Explainer 8 min read · 5 January 2026

DPDP vs GDPR: Key Differences Every Indian Business Must Know

India's DPDP Act 2023 and Europe's GDPR are both data protection laws — but they differ significantly in scope, penalties, and obligations. Here's the complete comparison.

If your business already complies with GDPR — or if you're trying to understand DPDP by reference to GDPR — you need to know where the two laws align and, more importantly, where they diverge. This guide covers the critical differences.

High-Level Comparison

Both laws share the same foundational philosophy: individuals have rights over their personal data, and businesses have obligations. But the implementation differs substantially.

1. Legal Basis for Processing

GDPR: Recognizes six legal bases for processing personal data — consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most businesses rely on "legitimate interests" as their primary basis, which doesn't require explicit consent.

DPDP Act: Recognizes only two legal bases — consent and "legitimate uses" (Section 7). Legitimate uses are narrowly defined: employment, state functions, healthcare emergencies, and a small number of other specific situations. For most commercial processing, you need explicit consent. There is no broad "legitimate interests" basis comparable to GDPR.

Impact for businesses: If you're GDPR-compliant using legitimate interests as your legal basis for marketing or analytics, that approach won't work under DPDP. You'll need explicit consent from Indian customers for most processing activities.

2. Penalty Structure

GDPR: Tiered penalties of up to €10 million or 2% of global annual turnover (whichever is higher) for lower-tier violations, and up to €20 million or 4% of global annual turnover for higher-tier violations. Turnover-based — larger companies face larger fines.

DPDP Act: Fixed rupee amounts per violation category — ₹50 Crore, ₹200 Crore, or ₹250 Crore depending on the type of violation. Not turnover-based — the same maximum applies regardless of company size.

Impact: For large multinationals, GDPR penalties can be far larger (Meta's €1.2 billion fine, for example). But for a small Indian SMB, a proportional DPDP penalty of even ₹10-20 lakh would be devastating.

3. Data Protection Officer (DPO)

GDPR: Required for public authorities, businesses processing sensitive data at large scale, or businesses engaged in large-scale systematic monitoring.

DPDP Act: Only required for "Significant Data Fiduciaries" designated by the government. Most SMBs will not be required to appoint a DPO.

4. Data Localisation

GDPR: Data can flow freely within the EU/EEA. Transfers outside require adequate safeguards (adequacy decision, Standard Contractual Clauses, etc.).

DPDP Act: The Act empowers the government to restrict cross-border data transfers to specific countries via notification. No such notification has been issued yet. Until it is, cross-border transfers are technically permitted — but watch this space.

5. Sensitive Personal Data

GDPR: Defines "special categories" of sensitive data (health, racial/ethnic origin, political opinions, religious beliefs, biometric data, etc.) with stricter processing rules including explicit consent and legitimate grounds.

DPDP Act: Does not define a separate "sensitive personal data" category. The government can designate certain types of data or certain Fiduciaries as subject to stricter requirements, but no such notification has been issued yet. Health and financial data will likely be notified as requiring additional protections.

6. Children's Data

GDPR: Parental consent required for children under 16 (member states can lower to 13). No blanket prohibition on targeting advertising to children.

DPDP Act (Rule 10): Parental consent required for anyone under 18. Additionally, the Act explicitly prohibits targeting advertising to children and tracking or monitoring their online behaviour. India's higher age threshold (18 vs 16/13) significantly expands the scope.

7. Right to Erasure

GDPR: "Right to be forgotten" — exists but with several exceptions (public interest, scientific research, legal claims, freedom of expression).

DPDP Act: Right to erasure on withdrawal of consent. The exceptions are less developed — the Act gives the government power to define them via rules, but few have been specified to date.

8. Consent Requirements

GDPR: Consent must be freely given, specific, informed, and unambiguous. Bundled consent (one tick for everything) is generally not permitted.

DPDP Act: Consent must be free, informed, specific, and unconditional, which closely mirrors the GDPR standard. One notable difference: the Act requires that a consent notice be provided before or at the time of collection — not buried in terms and conditions.

If You're Already GDPR-Compliant

GDPR compliance gives you a head start — your data mapping, consent processes, and privacy notices are likely more mature than most. But you will still need to:

  • Review your legal basis for processing — legitimate interests won't cover most activities under DPDP
  • Update consent notices to meet DPDP's specific requirements
  • Build a process for the DPDP-specific 72-hour breach notification to the Indian DPB
  • Audit your children's data practices against India's stricter under-18 rules
