Compliance 9 min read April 03, 2026

DPDPA vs GDPR: Key Differences Every Indian Business Must Know

Noesiss Consulting Team
Expert Contributor

When India's DPDPA was passed in 2023, a common assumption spread quickly through corporate legal and compliance teams: "If we are already GDPR compliant, we are covered."

This assumption is understandable. GDPR, the European Union's General Data Protection Regulation, is the most widely studied data protection law in the world. Indian businesses that serve European customers, or that have European operations, have invested heavily in understanding and implementing it. Naturally, they looked at DPDPA and saw familiar language. Data principals instead of data subjects. Data fiduciaries instead of data controllers. Consent, notices, rights, penalties.

But the resemblance is surface level. Beneath the shared vocabulary, GDPR and DPDPA are built on different philosophies, structured differently, and create different obligations in practice. Treating DPDPA as a lighter version of GDPR will leave Indian businesses with serious blind spots.

This blog breaks down the real differences, in plain terms, so that organisations can build compliance strategies that are specifically calibrated to the Indian legal reality.

GDPR Offers Multiple Grounds. DPDPA Does Not.

One of the most practically significant differences between the two laws is the range of legal bases available for processing personal data.

GDPR gives businesses six lawful grounds. Consent is one. But organisations can also rely on contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests. The legitimate interests ground, in particular, has been widely used by businesses to justify data processing without seeking explicit consent from users.

DPDPA takes a far more restrictive approach. Consent is the primary and default ground for processing personal data. The Act does include a category called "certain legitimate uses", which covers situations like medical emergencies, national security, employment related processing, and compliance with legal obligations. But these are narrowly defined. There is no broad, flexible legitimate interests ground that businesses can invoke whenever they deem it proportionate.

The practical consequence is significant. Indian businesses that process data based on legitimate interests under GDPR will need to review every such instance and determine whether it can be supported under DPDPA's narrower framework. In many cases, the answer will be that explicit consent needs to be obtained.

Scope and Territorial Reach

Both Apply Beyond Borders, But Differently

Both GDPR and DPDPA have extraterritorial reach. Both apply not just within their home jurisdiction but also to organisations outside it, depending on the nature of their activities.

GDPR applies when an organisation, regardless of where it is based, processes the personal data of individuals located in the European Union, particularly when offering goods or services to them or monitoring their behaviour.

DPDPA applies to the processing of digital personal data within India and to processing outside India when it involves personal data of individuals located in India. This means a company based anywhere in the world that offers an app, a website, or a service to Indian users is covered.

The key difference lies in what each law covers. GDPR treats all personal data, digital or physical, as within its scope, excluding only processing for purely personal or household purposes. DPDPA applies only to digital personal data. It does not cover physical records unless they are digitised. This narrower scope is intentional and reflects India's focus on regulating the digital economy specifically.

User Rights Under Each Law

Similar in Spirit, Different in Structure

Both frameworks grant individuals rights over their personal data. The right to access, the right to correction, and the right to erasure exist in both. But the scope and structure differ in important ways.

GDPR includes a right to data portability, which allows individuals to request their data in a structured, machine readable format and transfer it to another service provider. DPDPA does not include an explicit portability right in the current framework.

GDPR also includes a right to object to processing and specific rights related to automated decision making and profiling, including the right not to be subject to a decision based solely on automated processing. DPDPA does not address automated decision making rights in the same way.

On the other hand, DPDPA introduces a specific right for Data Principals to nominate another individual to exercise their rights in the event of their death or incapacity. This is not present in GDPR in the same form.

For businesses, the practical difference is that GDPR compliance systems built around portability or automated decision making rights will not automatically satisfy DPDPA's requirements, and vice versa. The systems need to be reviewed separately.

Governance Structures and Accountability

DPOs vs Significant Data Fiduciaries

GDPR mandates the appointment of a Data Protection Officer for certain categories of organisations. These include public authorities, organisations that carry out large scale systematic monitoring of individuals, and organisations that process special categories of sensitive data on a large scale. The DPO must have expert knowledge of data protection law and report directly to the highest level of management.

