DPDP Act vs GDPR: Key Differences for Businesses Operating in India and Europe
If your business serves customers in both India and Europe, you now have two comprehensive data protection regimes to comply with: the EU's General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023. They are similar in philosophy but different enough in execution that a GDPR-compliant program does not automatically satisfy DPDP requirements.
I have helped four companies navigate dual-compliance programs. The most common mistake is assuming DPDP is "basically GDPR for India." It is not. This comparison highlights the differences that actually matter for implementation.
Key Takeaways
- GDPR's "legitimate interest" legal basis does not exist under DPDP. This is the single most impactful difference for businesses.
- DPDP sets the children's data age threshold at 18, compared to GDPR's 16 (with national options down to 13).
- DPDP penalties are capped per violation type (max ₹250 crore). GDPR penalties scale with global revenue (4% of annual turnover).
- DPDP does not distinguish between "sensitive" and "ordinary" personal data. GDPR does.
- DPDP does not include a right to data portability. GDPR does.
The Full Comparison
| Feature | DPDP Act 2023 (India) | GDPR (EU) |
|---|---|---|
| Enacted | August 2023, full enforcement May 2027 | May 2018 |
| Scope | Digital personal data only | All personal data (digital and physical) |
| Territorial reach | India + offshore entities serving Indian consumers | EU + entities targeting/monitoring EU residents |
| Legal bases for processing | Consent + enumerated "legitimate uses" (Section 7) | 6 bases: consent, contract, legal obligation, vital interests, public interest, legitimate interest |
| Legitimate interest | ❌ Does not exist | ✅ Available (requires balancing test) |
| Sensitive data | No separate category | Special categories with heightened protections |
| Consent withdrawal | Must be as easy as giving consent | Must be as easy as giving consent |
| Right to access | ✅ Included | ✅ Included |
| Right to correction/erasure | ✅ Included | ✅ Included |
| Right to data portability | ❌ Not included | ✅ Included (Article 20) |
| Right to object to processing | ❌ Not separately defined | ✅ Included (Article 21) |
| DPO requirement | Only for Significant Data Fiduciaries | Required for most large-scale processors |
| Breach notification | 72 hours to DPBI + affected individuals | 72 hours to supervisory authority |
| Maximum penalty | ₹250 crore per violation type | 4% of global annual turnover or €20M |
| Enforcement body | Data Protection Board of India (adjudicatory only) | Supervisory Authorities (regulatory + adjudicatory) |
| Cross-border transfers | Allowed except to restricted countries (list TBD) | Restricted by default, requires adequacy or safeguards |
| Children's age threshold | 18 years | 16 years (member states may lower to 13) |
| Data processor obligations | Via contract with Data Fiduciary | Direct obligations under GDPR |
The Five Differences That Actually Affect Implementation
1. No Legitimate Interest Under DPDP
This is the single most operationally significant difference. Under GDPR, many businesses rely on Article 6(1)(f) - legitimate interest - to process personal data without explicit consent. Common uses include fraud detection, direct marketing to existing customers, and analytics.
The DPDP Act does not recognise legitimate interest. Section 7 provides a closed list of "legitimate uses" (employment, medical emergencies, legal compliance, etc.), and your processing must fall within one of these categories or you need consent.
Practical impact: If your current data processing relies on GDPR legitimate interest assessments, those activities will require explicit consent under DPDP. This typically affects analytics, remarketing, and CRM workflows.
2. No Sensitive Data Category Under DPDP
GDPR Article 9 creates special categories of personal data - health records, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation - that receive heightened protections and require additional legal grounds for processing.
The DPDP Act treats all personal data equally. Health data, financial data, and email addresses receive identical protection under the Act. There is no lighter regime for basic contact information and no heavier one for health records.
Practical impact: This actually simplifies DPDP compliance compared to GDPR. You do not need to maintain separate processing inventories or apply different consent mechanisms based on data sensitivity. However, businesses processing health or financial data should still apply enhanced security given the practical risk, even if the law does not mandate differentiated treatment.
3. Penalty Structure
GDPR penalties scale with company size: up to 4% of global annual turnover or €20 million, whichever is higher. This means a company with €10 billion in revenue faces potential fines of €400 million.
DPDP penalties are fixed caps per violation type: ₹250 crore (approximately €27 million) is the absolute maximum for a single category of violation. For smaller companies, DPDP's capped structure may actually represent a higher proportional risk than GDPR. For global enterprises, it represents a lower ceiling.
