DPDPA vs GDPR: Key Differences for Indian Businesses (2026)
If you have a global SaaS or e-commerce business, you are now juggling two privacy regimes: the EU's GDPR and India's DPDPA 2023. They look similar on the surface but the operational details — lawful bases, transfer rules, fines, and timelines — are very different. This is a practitioner's comparison.
Scope: who and what is covered
GDPR applies to processing of personal data of individuals in the EU/EEA, regardless of where the controller is. It covers structured filing systems, automated processing, and even some manual processing.
DPDPA applies to processing of "digital personal data" within India, and to processing outside India if it relates to offering goods or services to Data Principals within India. Crucially, DPDPA does not cover non-digital data — paper-based records are out of scope. This is a meaningful narrowing compared to GDPR.
Lawful bases for processing
GDPR has six lawful bases (Article 6): consent, contract, legal obligation, vital interests, public task, legitimate interests. The "legitimate interests" basis is the workhorse for most B2B operations under GDPR.
DPDPA has only two: consent (Section 6) and legitimate uses (Section 7). The "legitimate uses" list is closed and narrow — employment, medical emergency, judicial functions, public interest. There is no open-ended "legitimate interests" balancing test. Practically, this means most B2C operations in India must rely on consent for everything that is not explicitly listed.
Data subject rights
GDPR grants eight rights including portability and the famous "right to be forgotten" (erasure). DPDPA grants four primary rights: information about processing, correction & erasure, nomination, and grievance redressal. There is no general "right to portability" under DPDPA, and the right to erasure is more limited.
Penalties
GDPR caps fines at €20 million or 4% of global turnover, whichever is higher. DPDPA caps penalties at ₹250 crore per instance — there is no turnover-based cap. For very large multinationals this means GDPR can hit harder; for Indian companies the absolute rupee amount is what matters.
Both regimes also offer regulatory orders, suspensions, and tiered penalties for different violations. See the DPDPA penalty schedule.
Cross-border data transfers
GDPR has a complex transfer regime — adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, derogations. DPDPA flips this: transfers are allowed by default, except to countries explicitly blacklisted by the Central Government. This is genuinely simpler for businesses with global infrastructure.
Children's data
GDPR sets the digital age of consent at 16 (member states can lower to 13). DPDPA defines a child as anyone under 18 and requires verifiable parental consent. This is a much higher bar — apps and sites with younger users must rebuild consent flows for India.
Notification timelines
GDPR mandates breach notification within 72 hours. DPDPA does not specify hours in the statute itself, but the Rules set the manner and timeline (also expected to land at 72 hours for serious breaches). Both require notification to the regulator and to affected individuals.
Grievance and DPO
GDPR requires a DPO only when processing meets certain thresholds (public authority, large-scale special category data, regular & systematic monitoring). DPDPA goes further: every Data Fiduciary must appoint a grievance officer. Significant Data Fiduciaries must appoint a DPO based in India who reports to the board.
Practical guidance for dual compliance
- Adopt the stricter of the two for shared mechanics. Use GDPR-style granular, opt-in consent banners — they satisfy DPDPA too.
- Localise your privacy notice. Maintain an EU-facing notice and an India-facing notice. The India-facing one must reference DPDPA sections (5, 6, 8, 9, 11). Generate one here.
- Build separate DSR pipelines. EU DSR timelines (1 month) and DPDPA timelines differ; track them separately in your support tool.
- Map data flows. Identify which datasets are governed by which law. India-resident data is DPDPA. EU-resident is GDPR. US-resident may be CCPA/CPRA. Document this in a single Records of Processing Activities (RoPA).
- Re-evaluate "legitimate interests" assumptions. What you got away with under GDPR's LI basis often will not survive under DPDPA's tighter consent regime.
Conclusion
DPDPA is not "GDPR-lite" — it is a different statute with its own architecture. The good news: if you have already done the GDPR groundwork, ~70% of the controls and documentation translate directly. The remaining 30% (consent, child data, grievance officer, India-specific rights) is what you need to add. Walk our checklist to find your gaps.
Generate your DPDPA privacy policy
Free. Two minutes. Section-by-section references. English & Hindi.
Open the generator →