DPDPA introduces a different concept: Significant Data Fiduciaries. This is a category that the government can designate based on factors such as the volume of personal data processed, the sensitivity of the data, the risk to user rights, and the potential impact on national security. Significant Data Fiduciaries face additional obligations including annual Data Protection Impact Assessments, independent audits, appointment of a Data Protection Officer based in India, and stricter controls on cross border data transfers.

For businesses that are not classified as Significant Data Fiduciaries, the governance expectations are lighter. But lighter does not mean absent. Every organisation handling personal data must still have grievance redressal mechanisms, designated contacts for user queries, and internal processes for managing consent, data requests, and breach notifications.

Cross Border Data Transfers

Two Entirely Different Models

This is one of the most practically significant areas of divergence between the two laws.

GDPR operates on an adequacy model. Data can only be transferred from the EU to countries outside the EU if those countries have been determined to provide an adequate level of data protection, or if specific transfer mechanisms such as Standard Contractual Clauses are in place. Building and maintaining cross border transfer compliance under GDPR is a significant operational exercise.

DPDPA takes the opposite approach. The default position is that data transfers outside India are permitted. The government can restrict transfers to specific countries through a notification, creating a negative list. As of now, that list has not been published, which means transfers are currently unrestricted. However, Significant Data Fiduciaries may face additional restrictions if the government mandates that specific categories of data must remain within India.

This creates a more flexible environment for most businesses but introduces uncertainty because the restricted country list may evolve. Organisations with large cross border data flows need to monitor these developments closely and build flexibility into their data transfer agreements.

How Penalties Are Calculated

Different Scales, Different Factors

GDPR is known for its penalty structure. Fines can reach up to 4 percent of global annual turnover or 20 million euros, whichever is higher. European data protection authorities have issued penalties in the hundreds of millions of euros to large technology companies.

DPDPA's penalties are structured differently. They are capped at fixed rupee amounts rather than calculated as a percentage of turnover. The maximum penalty is Rs 250 crore for the most serious violations, such as inadequate security safeguards leading to a data breach. Other violations carry lower caps, ranging from Rs 10,000 for individuals to Rs 200 crore for breaches involving children's data. The Data Protection Board of India considers factors like the nature and gravity of the violation, whether it was repeated, what harm resulted, and what steps the organisation took to mitigate that harm.

For large global corporations, GDPR fines can be far more financially damaging than DPDPA penalties. But for mid sized and smaller Indian businesses, the Rs 250 crore ceiling is a genuinely serious number, and the reputational damage that accompanies enforcement action can be far more costly than the fine itself.

Way Forward

The starting point for any Indian business is not to ask whether GDPR compliance covers DPDPA. It does not. The starting point is to treat DPDPA as a distinct legal framework requiring its own compliance programme.

If your organisation already has a GDPR programme, that is a useful foundation. The data mapping, privacy notice practices, and breach notification protocols you have built will translate. But you will need to review your legal bases for processing and remove or rebuild any that rely on legitimate interests grounds that do not have a parallel in DPDPA. You will need to verify that your consent mechanisms meet the specific, affirmative, and withdrawable standards that Indian law requires. And you will need to establish a grievance mechanism that is accessible to Indian users.

If your organisation does not have a GDPR programme, the task is larger but not insurmountable. Focus first on data mapping, then on consent architecture, then on user rights processes. These three areas cover the core of what DPDPA requires.

In both cases, the phased implementation timeline that runs through May 2027 gives organisations time to build properly rather than rush. Use that time deliberately.

Conclusion

DPDPA and GDPR share a common goal: protecting the personal data of individuals and holding organisations accountable for how they use it. But they approach that goal differently, reflect different policy priorities, and create different operational requirements.

For Indian businesses, the risk of treating DPDPA as simply a regional version of GDPR is real. The gaps in consent architecture, the absence of certain user rights, the different approach to cross border transfers, and the consent centric processing model all require specific attention.

Understanding the differences is not just a compliance exercise. It is the foundation for building a data governance programme that is genuinely fit for purpose in the Indian market.
