
DPDP Act vs GDPR: The Comparison India's DPOs Actually Need

Both laws say "data protection." But their philosophies diverge fundamentally — and if your Indian compliance programme is derived from your EU GDPR playbook, you have critical gaps. Here is the definitive side-by-side breakdown.

Key numbers at a glance:

₹250 crore: DPDP maximum penalty vs GDPR's €20M
72 hours: GDPR breach notification vs DPDP's "without delay"
9: GDPR rights India's DPDP does not replicate
0: legitimate interest bases available under DPDP

Why DPOs are confused — and why it matters

When the Digital Personal Data Protection Act 2023 was notified, many Indian organisations did what felt logical: they opened their GDPR compliance framework and started mapping. They appointed a DPO, built consent workflows, drafted privacy notices. They assumed GDPR compliance was a reasonable proxy for DPDP compliance.

It is not. The two frameworks share vocabulary but diverge fundamentally in philosophy, legal architecture, and practical obligations. GDPR is a rights-first framework — it grants data subjects extensive rights and requires organisations to build systems around enabling those rights. DPDP is an obligations-first framework — it imposes specific duties on Data Fiduciaries and creates a dispute resolution board to adjudicate complaints. The distinction is not semantic. It shapes every operational decision from consent design to breach response to cross-border transfers.

For India's BFSI sector — where organisations may simultaneously process EU personal data (GDPR), Indian customer data (DPDP), and face RBI/SEBI/IRDAI sector-specific overlay — understanding precisely where the frameworks align and where they diverge is not optional. It is your compliance foundation.

ℹ️ Who this comparison is for: DPOs and privacy lawyers managing dual GDPR/DPDP obligations; CISOs building India-specific data security controls; compliance heads at banks, NBFCs, insurers, and payment aggregators with international operations; legal teams reviewing vendor contracts under both frameworks.

The lawful basis chasm

This is the single most consequential difference between the frameworks, and the one most commonly mishandled by Indian organisations that adapted their EU compliance programmes.

GDPR provides six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and — critically — legitimate interests. Legitimate interest (Article 6(1)(f)) is the most widely used lawful basis in corporate data processing globally. It covers employee monitoring, fraud prevention, direct marketing, security logging, analytics, and countless other operations. You must conduct a three-part test (purpose, necessity, balancing), but the flexibility is enormous.

DPDP provides two lawful bases: consent (Section 6) and what the Act calls "legitimate uses" (Section 7). Do not confuse "legitimate uses" with GDPR's "legitimate interests" — they are entirely different constructs. DPDP's legitimate uses are a closed enumerated list covering state functions, medical emergencies, employment processing, and broadly beneficial purposes specified by the Central Government. There is no flexible balancing-test concept. Every processing operation falls into consent or one of the enumerated exceptions.

GDPR's legitimate interest basis — the most-used lawful ground in EU corporate processing — simply does not exist under India's DPDP Act. Every processing operation needs a consent gate or explicit exemption.

Lawful basis comparison — GDPR vs DPDP Act 2023

Lawful Basis | GDPR (Article 6) | DPDP Act 2023 | Practical Impact
------------ | ---------------- | ------------- | ----------------
Consent | Yes — Article 6(1)(a) | Yes — Section 6 | Both require freely given, specific, informed, unambiguous consent
Contract | Yes — Article 6(1)(b) | No direct equivalent | DPDP: covered under Section 7 deemed consent for contractual necessity
Legal obligation | Yes — Article 6(1)(c) | Partially via Section 7 | State/regulatory processing exempt; private-sector legal obligations: use consent
Vital interests | Yes — Article 6(1)(d) | Yes — Section 7(b)(ii) | Medical emergencies enumerated under legitimate uses
Public task | Yes — Article 6(1)(e) | Yes — Section 7 (state) | Limited to state/government instrumentalities only
Legitimate interests | Yes — Article 6(1)(f) | NO EQUIVALENT | The single biggest compliance gap for Indian organisations with GDPR programmes

Consent architecture: similar words, different rules

Both frameworks require consent to be "free, informed, specific, and unambiguous." At that level of abstraction they appear identical. The divergences appear when you go one level deeper into implementation.

Consent architecture comparison

Consent Attribute | GDPR | DPDP Act 2023
----------------- | ---- | -------------
Granularity | Granular — separate consent per purpose | Can be bundled in a single consent notice (Draft Rules, Rule 3)
Withdrawal | Must be as easy to withdraw as to give (Article 7(3)) | Must be easy to withdraw (Section 6(4)) — implementation details in Rules
Language | Plain language in the language of the data subject | Must be available in all 22 Scheduled Languages (Draft Rules)
Notice format | Privacy policy or layered notice | Consent notice must precede request; specific format in Draft Rules
Bundled consent | Generally prohibited — each purpose needs separate consent | Draft Rules permit layered consent in a single notice with separate items
Deemed consent | No equivalent concept | Section 7(b): voluntarily provided data for an obvious purpose — unique DPDP construct
Children | Under 16 (or 13 with Member State derogation) | Under 18 — verifiable parental consent; no deemed consent for minors
Conditional service | Cannot condition service on unnecessary consent | Cannot condition service on consent for processing not necessary for service

⚠️ The deemed consent trap: DPDP Section 7(b) allows processing personal data that a Data Principal "voluntarily provides" to a Data Fiduciary for a purpose that the person can reasonably expect. This is not a GDPR construct. If your EU compliance team sees this, they may incorrectly categorise it as "legitimate interest." It is not — it is a specific Indian law exemption with its own scope. Document it as "Section 7(b) deemed consent" in your DPDP records, not as a consent-equivalent for GDPR purposes.

Terminology translation table

The frameworks use different terminology for overlapping (but not identical) concepts. Using GDPR terminology in DPDP compliance documents is legally imprecise and can create gaps in enforcement defence.

Terminology translation — GDPR to DPDP Act

GDPR Term | DPDP Term | Key Difference
--------- | --------- | --------------
Data Controller | Data Fiduciary | DPDP adds a "Significant Data Fiduciary" (SDF) tier with additional obligations — no GDPR equivalent
Data Processor | Data Processor | Near identical conceptually; DPDP processor contracts have specific requirements in Rules
Data Subject | Data Principal | Minor semantic difference; DPDP adds right to nominate a representative (Section 14) with no GDPR equivalent
DPO (mandatory for some controllers) | No equivalent title yet | DPDP Rules 2025 do not mandate a DPO title; SDF obligations include a nodal officer concept
GDPR Article 30 ROPA | ROPA (DPDP Rules 2025) | DPDP ROPA has 11 mandatory fields vs GDPR's 8; includes Consent Artifact ID with no GDPR equivalent
Supervisory Authority (SA) | Data Protection Board (DPB) | DPB is a dispute-resolution adjudicatory body; GDPR SAs are proactive regulators with investigation powers
Standard Contractual Clauses (SCCs) | No equivalent mechanism | Cross-border: Central Government whitelist/blacklist model under Section 16; no SCC-type mechanism yet
Binding Corporate Rules (BCRs) | No equivalent | No BCR concept in DPDP; intra-group transfers subject to same rules as third-party transfers
Data Protection Impact Assessment (DPIA) | No explicit requirement yet | DPDP Rules 2025 may introduce DPIA equivalent for SDFs; not in Act itself
Joint Controller | No explicit concept | DPDP does not address joint Data Fiduciary scenarios — gap area for multi-party processing

Rights comparison: GDPR's 9 vs DPDP's 3 (+1)

This is the dimension that most directly affects your data principal-facing systems. If you have built a Data Subject Rights portal for GDPR, you need a significantly narrower — but differently structured — portal for DPDP.

DPDP grants Data Principals three rights: the right to information about their personal data being processed (Section 11), the right to correction, completion, updating, and erasure (Section 12), and the right to grievance redressal (Section 13). There is also a unique fourth right with no GDPR equivalent: the right to nominate another person to exercise rights on behalf of the Data Principal in cases of death or incapacity (Section 14).

Right | GDPR | DPDP Act | Key Difference
----- | ---- | -------- | --------------
Right to information / access to personal data | Yes | Yes | DPDP: right to information about processing; GDPR: full copy of data (Article 15)
Right to correction and erasure | Yes | Yes | Both frameworks include, with some differences in scope
Right to grievance redressal / lodge complaint | Yes | Yes | GDPR: complaint to supervisory authority; DPDP: complaint to DPB via Data Fiduciary first
Right to data portability | Yes | No | GDPR Article 20 — no equivalent in DPDP Act 2023
Right to object to processing | Yes | No | GDPR Article 21 — no equivalent; DPDP only allows withdrawal of consent
Right to restrict processing | Yes | No | GDPR Article 18 — no equivalent in DPDP Act 2023
Right not to be subject to automated decisions | Yes | No | GDPR Article 22 — no equivalent; DPDP has no automated decision-making provision
Right of access (full copy of personal data) | Yes | No | GDPR Article 15 gives full data copy; DPDP only requires information about categories processed
Right to lodge complaint with supervisory authority | Yes | No | GDPR SAs are proactive regulators; DPB is complaint-driven adjudicatory body
Right to nominate (on death/incapacity) | No | Yes | DPDP Section 14 — unique provision with no GDPR equivalent

🚨 Critical operational gap: GDPR's right to data portability (Article 20) is a cornerstone of open banking initiatives in the EU. If your organisation has built portability APIs to comply with GDPR, these are not required under DPDP — but they may be mandated separately by RBI's Account Aggregator framework. Ensure your portability obligations are attributed to the correct legal source in your compliance records.

Penalty structure: percentage vs fixed ceiling

The penalty architectures are philosophically different. GDPR's percentage-of-global-turnover model is designed to be proportionate to company size — a small startup and a global bank face penalties scaled to their capacity. DPDP's fixed ceiling model is transparent and predictable but may be less deterrent for very large organisations.

GDPR penalties

Tier 1 (most serious): €20M or 4% of global turnover, whichever is higher. Applies to violations of basic principles, children's data, BCRs, and lawful basis failures.
Tier 2: €10M or 2% of global turnover. Applies to controller/processor obligations, consent conditions, DPO requirements, and breach notification.
Impact on large MNCs: percentage-based — a company with €10B global revenue faces up to €400M per Tier 1 violation. Devastating for global firms.

DPDP Act penalties (Schedule)

Violation | Maximum penalty
--------- | ---------------
Data breach — failure of security safeguards | ₹250 crore
Children's data — failure of obligations | ₹200 crore
Failure to notify breach to DPB | ₹150 crore
Non-fulfilment of additional SDF obligations | ₹150 crore
Failure to fulfil Data Principal rights | ₹50 crore
Breach of any other provision | ₹50 crore

Fixed ceilings: predictable for large firms, but the DPB adjudicates — no court involvement for most violations.

For Indian BFSI organisations with global operations, the strategic risk comparison matters. A European data protection authority can levy €400M against a bank with €10B global revenue. The DPDP Act's maximum for any single violation is ₹250 crore (approximately €28M at current rates). However, the DPB can levy separate penalties per violation — a systematic failure touching multiple obligations could result in cumulative penalties that approach GDPR-scale totals.

Critically, for Indian BFSI entities, the RBI, SEBI, and IRDAI remain the de facto primary enforcers. DPDP compliance will increasingly become an audit criterion in sector-regulator examinations — meaning regulatory enforcement risk runs through your prudential supervisor, not just the DPB.

Breach notification: the clock comparison

Breach notification comparison — GDPR, DPDP, and CERT-In

Notification Dimension | GDPR | DPDP Act 2023 | CERT-In Overlay
---------------------- | ---- | ------------- | ---------------
Regulator notification | 72 hours to supervisory authority (Article 33) | "Without delay" to DPB — no specific hour clock in final Rules | 6 hours to CERT-In from detection (mandatory for all Indian entities)
Individual notification | Without undue delay to data subjects if high risk (Article 34) | "Without delay" to affected Data Principals | Not directly applicable — separate obligation
Threshold to notify | Likely to result in risk to rights and freedoms of individuals | Breach of personal data processed by Data Fiduciary | All 20+ reportable incident types regardless of personal data
Content of notice | Nature, DPO contact, likely consequences, measures taken (Article 33(3)) | Nature of breach, categories affected, probable consequences, measures taken | Separate CERT-In portal fields — different data requirements
Partial report accepted | Yes — phased reporting within 72-hour window | Not yet specified in Rules | Yes — submit what you know within 6 hours
Documentation | All breaches must be documented regardless of notification threshold | Implied by ROPA obligations | CERT-In submission creates its own record trail

⚠️ The dual-track breach response: If your organisation suffers a cyber incident involving personal data, three independent clocks may run simultaneously: CERT-In 6-hour reporting (cybersecurity incident), DPDP "without delay" notification to DPB and Data Principals (personal data breach), and for EU-resident data: GDPR 72-hour notification to the relevant supervisory authority. Your incident response SOP must explicitly manage all three tracks with separate teams, forms, and recipients.
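The three clocks above are easy to lose track of during a live incident. The following scheduler is an added example written for this article, not code from the article's author, CERT-In, the DPB or any EU authority. It takes a few attributes of an incident (detection time, whether it is a CERT-In reportable type, whether personal data and EU-resident data are in scope) and returns the notification tracks that apply, earliest first. The `Incident` and `Track` structures, the recipient labels, and the choice to rank "without delay" tracks ahead of timed ones are this example's own assumptions; the 6-hour and 72-hour figures come from the comparison table.

```python
"""Dual-track breach notification scheduler (added example, not the article's code).

Models the three clocks the article describes: CERT-In 6 hours, DPDP
"without delay", GDPR 72 hours. Field names, recipient labels and the
ordering rule are assumptions of this example, not regulatory text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    detected_at: datetime           # time of detection, timezone-aware
    cert_in_reportable: bool        # falls within a CERT-In reportable incident type
    personal_data_affected: bool    # personal data of Data Principals in scope
    eu_data_subjects: bool          # EU-resident data in scope, so GDPR applies
    indian_entity: bool = True      # CERT-In directions bind Indian entities


@dataclass(frozen=True)
class Track:
    regime: str
    recipient: str
    deadline: Optional[datetime]    # None means "without delay": no hour clock
    note: str


def notification_tracks(inc: Incident) -> List[Track]:
    """Return the notification tracks an incident triggers, earliest first.

    Assumption of this example: tracks with no fixed clock ("without delay")
    sort ahead of timed ones, since nothing lets them wait for a later deadline.
    """
    tracks: List[Track] = []
    if inc.indian_entity and inc.cert_in_reportable:
        tracks.append(Track(
            "CERT-In", "CERT-In incident reporting",
            inc.detected_at + timedelta(hours=6),
            "6 hours from detection; partial report accepted"))
    if inc.personal_data_affected:
        tracks.append(Track(
            "DPDP", "Data Protection Board", None,
            "Without delay; no specific hour clock in the Rules"))
        tracks.append(Track(
            "DPDP", "Affected Data Principals", None,
            "Without delay; nature, categories, consequences, measures"))
    if inc.personal_data_affected and inc.eu_data_subjects:
        tracks.append(Track(
            "GDPR", "Supervisory authority (Art. 33)",
            inc.detected_at + timedelta(hours=72),
            "72 hours; phased reporting permitted; Art. 34 notice if high risk"))
    # Sort: "without delay" (None) first, then timed tracks by deadline.
    # sorted() is stable, so the two DPDP tracks keep their insertion order.
    return sorted(tracks, key=lambda t: (t.deadline is not None,
                                         t.deadline or inc.detected_at))


def hours_remaining(track: Track, now: datetime) -> Optional[float]:
    """Hours left on a timed track (negative if overdue); None if no clock."""
    if track.deadline is None:
        return None
    return (track.deadline - now).total_seconds() / 3600


def overdue(tracks: List[Track], now: datetime) -> List[Track]:
    """Timed tracks whose deadline has already passed at `now`."""
    return [t for t in tracks if t.deadline is not None and t.deadline < now]


if __name__ == "__main__":
    # Constructed sample: an intrusion into a core banking system holding both
    # Indian and EU customer records, detected at 09:00 IST.
    ist = timezone(timedelta(hours=5, minutes=30))
    incident = Incident(
        detected_at=datetime(2025, 1, 15, 9, 0, tzinfo=ist),
        cert_in_reportable=True, personal_data_affected=True,
        eu_data_subjects=True)
    now = datetime(2025, 1, 15, 13, 30, tzinfo=ist)
    for t in notification_tracks(incident):
        due = "without delay" if t.deadline is None else t.deadline.isoformat()
        left = hours_remaining(t, now)
        left_txt = "n/a" if left is None else f"{left:.1f}h left"
        print(f"{t.regime:8} {t.recipient:32} due {due} ({left_txt}) - {t.note}")
```

Run as a script it prints the constructed incident's four tracks in order: the two DPDP notifications first, then CERT-In at 15:00 IST and the GDPR supervisory authority three days later. In a real SOP the `recipient` strings would map to the separate teams and forms the callout above calls for; the point of the ordering rule is that a 72-hour GDPR window must never be read as permission to sit on the DPDP or CERT-In notifications.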

Cross-border data transfers

Cross-border transfer is an area of significant practical uncertainty under DPDP because the Rules have not yet specified the restricted country list under Section 16.

Cross-border transfer mechanisms comparison

Transfer Mechanism | GDPR | DPDP Act 2023
------------------ | ---- | -------------
Adequacy decision | Yes — European Commission can declare third country adequate | No equivalent — Central Government notifies allowed/restricted countries
Standard clauses | Standard Contractual Clauses (SCCs) — widely used | No SCC-type mechanism in Act or Rules 2025
Intra-group mechanism | Binding Corporate Rules (BCRs) | No BCR concept — all transfers subject to same rules
Derogations | Article 49 derogations for specific situations (consent, contract, vital interests) | No derogation framework specified yet
Data localisation | No general localisation requirement (Member States may add) | No broad localisation mandate in DPDP — but SDF designation may add requirements
RBI payment data | Not applicable | RBI Payment System Data Storage (2018) mandates localisation of payment data — separate from DPDP

The practical advice for BFSI organisations pending Rules notification: audit all cross-border data flows involving Indian personal data; tag them by transfer category; build conditional contract clauses stating "subject to DPDP Rules notification on permitted countries." Do not assume that countries with GDPR adequacy decisions will automatically be on India's permitted list — the Central Government's criteria are different.

Children's data: DPDP is more restrictive

This is one area where India's DPDP Act goes significantly further than GDPR.

Children's data protections comparison

Children's Data Dimension | GDPR | DPDP Act 2023
------------------------- | ---- | -------------
Age threshold | 16 years (Member States may lower to 13) | 18 years — highest threshold of any major jurisdiction
Parental consent | Required below age threshold | Required below 18 — must be verifiable
Profiling prohibition | No absolute ban — must comply with Article 22 safeguards | Absolute prohibition on behavioural monitoring, targeted advertising, and profiling of minors
Tracking prohibition | Addressed through consent and cookie rules | Absolute ban on tracking of minors — no exceptions
Age verification | Reasonable efforts to verify | Verifiable parental consent — standard to be set by Rules
Deemed consent | No equivalent | Explicitly excluded for minors — Section 7 deemed consent cannot be used for children's data

For BFSI organisations: the 18-year threshold is particularly relevant for youth banking products, student loan applications, and school-segment financial services. Any processing of data of persons under 18 — including account holders, nominees, and beneficiaries — requires verifiable parental consent and absolute prohibition on any profiling or tracking, even where that processing would be lawful under GDPR.

What Indian BFSI organisations must do differently for DPDP vs GDPR

Practical compliance actions for organisations transitioning from GDPR-led programmes to dual GDPR + DPDP compliance:

Remove "legitimate interest" from any processing justification in Indian processing records — this lawful basis does not exist under DPDP
Map all 11 DPDP ROPA fields (different from your EU ROPA — includes Consent Artifact ID, no GDPR equivalent)
Build a separate consent management layer for India — EU consent records cannot be reused; Indian law requires consent notices in 22 scheduled languages
Classify if you qualify as a Significant Data Fiduciary — volume + sensitivity thresholds set in Rules (expect lower thresholds for BFSI)
Add "deemed consent" mapping for employee and vendor data processed under DPDP Section 7 (legitimate use exemptions)
Don't assume your GDPR DPO appointment covers Indian requirements — no DPO title mandated yet but a nodal officer concept exists for SDF compliance
Update breach response SOP to cover DPDP "without delay" notification + CERT-In 6-hour dual-track running simultaneously
Audit children's data processing: DPDP sets the age bar at 18 (vs GDPR's 16/13), with an absolute ban on profiling and behavioural monitoring — more restrictive than GDPR
Review cross-border data transfer contracts — DPDP Section 16 restricted country list not yet published; build conditional clauses pending Rules notification
Don't map DPDP rights to your GDPR Subject Access Request workflow — DPDP has only 3 of GDPR's 9 rights; your SAR process needs a separate India track

Enforcement risk: DPB vs GDPR supervisory authorities

Understanding the enforcement philosophy of each regulator shapes your risk prioritisation.

GDPR supervisory authorities are independent public bodies with broad investigative powers. They can conduct own-initiative investigations, issue dawn raids, impose provisional bans on processing, and levy administrative fines without waiting for a complaint. The Irish DPC, ICO, CNIL, and BaFin have all demonstrated willingness to pursue complex multi-year investigations against major organisations. GDPR enforcement is proactive.

India's Data Protection Board is an adjudicatory body modelled more as a quasi-judicial tribunal than a proactive regulatory authority. It responds to complaints filed by Data Principals — it does not initiate suo motu investigations (at least not in the current Act text). This makes DPDP enforcement fundamentally complaint-driven in its initial phase. The DPB imposes penalties after adjudication, not unilaterally.

However, for BFSI organisations, this enforcement comparison is somewhat misleading. The real enforcement risk comes through sector regulators. RBI, SEBI, and IRDAI conduct regular cybersecurity and data governance audits. DPDP compliance is increasingly becoming an audit criterion in these examinations — the RBI's IT examination framework, SEBI's CSCRF assessment, and IRDAI's guidelines all reference data protection obligations. A DPDP compliance gap found during an RBI examination does not go to the DPB — it results in regulatory enforcement through RBI's own supervisory powers, including business restrictions and personal accountability for executives.

ℹ️ The practical enforcement priority for BFSI: While GDPR SA enforcement commands headlines, Indian BFSI organisations should treat RBI/SEBI/IRDAI examinations as the near-term DPDP enforcement mechanism. The DPB will take time to mature as an institution. Your sector regulator will ask about DPDP compliance on Day 1.

CreativeCyber's DPDP Assessment Portal provides a structured compliance readiness tool built specifically for Indian organisations — covering lawful basis mapping, ROPA completion, consent management design, and breach notification workflows. Start your DPDP compliance assessment or read the complete DPDP ROPA guide.