India's Digital Personal Data Protection Act 2023 (DPDP Act) is often described as "India's GDPR." Both laws rest on the same foundation: processing grounded in consent (or a narrow set of other grounds) and enforceable individual rights. But the two differ in ways that matter for any business processing Indian users' data, whether it is based in India or abroad, and treating them as interchangeable leaves gaps under both regimes.
DPDP Act 2023
Digital Personal Data Protection Act — India
Act passed: Aug 2023 | Rules notified: Nov 2025 | Most obligations apply from: May 2027
GDPR 2018
General Data Protection Regulation (EU) 2016/679 — EU/EEA
Applicable since: 25 May 2018 | Fully enforced
Who Should Read This
This guide is essential for: Indian companies with EU customers, EU/global companies with Indian users, businesses building a unified global privacy programme, and compliance teams deciding how to prioritise DPDP vs GDPR efforts.
Side-by-Side: DPDP vs GDPR
| Area | 🇮🇳 DPDP Act 2023 | 🇪🇺 GDPR |
|---|---|---|
| Scope of Data | Digital personal data, including offline data that is later digitised. Purely non-digital records are out of scope. | Personal data processed by automated means, plus manual records that form part of a structured filing system. |
| Lawful Bases for Processing (key difference) | Consent, or one of the closed list of "legitimate uses" in Section 7 (e.g. data volunteered for a stated purpose, employment purposes, medical emergencies, state functions). No open-ended "legitimate interests" basis. | 6 lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. |
| Consent Standard | Free, specific, informed, unconditional and unambiguous, with a clear affirmative action. | Freely given, specific, informed and unambiguous, with a clear affirmative action. |
| Privacy Notice Format (key difference) | Notice must accompany or precede the consent request and be understandable on its own, not buried in T&Cs. Notice and consent request must be offered in English or any language in the Eighth Schedule of the Constitution. | Layered notices permitted and the privacy policy may sit alongside other documents, but a consent request must still be clearly distinguishable from other matters (Art. 7(2)). |
| Individual Rights | Access to information, correction, erasure, grievance redressal, nomination of a representative. | Access, rectification, erasure, restriction, portability, objection, rights around automated decision-making. |
| Data Portability (key difference) | Not included in the Act. | Explicit right to data portability under Article 20. |
| Children's Data Age (key difference) | Under 18 years; verifiable consent of a parent or lawful guardian required. Tracking, behavioural monitoring and targeted advertising aimed at children are prohibited. Stricter than GDPR. | Under 16 years for information-society services offered directly to a child (member states may lower this to 13). |
| Data Protection Officer | Mandatory for Significant Data Fiduciaries only. Must be an individual based in India and the point of contact for grievance redressal. | Mandatory for public bodies and for organisations whose core activities involve large-scale regular monitoring or large-scale special-category data. No statutory location rule; EDPB guidance recommends an EU-based DPO. |
| Breach Notification | Notify each affected Data Principal and the Board without delay; a detailed report to the Board within 72 hours (extendable on written request). | 72 hours to the supervisory authority unless the breach is unlikely to result in risk; individuals without undue delay where the risk to them is high. |
| Cross-border Transfers | Permitted by default. Central Government may restrict transfers to notified countries, and the Rules allow it to require Significant Data Fiduciaries to keep specified categories of data within India. | Restricted to countries with an adequacy decision, or via SCCs, BCRs or an Article 49 derogation. |
| Maximum Penalty (key difference) | Up to ₹250 crore (roughly €27M) per instance, with a fixed ceiling. The Board weighs gravity, duration, repetition and mitigation when setting the amount. | Up to €20 million or 4% of worldwide annual turnover, whichever is higher. |
| SME Exemptions (key difference) | No automatic size-based relief. Section 17(3) lets the Central Government exempt classes of fiduciaries, including startups, from some provisions by notification, but nothing is exempt unless notified. | Records-of-processing duty (Art. 30) relaxed for organisations under 250 employees, unless processing is non-occasional, risky or involves special-category data. |
| Enforcing Authority | Data Protection Board of India (DPBI). | National Data Protection Authorities (DPAs) in each EU member state, coordinated by the EDPB. |
The Six Most Important Differences to Act On
No Legitimate Interests Basis
GDPR allows processing without consent where the controller has a legitimate interest that is not overridden by the data subject's rights. DPDP has no equivalent: processing must rest on consent or on one of the closed list of "legitimate uses" in Section 7 (for example, data the individual volunteered for a stated purpose, employment purposes, or a medical emergency). Audit every processing activity that relies on legitimate interests for EU data and map it to consent or a listed Section 7 use for Indian users; where neither fits, that processing cannot continue for those users.
