.

The two laws differ significantly in scope, obligations, technical requirements, and enforcement approach. This post maps the key differences across 10 dimensions and helps GDPR-experienced teams understand where their existing programmes transfer — and where they need to build new capabilities.

Dimension 1: Scope and Territorial Application

GDPR

  • Organisations established in the EU (regardless of where processing occurs)
  • Organisations outside the EU that offer goods/services to EU data subjects OR monitor their behaviour
  • Covers all personal data including paper records

DPDP Act

  • Processing of digital personal data within India
  • Processing outside India where it relates to profiling or offering goods/services to Data Principals within India
  • Covers digital data only — paper records excluded

Key difference: The DPDP Act applies to digital personal data only. Paper records, physical files, and non-digitised data are not covered (though once digitised, they fall under the Act). For most modern enterprises this is academic, but there are edge cases in healthcare, legal, and financial services where paper records remain significant.

Dimension 2: Legal Bases for Processing

GDPR — 6 lawful bases

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests (widely used commercially)

DPDP Act — 2 grounds

  • Consent — Section 6
  • Legitimate Use — specific exemptions only (state functions, legal proceedings, medical emergency, employment, public interest, research)

Key difference: There is no broad "legitimate interests" balancing test under the DPDP Act. Processing activities that GDPR companies conduct under legitimate interests — marketing analytics, fraud detection profiling, certain personalisation — will typically require explicit consent under the DPDP Act. Review every processing activity that relies on GDPR's legitimate interests basis; most will need to move to consent for India.

Dimension 3: Consent Standards

GDPR

Freely given, specific, informed, unambiguous. Clear affirmative act; no pre-ticked boxes. One of six bases — often avoided in favour of legitimate interests.

DPDP Act

Free, specific, informed, unconditional, and unambiguous. Bundled consents (multiple purposes in one click) are not valid. Primary ground for commercial processing.

Difference 1 — No alternative in commercial contexts: Without a broad legitimate interests basis, consent is the primary ground for commercial processing. Consent management infrastructure is far more central to DPDP compliance than it often is for GDPR.

Difference 2 — Non-repudiation: The DPDP Rules 2025 Rule 4 requires consent artifacts to be produced on demand, maintained for 7 years, and include the exact notice text shown at the time of consent. GDPR's consent documentation requirements, while similar in principle, did not catalyse the same standard for cryptographic proof. The DPBI will demand RFC 3161 TSA tokens and digital signatures — not just database records.

Difference 3 — Granularity: DPDP consent must be purpose-specific. A single "I agree to the privacy policy" cannot cover multiple processing purposes. Each purpose requires separate consent.

Dimension 4: Notice Requirements

GDPR (Articles 13 & 14)

  • Controller identity, DPO contact
  • Purposes and legal bases
  • Legitimate interests
  • Recipients, transfers, safeguards
  • Retention periods
  • Data subject rights
  • No standalone format mandate
  • No multilingual requirement

DPDP Act (Section 5 + Rule 3)

  • Personal data to be collected
  • Processing purposes
  • How to exercise rights
  • How to file a grievance
  • How to withdraw consent
  • Standalone format required — not embedded in T&Cs
  • English + 1 Eighth Schedule language minimum

Difference 1 — Standalone format: DPDP Rules Rule 3(2) explicitly prohibits embedding the notice in Terms and Conditions. GDPR does not have this specific prohibition.

Difference 2 — Language mandate: DPDP requires notices in English AND at least one of the 22 Eighth Schedule languages. GDPR has no multilingual mandate — only intelligibility. This is a significant new operational requirement: authoring, maintaining, and quality-controlling notices in multiple Indian languages.

Difference 3 — Content focus: DPDP notices focus on enabling the data principal's rights (how to exercise, how to withdraw). GDPR notices emphasise corporate processing disclosure (legal bases, transfer mechanisms, retention schedules). Different information architecture — your GDPR notice templates cannot be used as-is.

Dimension 5: Data Subject / Principal Rights

GDPR

  • Access — 1 month
  • Rectification — 1 month
  • Erasure — 1 month
  • Restriction of processing
  • Data portability (Article 20)
  • Right to object (Article 21)
  • Rights re: automated decisions
  • Withdraw consent

DPDP Act

  • Access (§11) — 90 days
  • Correction & erasure (§12) — 90 days
  • Grievance redressal (§13) — 30 days
  • Nomination (§14) — uniquely Indian
  • Withdraw consent — anytime, propagated immediately
  • No data portability
  • No right to object

Difference 1 — Longer timelines: DPDP allows 90 days (vs GDPR's 1 month) for access and correction/erasure. This is more generous for organisations.

Difference 2 — No data portability: GDPR's Article 20 right to receive data in machine-readable format for transfer has no DPDP equivalent.

Difference 3 — No right to object: Since DPDP lacks the legitimate interests basis, there is no corresponding right to object to processing on those grounds.

Difference 4 — Nomination (uniquely Indian): Section 14 allows Data Principals to nominate a person to exercise their data rights after death or incapacity. No GDPR equivalent. Organisations must build nomination registration and verification flows.

Difference 5 — Grievance deadline: GDPR has no specific deadline for handling complaints. The DPDP Act's 30-day grievance resolution deadline is more prescriptive and enforceable.

Dimension 6: Children's Data

GDPR

Age of digital consent: 16 (member states may lower to 13). Verifiable parental consent required for online services directed at children. Verification approach varies by member state.

DPDP Act

Age threshold: 18. Verifiable parental consent via government-recognised verification — DigiLocker or Aadhaar-based OTP. Explicit prohibition on tracking/behavioural advertising for children.

Key differences: Higher age threshold (18 vs 16) means more Indian users require parental consent. Verification is stricter — Aadhaar-based verification is specifically referenced. The behavioural advertising prohibition is explicit under DPDP (vs. implied under GDPR's fair processing principles).

Dimension 7: Data Breach Notification

GDPR

  • 72 hours to notify the DPA
  • Data subject notification for high-risk breaches only
  • Low-risk breaches may not require notification

DPDP Act

  • 72 hours to notify the DPBI
  • Data principal notification "as soon as reasonably practicable" — no explicit risk threshold
  • Broader notification obligation appears to apply

Key differences: The 72-hour deadline is shared — your GDPR breach response process transfers directly here. The key difference is the notification threshold: GDPR allows skipping notification for low-risk breaches; DPDP does not include an explicit equivalent threshold. Your breach categorisation criteria will need review.

Dimension 8: Enhanced Obligations for Large / High-Risk Processors

GDPR

  • DPIAs triggered by processing characteristics (Article 35)
  • DPO appointment triggered by processing type (public authorities, large-scale systematic, sensitive data)
  • RoPA required for most organisations
  • No formal designation system

DPDP Act

  • DPIA and DPO triggered by DPBI's SDF designation
  • SDFs also need: independent auditor, algorithm assessments
  • No SDF = no mandatory DPIA or DPO (though still good practice)
  • DPIA register producible for DPBI on request

Key difference: Under GDPR, DPIAs and DPO appointments are triggered by what you do. Under the DPDP Act, they are triggered by the DPBI's formal SDF designation. Organisations waiting for a designation notice before implementing DPIA processes may find themselves significantly behind. Start now.

Dimension 9: Penalties

GDPR

  • Tier 1: €10M or 2% global turnover
  • Tier 2 (consent, rights): €20M or 4% global turnover
  • Meta: €1.2B · Amazon: €746M · WhatsApp: €225M
  • Scales with global revenue — enormous for multinationals

DPDP Act

  • Security safeguards: ₹250 crore
  • Breach notification: ₹200 crore
  • Children's data: ₹200 crore
  • SDF obligations: ₹150 crore
  • Other non-compliance: ₹50 crore
  • Fixed caps — but multiplicable per violation

Key difference: GDPR penalties scale with global turnover — making exposure enormous for large multinationals. DPDP penalties are fixed caps (potentially more manageable in absolute terms), but the per-violation multiplier risk is real. A systematic consent failure affecting millions of users is not a single ₹250 crore penalty — the DPBI could theoretically pursue per-principal violations.

Dimension 10: Enforcement Mechanisms

GDPR

27 EU national Data Protection Authorities. One-stop-shop mechanism. Lead DPA handles cross-border cases. Data subjects can also bring civil claims. Inconsistent enforcement across member states.

DPDP Act

Single body: the Data Protection Board of India (DPBI). Data Principals file complaints directly with the DPBI. Consistent standard; individual complaint model likely to generate higher volumes of smaller cases.

Key difference: The DPBI's individual complaint model (vs. GDPR's DPA investigation model) means enforcement will be case-by-case and evidence-driven at scale. Every consent record you cannot produce will be a liability. The DPBI's single-regulator structure should provide clearer precedent over time than GDPR's 27-DPA inconsistency.

Summary Comparison Table

The full 20-dimension comparison at a glance.

Dimension | GDPR | DPDP Act
--- | --- | ---
Scope | EU-established + global targeting | India digital data + global India targeting
Covers paper records? | Yes | No (digital only)
Legal bases | 6 (incl. legitimate interests) | 2 (consent + specific exemptions)
Consent standard | Freely given, specific, informed, unambiguous | Free, specific, informed, unconditional, unambiguous
Consent proof standard | Documentation of consent | Non-repudiable artifact (hash chain + RSA + TSA)
Notice format | No standalone requirement | Standalone — not bundled in T&Cs
Notice language | Intelligibility only | English + 1 Eighth Schedule language minimum
Rights timeline | 1 month | 90 days (more generous)
Data portability | Yes (Article 20) | No equivalent
Right to object | Yes (legitimate interests) | No equivalent
Nomination right | No | Yes — Section 14
Children age threshold | 16 (13–16 by member state) | 18
Age verification | Varies by member state | Aadhaar / DigiLocker referenced
Breach deadline | 72 hours to DPA | 72 hours to DPBI
Breach risk threshold | High-risk threshold applies | No explicit threshold
DPO requirement | Processing-characteristic based | SDF-designation based
DPIA requirement | Processing-characteristic based | SDF-designation based
Max penalty | 4% of global turnover (Tier 2) | ₹250 crore per violation
Enforcement body | 27 national DPAs | Single DPBI
Complaint model | Supervisory authority investigation | Individual Data Principal complaints

What GDPR-Compliant Organisations Must Do Differently for DPDP

Must Build New — Cannot Transfer from GDPR

1. Standalone multilingual notices in English + Indian languages. Your GDPR notices cannot be adapted — different format, different content architecture, different language requirements.
2. Non-repudiable consent records — SHA-256 hash chain + RSA-2048 signature + RFC 3161 TSA token on every consent event. GDPR does not require this level of cryptographic proof.
3. Nomination registration and workflow — the Section 14 right to nominate a person to exercise data rights has no GDPR equivalent. Build nomination capture, verification, and execution flows.
4. Consent propagation logging per Rule 4(5) — tracking downstream system notification with delivery confirmation. GDPR does not prescribe this level of propagation documentation.
5. Legitimate interests reclassification — identify every processing activity running on GDPR's legitimate interests basis and reclassify for India: consent, specific Section 7 exemption, or discontinue.
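Added example (not code from this post or from Vishwaas AI): a minimal Go version of the hash-chained, RSA-signed consent artifact that Dimension 3 and item 2 above describe, with one purpose per event and the exact notice text bound into the record so a later rewrite of the notice, a deleted record or a record signed by someone else fails verification. The record schema, field names and the PKCS#1 v1.5 signature choice are assumptions; the RFC 3161 timestamp token is not implemented here, since it needs a request to a TSA, and would be obtained over each artifact's digest and stored alongside the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ConsentEvent is one purpose-specific consent decision (a constructed schema, not the platform's).
type ConsentEvent struct {
	PrincipalID, Purpose, Decision, NoticeText string   // one purpose per event; NoticeText is the exact text shown
	At                                         string   // decision time, RFC 3339 UTC (an RFC 3161 TSA token would attest it)
	PrevHash, Hash                             [32]byte // SHA-256 of the previous artifact (zero for the first) and of this one
	Signature                                  []byte   // RSA PKCS#1 v1.5 signature over this artifact's digest
}
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// canonical serialises the hashed fields; PrevHash is included so each artifact binds its predecessor.
func canonical(e ConsentEvent) []byte {
	return []byte(fmt.Sprintf("%s\x1f%s\x1f%s\x1f%s\x1f%s\x1f%x",
		e.PrincipalID, e.Purpose, e.Decision, e.NoticeText, e.At, e.PrevHash))
}
// Append links e to the chain head, hashes it and signs the digest with the fiduciary's key.
func Append(chain []ConsentEvent, e ConsentEvent, key *rsa.PrivateKey) ([]ConsentEvent, error) {
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = sha256.Sum256(canonical(e))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, e.Hash[:])
	if err != nil {
		return chain, err
	}
	e.Signature = sig
	return append(chain, e), nil
}
// Verify recomputes every digest and checks each link and signature, so any later edit, deletion or reordering is detected.
func Verify(chain []ConsentEvent, pub *rsa.PublicKey) error {
	var prev [32]byte
	for i, e := range chain {
		if e.PrevHash != prev || sha256.Sum256(canonical(e)) != e.Hash {
			return fmt.Errorf("event %d: chain broken or record altered", i)
		}
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, e.Hash[:], e.Signature); err != nil {
			return fmt.Errorf("event %d: signature invalid", i)
		}
		prev = e.Hash
	}
	return nil
}
```

Producing an artifact on demand then means exporting the event plus its signature and the preceding digest, which a reviewer can recompute without trusting the database it came from.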

Can Reuse — With Adaptation

1. Consent management mechanisms — adapt for DPDP's unconditional/non-bundled standard and the non-repudiation requirements
2. Rights request workflows — categories broadly similar; adjust timelines (90 days vs 1 month), identity verification methods, and erasure orchestration
3. Breach response playbook — 72-hour deadline is identical; revise notification scope and principal notification threshold
4. Vendor DPA programme — DPA templates need India-specific provisions; propagation log requirements; erasure orchestration
5. DPO function — if you have a GDPR DPO, they can serve as India DPO; note they must be based in India if you are designated as an SDF

Conclusion: Parallel Compliance Is Achievable with the Right Architecture

Organisations that have invested in GDPR compliance have a significant head start on DPDP. The privacy-by-design mindset, rights management processes, and vendor oversight framework all transfer.

But DPDP has three requirements that GDPR-compliant programmes typically lack: multilingual notice delivery in Indian languages, cryptographically non-repudiable consent records, and real-time consent propagation logging. These are not incremental upgrades to existing infrastructure — they require new capabilities.

The organisations that will achieve efficient dual-framework compliance are those that build a single privacy operations platform handling both GDPR and DPDP requirements — with India-specific features built alongside GDPR capabilities, not as an afterthought.

This blog post is for informational purposes only and does not constitute legal advice. Engage qualified legal and compliance counsel for specific regulatory guidance. © 2026 Cross Identity / IdentityPlus Pvt. Ltd. All rights reserved.

About Vishwaas AI

India's DPDP Act compliance platform — purpose-built with the three capabilities GDPR programmes lack: multilingual notice delivery in 22 Indian languages, cryptographic non-repudiation on every consent record, and real-time propagation logging to every downstream system.