If your organisation operates in both India and Europe — or processes data of individuals in either jurisdiction — you need to understand how India's DPDP Act compares to the EU's GDPR. While the two share foundational principles, they differ significantly in scope, enforcement, and operational requirements.
At a Glance: DPDP Act vs GDPR
| Dimension | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Effective Date | Enacted August 2023; implementing rules still being finalised | Effective 25 May 2018 |
| Scope | Digital personal data processed in India or relating to offering goods/services to individuals in India | Personal data of EU/EEA residents, regardless of where processing occurs |
| Data Covered | Digital personal data only (excludes offline/non-digitised data) | All personal data — digital and non-digital |
| Enforcement Body | Data Protection Board of India (DPBI) | Supervisory Authorities in each EU member state |
Scope and Applicability
The GDPR has a deliberately broad scope: it applies to any organisation worldwide that processes personal data of EU/EEA residents. The DPDP Act, by contrast, is narrower in two important ways. First, it only covers digital personal data — so paper records and offline data are excluded unless they are subsequently digitised. Second, it applies to processing within India or where goods/services are offered to individuals in India, making its extraterritorial reach more focused than GDPR's.
Consent Requirements
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Lawful Bases | Consent and "certain legitimate uses" (e.g., voluntarily provided data, state functions, employment, medical emergencies) | Six lawful bases including consent, legitimate interest, contractual necessity, legal obligation, vital interests, and public task |
| Consent Standard | Free, specific, informed, unconditional, unambiguous, with clear affirmative action | Freely given, specific, informed, unambiguous indication of wishes |
| Withdrawal | Right to withdraw at any time; must be as easy as giving consent | Right to withdraw at any time; must be as easy as giving consent |
| Consent Manager | Introduces a formal "Consent Manager" role — a registered intermediary for managing consent across fiduciaries | No equivalent concept; consent is managed directly between controller and data subject |
A notable difference: GDPR provides six lawful bases for processing, with "legitimate interest" being heavily used by organisations. The DPDP Act does not include a general legitimate interest basis; instead, it defines specific "certain legitimate uses" that are narrower in scope.
Data Subject / Data Principal Rights
| Right | DPDP Act | GDPR |
|---|---|---|
| Right of Access | Summary of personal data and processing activities | Full copy of personal data and detailed processing information |
| Right to Correction | Yes | Yes (Right to Rectification) |
| Right to Erasure | Yes | Yes (Right to be Forgotten) |
| Right to Portability | Not included | Yes — data in structured, machine-readable format |
| Right to Restrict Processing | Not included | Yes |
| Right to Object | Not included | Yes — including right to object to automated decision-making |
| Right to Nominate | Yes — can nominate a person to exercise rights in case of death or incapacity | Not included |
| Grievance Redressal | Explicit right to grievance redressal from the Data Fiduciary | Right to lodge a complaint with a Supervisory Authority |
The GDPR provides a broader set of individual rights, including data portability and the right to object. The DPDP Act is simpler but introduces a unique "Right to Nominate" that GDPR does not have.
Breach Notification
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Notify Authority | Required — notify Data Protection Board of India | Required — notify Supervisory Authority within 72 hours |
| Notify Individuals | Required — notify each affected Data Principal | Required only if the breach results in a high risk to the rights and freedoms of individuals |
| Timeline | "Without undue delay" — specific timeline to be prescribed in rules | 72 hours for authority; "without undue delay" for individuals |
A key difference: under the DPDP Act, notification to affected individuals is mandatory for every breach, whereas GDPR only requires individual notification when there is a high risk. This makes the DPDP Act stricter in this regard.
Cross-Border Data Transfers
The two regimes take fundamentally different approaches to cross-border transfers:
- DPDP Act: Uses a "negative list" approach — data can be transferred to any country except those explicitly restricted by the Central Government. This is simpler and more permissive by default.
- GDPR: Uses an "adequacy" approach — data can only be transferred freely to countries deemed adequate by the European Commission. For all other countries, organisations must implement Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved mechanisms.
Penalties Compared
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Maximum Penalty | ₹250 crore (~€28 million) per instance | €20 million or 4% of global annual turnover, whichever is higher |
| Calculation | Fixed maximum amounts per type of violation | Percentage of global turnover — scales with company size |
| Criminal Liability | No — purely civil/administrative | No at EU level, but member states may impose criminal penalties |
DPO Requirements
Under the DPDP Act, only Significant Data Fiduciaries (SDFs) are required to appoint a Data Protection Officer, and the DPO must be based in India. Under GDPR, a DPO is required for public authorities, organisations involved in large-scale systematic monitoring, and organisations processing special categories of data at scale — with no geographic residency requirement.
Key Takeaways for Multi-Jurisdictional Organisations
- GDPR compliance does not equal DPDP compliance. While there is significant overlap, the DPDP Act has unique requirements — such as the Consent Manager concept, mandatory breach notification to all affected individuals, and the nomination right — that GDPR does not cover.
- Build a unified compliance framework. Rather than treating each regulation in isolation, create a single privacy programme that maps controls to both GDPR and DPDP Act requirements simultaneously.
- Choose tools that support multiple regulations. A platform like DataCrux.ai is designed to handle DPDP Act, GDPR, and other regulations from a single interface — reducing duplication and operational overhead.
- Don't assume the DPDP Act is "lighter" than GDPR. In some areas — like breach notification and children's data — the DPDP Act is actually stricter. Treat it with the same rigour.