The DPDP Act penalty is per violation, not per incident. A company with systemic failures across multiple categories could face cumulative penalties exceeding any single cap.
4. Children's Data
GDPR sets the age threshold at 16, with member states having the option to lower it to 13. The DPDP Act sets it at 18 with no flexibility.
Under DPDP Section 9, processing children's data requires verifiable parental consent. Additionally, the Act explicitly prohibits tracking, behavioural monitoring, and targeted advertising directed at children - prohibitions that go beyond GDPR's requirements.
Practical impact: Any service used by people under 18 in India (social media, gaming, educational platforms) needs robust age verification and parental consent mechanisms. Companies that currently set their age gates at 13 or 16 under GDPR must raise them to 18 for Indian users.
5. Cross-Border Data Transfers
GDPR restricts transfers by default: data can only leave the EU if the destination country has an adequacy decision, or the transfer is covered by Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism.
The DPDP Act inverts this approach under Section 16(1): data can be transferred to any country except those on a restricted list published by the Central Government. As of March 2026, this restricted list has not been published, meaning transfers are currently unrestricted.
Practical impact: For now, cross-border transfers are easier under DPDP than GDPR. But businesses should build architectural flexibility to restrict flows if specific countries are added to the restricted list.
What Dual-Compliance Actually Requires
If you are already GDPR-compliant, achieving DPDP compliance is not starting from scratch - but it is not a checkbox exercise either. Here is what needs additional work:
Gap Analysis Checklist
- Audit your legitimate interest processing. Every activity currently justified under GDPR Article 6(1)(f) needs a DPDP-compliant legal basis. This usually means switching to consent or confirming it falls within Section 7's enumerated legitimate uses.
- Review consent mechanisms. DPDP requires consent to be "free, specific, informed, unconditional, and unambiguous" - similar to GDPR but with "unconditional" as an additional requirement. Bundled consent (accepting cookies as a condition for accessing content) is explicitly non-compliant under DPDP.
- Update children's data flows. Raise any age verification thresholds from 13/16 to 18 for Indian users. Implement verifiable parental consent if you do not have it already.
- Implement DPBI breach notification. Your existing GDPR breach notification process targets the relevant EU supervisory authority. Under DPDP, breaches must be reported to the Data Protection Board of India within 72 hours, and affected individuals must also be notified directly.
- Remove data portability from your Indian obligations. DPDP does not require data portability. You can simplify your Indian DSR portal to exclude this right, reducing engineering overhead.
- Prepare Indian consent records. DPDP consent records have their own requirements that may differ from your GDPR records. See our guide to consent record-keeping for what to log.
- Appoint a DPO (if applicable). If you are designated as a Significant Data Fiduciary, you must appoint a DPO based in India - not your existing EU-based DPO.
The Bottom Line
GDPR compliance gives you roughly 70% of what you need for DPDP compliance. The remaining 30% is where the laws meaningfully diverge: legitimate interest, children's data thresholds, the penalty structure, and enforcement mechanics.
The most dangerous assumption is that dual compliance is automatic. It is not. But with a structured gap analysis and targeted adjustments, most GDPR-compliant organisations can achieve DPDP readiness in three to six months.
Frequently Asked Questions
If I am GDPR-compliant, am I automatically DPDP-compliant?
No. While GDPR compliance provides a strong foundation, there are material gaps: the absence of legitimate interest as a legal basis, the higher children's data age threshold (18 vs 16), and India-specific reporting obligations to the DPBI. A gap analysis is essential.
Does DPDP apply to my EU-based company if we have Indian customers?
Yes. Section 3 of the DPDP Act has extraterritorial reach: any entity processing personal data of individuals in India in connection with offering goods or services falls within the Act's scope, regardless of where the entity is headquartered.
Which law has stricter penalties - DPDP or GDPR?
It depends on company size. For large multinational companies, GDPR's percentage-of-turnover model typically produces higher potential fines. For small and mid-size companies operating in India, DPDP's fixed caps (up to ₹250 crore / ~€27M) could represent a proportionally larger penalty. Both laws impose penalties per violation, meaning cumulative fines can be substantial.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
ComplyZero handles the complexity for you: consent management, privacy notices in 22 languages, DSR workflows, and audit-ready compliance records. Get your business DPDP-ready in minutes, not months.