Why GDPR Compliance Doesn't Mean DPDP Compliance
If your company is already GDPR-compliant, you might assume you're covered for India's DPDP Act. You'd be wrong.
While the DPDP Act draws inspiration from GDPR, it diverges in several critical areas — sometimes being stricter than GDPR, and sometimes taking a fundamentally different approach.
Companies that try to retrofit their GDPR compliance programme for India will find gaps. Here are the 10 most important differences.
1. Breach Notification: 6 Hours vs 72 Hours
GDPR: Notify the supervisory authority within 72 hours of becoming aware of a breach.
DPDP Act: Notify CERT-In within 6 hours of discovery. Notify the Data Protection Board within 72 hours. Notify affected individuals without unreasonable delay.
This is the single biggest difference. GDPR gives you a long weekend. The DPDP Act gives you a morning. You cannot handle a 6-hour notification requirement with manual processes — you need pre-built templates, automated workflows, and a tested incident response plan.
Impact: Companies need automated breach detection and notification systems specifically calibrated for Indian deadlines.
2. Children's Age Threshold: 18 vs 16
GDPR: Children are defined as under 16 (member states can lower to 13).
DPDP Act: Children are defined as under 18. No flexibility.
This two-year difference is massive. A 17-year-old college student in India is a "child" under the DPDP Act. For EdTech, gaming, social media, and e-commerce companies, this dramatically expands the scope of strict children's data provisions.
Additionally, the DPDP Act absolutely bans tracking, behavioural monitoring, and targeted advertising for children. GDPR has restrictions but not an outright ban.
Impact: Any platform with users aged 16-17 needs verifiable parental consent under DPDP — something GDPR doesn't require.
3. Penalty Structure: Fixed Cap vs Revenue Percentage
GDPR: Up to €20 million or 4% of global annual turnover, whichever is higher.
DPDP Act: Fixed maximum penalties per violation type (Rs 50 crore to Rs 250 crore). No revenue-based calculation.
This means the DPDP Act's penalties hit smaller companies disproportionately harder. A Rs 250 crore fine might be 0.1% of TCS's revenue but 10x the annual revenue of a mid-size startup.
However, GDPR penalties are effectively uncapped for large companies (4% of Google's revenue runs to billions). The DPDP Act's Rs 250 crore cap actually protects the largest enterprises.
Impact: Mid-market Indian companies face relatively higher penalty exposure under the DPDP Act than under GDPR.
4. Legal Basis for Processing: Simplified vs Complex
GDPR: Six legal bases — consent, contract, legal obligation, vital interests, public interest, legitimate interests.
DPDP Act: Two primary bases — consent and legitimate uses (Section 7). Legitimate uses include: performance of a contract, compliance with law, medical emergencies, employment, and state functions.
The DPDP Act notably does not include "legitimate interests" as a legal basis — the most frequently (and controversially) used basis under GDPR. This means Indian companies must rely more heavily on explicit consent.
Impact: Companies that process data under GDPR's "legitimate interests" need to obtain explicit consent for the same processing under the DPDP Act.
5. Cross-Border Transfers: Negative List vs Adequacy
GDPR: Transfers allowed to "adequate" countries (positive list) or with Standard Contractual Clauses (SCCs) / Binding Corporate Rules (BCRs).
DPDP Act: Transfers allowed to all countries except those the Central Government restricts (negative list). No SCCs or BCRs required.
This is actually more permissive than GDPR. Until the government publishes a restricted countries list, cross-border transfers are effectively unrestricted. However, this could change overnight — the government can add countries to the restricted list at any time.
Impact: Currently easier than GDPR, but uncertain. Companies should document their cross-border data flows now to prepare for potential restrictions.
6. DPO Requirement: SDFs Only vs Mandatory for Many
GDPR: Mandatory DPO for public authorities, companies doing large-scale systematic monitoring, or large-scale processing of sensitive data.
DPDP Act: A Data Protection Officer (DPO) is required only for Significant Data Fiduciaries (SDFs) — designated by the government based on volume, sensitivity, and risk.
Most mid-market companies won't be designated as SDFs, meaning they're not required to appoint a DPO. However, having one is still best practice.
Impact: Lower compliance overhead for smaller companies compared to GDPR.
7. Individual Rights: Fewer but Stricter
GDPR: Eight rights — access, rectification, erasure, portability, restriction, objection, rights relating to automated decision-making, and the right not to be subject to profiling.
DPDP Act: Four core rights — access, correction, erasure, grievance redressal. Plus a unique right: nomination (appoint someone to exercise rights after death).
The DPDP Act has fewer rights but enforces them more strictly. The 7-day fulfilment SLA is shorter than GDPR's 30-day standard (extendable to 90 days).
Impact: Faster response required, but fewer categories of requests to handle.
8. Consent Managers: Unique to India
GDPR: No concept of a registered consent intermediary.
DPDP Act: Introduces "Consent Managers" — registered entities that serve as intermediaries between Data Principals and Data Fiduciaries for consent management.
Consent Managers must be registered with the Data Protection Board, incorporated in India, and meet prescribed technical standards. This creates a new category of regulated infrastructure that doesn't exist under GDPR.
Impact: Foreign consent management platforms (OneTrust, TrustArc) cannot register as Consent Managers in India. This creates an opportunity for Indian-built platforms.
9. Sensitive Data: No Special Category
GDPR: Defines "special categories" of data (health, biometric, genetic, racial, political, religious, sexual orientation) with stricter processing requirements.
DPDP Act: Does not distinguish between regular and sensitive personal data. All personal data gets the same level of protection.
This simplifies compliance (no need to classify data sensitivity) but also means health data and email addresses get the same legal treatment.
Impact: Simpler data classification, but companies processing health or biometric data may find the DPDP Act's protections less specific than GDPR's.
10. Enforcement Body: New Board vs Established Authorities
GDPR: Enforced by established Data Protection Authorities (DPAs) in each EU member state, many with decades of experience.
DPDP Act: Enforced by the Data Protection Board of India (DPB) — a new body that hasn't been constituted yet. Adjudication is purely digital.
The DPB's approach is still unknown. Will they be aggressive like Ireland's DPC (which fined Meta €1.2 billion) or lenient? The digital-first adjudication process suggests efficiency, but the lack of precedent creates uncertainty.
Impact: Enforcement patterns won't be clear until the Board is operational and delivers its first rulings. Companies should prepare for strict enforcement as a precaution.
Summary: Where India Is Stricter
| Aspect | GDPR | DPDP Act | Stricter? |
|---|---|---|---|
| Breach notification | 72 hours | 6 hours (CERT-In) | India |
| Children's age | 16 (can be 13) | 18 (fixed) | India |
| Consent withdrawal | "As easy as giving" | "As easy as giving" | Same |
| Data request response | 30 days | 7 days | India |
| Legal bases | 6 bases | 2 bases (no legitimate interests) | India |
| Cross-border transfers | Restricted | Open (negative list) | GDPR |
| Sensitive data categories | Yes | No | GDPR |
| DPO requirement | Broad | SDFs only | GDPR |
Bottom line: GDPR compliance gives you a head start, but it's not enough. You need India-specific controls for breach notification, children's data, and consent management.