Standalone Privacy Notice
GDPR permits layered notices and lets the privacy policy sit alongside other documents, as long as consent requests remain clearly distinguishable (Art. 7(2)). DPDP requires the notice to accompany or precede the consent request, to be understandable on its own rather than bundled into T&Cs, and to be offered in English or any of the Eighth Schedule languages. Your GDPR notice is a starting point, but you will need a DPDP-specific version.
Children's Age Threshold is 18
GDPR's age of digital consent is 16, which member states may lower to 13. DPDP treats everyone under 18 as a child and requires verifiable consent from a parent or lawful guardian, one of the highest thresholds in any major data protection law. It also bars tracking, behavioural monitoring and targeted advertising directed at children. Age-gating and guardian-consent flows for Indian users must therefore cover everyone under 18, not only the under-16 group your GDPR programme already handles.
No SME Exemptions
GDPR relaxes the records-of-processing duty for organisations under 250 employees. DPDP has no automatic size-based relief: the same obligations apply to every startup, SME and enterprise unless the Central Government exempts that class by notification under Section 17(3). India-focused startups cannot assume they are too small to comply.
DPO Must Be India-Based
GDPR allows one DPO to serve a whole group of undertakings and sets no location requirement (EDPB guidance recommends an EU base). DPDP requires a Significant Data Fiduciary's DPO to be an individual based in India who is the point of contact for grievance redressal. A global company cannot simply point its EU DPO at India; once it is notified as an SDF it needs a separate India-based appointment.
Fixed vs Turnover-Based Penalties
GDPR's 4%-of-turnover model scales with company size, so it bites hardest on large groups. DPDP's ceiling is a fixed ₹250 crore per instance regardless of turnover, which is proportionately far heavier for an Indian SME or startup. The Board must consider factors such as gravity, duration, repetition and mitigation when fixing the amount, so the maximum is not automatic, but for a ₹10 crore company the exposure is still existential. Compliance is not optional regardless of size.
GDPR Compliance ≠ DPDP Compliance
Being GDPR-compliant gives you a strong foundation, but it does not automatically satisfy DPDP requirements. Key gaps to close: a standalone notice offered in English or an Eighth Schedule language, replacing legitimate-interests reliance with consent or a Section 7 use, raising the child threshold to 18 and removing child tracking and targeted advertising, an India-based DPO once you are notified as a Significant Data Fiduciary, and a breach process that notifies affected individuals and the Board without delay.
Which Should You Prioritise?
If you're an Indian company with EU customers — start with DPDP (domestic law, closer enforcement) and then layer GDPR on top. The two frameworks are complementary.
If you're a global/EU company with Indian users — your GDPR programme is a good starting point. Identify the six differences above and build DPDP-specific compliance on top.
If you're a pure India-focused business — focus exclusively on DPDP. GDPR applies only if you offer goods or services to people in the EU or monitor their behaviour there (Art. 3(2)); a website that is merely reachable from Europe does not trigger it.
Unified Compliance Programme Approach
The most efficient approach for companies operating in both markets is a unified privacy programme with a shared foundation (consent management, data mapping, security controls, breach response) and jurisdiction-specific modules for the DPDP and GDPR differences.
Frequently Asked Questions
Is the DPDP Act the same as GDPR?
Yes, the DPDP Act shares GDPR's core philosophy: consent-based processing and strong individual rights. However, there are key differences: no legitimate interests basis, a stricter children's age threshold (18 vs 16), a mandatory standalone privacy notice, an India-based DPO requirement for Significant Data Fiduciaries, and no data portability right in the current Act.
Does GDPR compliance mean I am DPDP-compliant?
No. GDPR compliance does not automatically satisfy DPDP requirements. While there is significant overlap, the six key differences (legitimate interests basis, notice format, children's age, SME exemptions, DPO location and the penalty model) require specific DPDP-focused action even for GDPR-compliant organisations.
Which law has the bigger penalties?
GDPR's 4% of global turnover can exceed DPDP's ₹250 crore cap for large multinationals (4% of Meta's annual revenue, for example, is far more than ₹250 crore). For Indian SMEs and startups, DPDP's fixed ₹250 crore per instance is the more immediately devastating exposure. Both are serious.