Introduction
If your organisation already complies with the EU General Data Protection Regulation (GDPR), you might assume that India’s Digital Personal Data Protection Act, 2023 (DPDP Act) requires only minor adjustments.
That assumption is risky.
While DPDP draws philosophical inspiration from GDPR — focusing on individual rights, consent standards, and accountability — it differs in several structurally important ways. In some areas, DPDP is stricter. In others, it is more flexible. In a few, it introduces entirely new compliance concepts.
Treating GDPR compliance as equivalent to DPDP compliance is one of the most common mistakes organisations are making.
This guide explains the key differences Indian and multinational businesses must understand.
Shared Philosophy, Different Architecture
Both laws are built on a common foundation:
- Individuals have a right to privacy
- Organisations must process data responsibly
- Transparency is mandatory
- Breaches must be reported
- Regulators have enforcement powers
However, the operational mechanics differ significantly.
Understanding those differences is critical for compliance planning.
Scope of Personal Data
GDPR
Covers personal data in all forms — digital, paper-based, or otherwise.
A handwritten visitor register is regulated.
DPDP Act
Covers digital personal data only — including:
- Data collected digitally
- Data collected offline but later digitised
Purely paper-based records that are never digitised fall outside its scope.
Practical Impact
In reality, most organisations digitise data. Once digitised — even by scanning — the DPDP Act applies.
The distinction mainly affects legacy paper-based systems that remain fully manual.
Sensitive or Special Category Data
GDPR
Defines explicit “special categories” of personal data, including:
- Health data
- Biometric data
- Genetic data
- Religious beliefs
- Political opinions
- Sexual orientation
- Trade union membership
Processing such data requires an Article 9 legal basis.
DPDP Act
Does not formally classify “sensitive personal data” as a separate legal category.
Instead:
- Higher-risk processing may trigger designation as a Significant Data Fiduciary (SDF)
- Children’s data carries enhanced obligations
- The Government may notify specific categories for additional protection
Practical Impact
Under DPDP, risk-based compliance replaces categorical classification. However, biometric and health data remain high-risk areas and must be handled cautiously.
Legal Bases for Processing
GDPR
Provides six lawful bases:
- Consent
- Contractual necessity
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
The legitimate interests basis is widely used in Europe.
DPDP Act
Provides two primary bases:
- Consent
- Legitimate Use (a limited list under Section 7)
Legitimate Use includes:
- Employment-related processing
- Contractual necessity
- Legal compliance
- Government functions
- Medical emergencies
- Public interest situations
There is no general “legitimate interests” balancing test.
Why This Matters
Under GDPR, marketing analytics, fraud detection, or internal analytics often rely on legitimate interests.
Under DPDP, if processing does not fall within a specific Legitimate Use category, consent is required.
This makes DPDP more restrictive in practice.
Consent Requirements
Both laws require consent to be:
- Free
- Specific
- Informed
- Unambiguous
However, DPDP adds a notable element: consent must be unconditional.
Bundled consent tied to service access — where not strictly necessary — is problematic.
DPDP also mandates:
- A standalone privacy notice
- Clear explanation of purpose
- Clear withdrawal mechanism
- Availability in English or any of the 22 languages listed in the Eighth Schedule to the Constitution of India
GDPR imposes no comparable requirement to offer notices in a constitutionally specified set of languages.
Breach Reporting: A Major Difference
This is one of the strictest areas under DPDP.
GDPR
- Must report within 72 hours
- Only if the breach poses risk to individuals’ rights and freedoms
- Minor incidents may not require notification
DPDP Act
- All personal data breaches must be reported
- No materiality threshold
- Initial intimation without delay
- Full report within 72 hours
- Affected individuals must be informed
In parallel, India’s CERT-In rules require certain cyber incidents to be reported within 6 hours.
Operational Implication
Indian incident response must follow:
- A 6-hour CERT-In clock
- A 72-hour Data Protection Board of India (DPBI) clock
- Mandatory individual notifications
Your GDPR materiality filter cannot be reused for DPDP.
Data Retention
GDPR
Data must be retained only as long as necessary for purpose.
Retention periods are controller-defined and documented.
DPDP Act
Requires deletion once purpose is served.
Additional requirements may include:
- Advance notice before erasure (for specified large platforms)
- Mandatory retention of processing logs for one year
- Inactivity-based deletion timelines for certain platforms
DPDP introduces procedural specificity beyond GDPR’s principle-based approach.
Data Portability
GDPR
Includes a right to data portability (Article 20).
Individuals can receive structured, machine-readable exports and transfer data to another provider.
DPDP Act
Does not include a portability right.
Rights include:
- Access
- Correction
- Erasure
- Grievance redressal
- Nomination
- Withdrawal of consent
Portability is not mandated.
Consent Managers
This concept is unique to DPDP.
Consent Managers are:
- Registered entities
- Intermediaries enabling individuals to manage consent across multiple organisations
- Required to maintain records for seven years
- Required to meet minimum capital requirements
GDPR has no equivalent infrastructure layer.
This introduces a new ecosystem in India’s compliance architecture.
Cross-Border Data Transfers
GDPR
Restrictive by default.
Transfers outside the EU require:
- Adequacy decision, or
- Standard Contractual Clauses (SCCs), or
- Binding Corporate Rules (BCRs)
DPDP Act
Permissive by default.
Cross-border transfers are allowed unless the Government restricts specific countries (negative list approach).
As of now, no negative list has been notified.
Strategic Impact
For multinational organisations:
- GDPR remains the stricter regime for transfers
- DPDP simplifies cross-border compliance — at least for now
However, future government notifications could change this landscape.
Penalty Structure
DPDP Act
- Maximum ₹250 crore per violation
- Fixed statutory caps
- Enforced by Data Protection Board of India (DPBI)
GDPR
- Up to 4% of global annual turnover or €20 million
- Turnover-based scaling
- Enforced by EU supervisory authorities
For large multinationals, GDPR fines can exceed DPDP caps.
For Indian SMBs, ₹250 crore is existentially significant.
Side-by-Side Summary
| Dimension | DPDP Act | GDPR |
|---|---|---|
| Scope | Digital data only | All formats |
| Sensitive data category | No formal classification | Explicit Article 9 category |
| Legal bases | Consent + specified Legitimate Uses | Six bases incl. Legitimate Interests |
| Legitimate interests | Not available | Available |
| Breach reporting | All breaches | Risk-based threshold |
| Data portability | Not included | Included |
| Consent Manager | Yes | No |
| Cross-border transfer | Allowed unless restricted | Restricted unless safeguarded |
| Maximum penalty | ₹250 crore | 4% global turnover |
What Organisations Should Do
If you are GDPR-compliant and expanding into India:
- Conduct a DPDP-specific gap assessment
- Re-evaluate reliance on legitimate interests
- Build zero-threshold breach reporting processes
- Review privacy notices for Indian language compliance
- Execute DPDP-aligned data processing agreements (DPAs)
- Monitor future government notifications on transfer restrictions
DPDP is not a clone of GDPR.
It is a distinct legal regime requiring independent implementation.
The Bottom Line
GDPR influenced global privacy standards.
DPDP adapts that model for India — but with its own architecture, stricter breach reporting, narrower legal bases, and unique consent infrastructure.
Organisations operating in India must build for DPDP explicitly.
GDPR alignment is a starting point — not a substitute.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.
Onfra helps Indian enterprises manage visitor, employee, and facility data in compliance with the DPDP Act.