We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

DPDP vs GDPR: Key Differences for Indian Businesses

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

DPDP vs GDPR: Key Differences for Indian Businesses

Nine times out of ten, when an Indian founder tells me they are already DPDP-ready because their vendor gave them a GDPR-compliant platform, I know the next hour is going to be awkward. They have paid for a Rolls-Royce consent banner and a sixty-page Data Processing Agreement written for Frankfurt, and none of it maps cleanly to the law they actually have to answer to.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is not GDPR with Indian names swapped in. It is a shorter, sharper, more executive-heavy law, and the places where it diverges from the General Data Protection Regulation (GDPR, the European Union privacy law) are precisely the places that will cost you money if you assume they are the same. This is a field guide to those divergences, written from the audit chair.

Why the two laws feel similar and are not

On paper they rhyme. Both give individuals rights over their data. Both put obligations on the organisation that decides why and how data is processed. Both carry penalties that make a CFO sit up. If you read the section headings side by side, you would think DPDP is a lightly localised GDPR.

The trouble starts underneath the headings. GDPR has 99 articles, 173 recitals, and a decade of case law, guidance, and Data Protection Authority decisions clarifying every ambiguous phrase. The DPDP Act has 44 sections, no recitals, and its operative detail deferred to Rules and to a Data Protection Board that, at the time of writing, is still being stood up. So when you hit a hard question under DPDP, there is often no guidance to fall back on, and the safe reading is the conservative one. Practitioners who treat DPDP as GDPR-lite consistently under-scope their controls.

The vocabulary changed, and the vocabulary matters

Half the confusion in a DPDP readiness review is people using GDPR words for DPDP roles. The words are not interchangeable, and the mismatch shows up in your contracts.

GDPR termDPDP equivalentWhat actually differs
Data SubjectData PrincipalSame idea, but DPDP also creates duties on the individual and a fine up to Rs 10,000 for filing frivolous complaints
Data ControllerData FiduciaryDPDP frames the relationship as fiduciary trust, not just control, which raises the bar on how you justify processing
Data ProcessorData ProcessorOnly defined role that keeps its name, but DPDP gives processors far less direct statutory exposure than GDPR does
Personal DataPersonal DataGDPR carves out special categories with extra rules, DPDP has no separate sensitive-data tier at all
Supervisory AuthorityData Protection Board of IndiaThe Board is an adjudicatory body, not a full-spectrum regulator, and cannot issue GDPR-style binding guidance

That last row is the one people miss. Under GDPR you can lean on regulator guidance to interpret grey areas. Under DPDP the Board mainly turns up after something has gone wrong, to adjudicate and impose penalties. There is no friendly helpline for a nuanced consent question.

Six divergences that change your actual controls

These are the ones I flag in every DPDP gap assessment, because getting them wrong means rebuilding a control rather than tweaking it.

1. Legal basis: DPDP is a consent-and-legitimate-uses world

GDPR gives you six lawful bases under Article 6, including the famously elastic legitimate interests, which lets you process data where you have a genuine business need that is not overridden by the individual's rights. DPDP does not have legitimate interests. Full stop. Your two roads are consent, or a closed list of certain legitimate uses under Section 7 (employment, a service the person voluntarily approached you for, medical emergencies, a few state functions).

In practice this means every marketing analytics, profiling, or enrichment activity that a European firm quietly runs on legitimate interests needs explicit consent in India. If your consent architecture was designed for GDPR, it is almost certainly under-collecting for DPDP. I have watched teams discover on day one of an audit that their entire retargeting stack has no valid Indian legal basis.

2. Consent must come with a notice, and the notice has hard content rules

DPDP Section 5 and 6 require that consent be free, specific, informed, unconditional, unambiguous, and accompanied by an itemised notice. The notice must list the personal data being collected, the purpose, how to exercise rights, and how to complain to the Board. It must also be available in English and any of the 22 languages in the Eighth Schedule of the Constitution if the Principal asks. GDPR has transparency duties too, but it never obliged you to serve the notice in Marathi or Tamil on request. Your consent management platform has to support that.

3. Consent Managers are a uniquely Indian creature

DPDP introduces the Consent Manager, a registered intermediary through which a Data Principal can give, manage, review, and withdraw consent across fiduciaries. There is no GDPR analogue. It sits in the same regulatory family as the account aggregator framework the RBI built for financial data. If your sector moves towards Consent Manager routing, a GDPR-native consent tool will not plug in without work.

4. No sensitive-data category, but a Significant Data Fiduciary tier instead

GDPR Article 9 gives health, biometric, religious, and similar data extra protection. DPDP deliberately flattens that. There is no special category. Instead the risk lever is the entity: the Central Government can notify certain organisations as Significant Data Fiduciaries based on volume and sensitivity of data, risk to sovereignty, and public order. An SDF must appoint a Data Protection Officer based in India, appoint an independent data auditor, and run periodic Data Protection Impact Assessments. So the compliance weight shifts from the type of data to the scale of the organisation processing it.

5. Cross-border transfers: blocklist, not whitelist

This is the single biggest philosophical flip, and it trips up every multinational. GDPR uses a whitelist model: you may transfer personal data outside the EU only to countries with an adequacy decision or under safeguards like Standard Contractual Clauses. Everything is forbidden unless permitted.

DimensionGDPRDPDP Act
Default postureTransfer restricted unless country is adequate or SCCs in placeTransfer permitted to all countries by default
Government roleAdequacy decisions add permitted destinationsGovernment may notify a blocklist of restricted countries
Mechanism you maintainStandard Contractual Clauses, TIAs, BCRsWatch the notified restricted list, honour sectoral localisation
Sectoral overlayUniform across sectorsRBI payments data must be stored in India, similar sectoral rules stack on top

So DPDP is more permissive on its face. But do not celebrate. The RBI's 2018 payments-data localisation direction still requires that payment system data be stored only in India, and sectoral regulators like SEBI and IRDAI layer their own localisation and reporting expectations on top of DPDP. The base law relaxed, the sector rules did not.

6. Breach reporting: everything is reportable, and fast

GDPR gives you a materiality filter. Under Article 33 you notify the supervisory authority within 72 hours only where the breach is likely to result in a risk to individuals' rights and freedoms, and you tell affected individuals only where the risk is high. DPDP has no such filter in the Act itself: every personal data breach is notifiable to the Board and to each affected Data Principal, with the timelines to be set in the Rules. On top of that you still have the CERT-In Directions of April 2022, which require reporting cyber incidents within 6 hours. So an Indian breach can trigger two clocks at once, and neither of them cares whether the breach was trivial.

What the penalties actually look like

Both regimes bite, but they bite differently. GDPR scales fines to global turnover. DPDP works off fixed rupee ceilings per contravention, set in its Schedule, and the Board decides the amount case by case.

FailureDPDP penalty (up to)GDPR comparison
Failure to prevent a personal data breach / weak security safeguardsRs 250 croreUp to 20 million euro or 4 percent of global turnover
Failure to notify the Board or Principals of a breachRs 200 crorePart of the up to 10 million euro / 2 percent tier
SDF-specific obligation failures (DPO, audit, DPIA)Rs 150 croreCovered under the up to 10 million euro / 2 percent tier
Breach of children's data dutiesRs 200 croreHandled through Article 8 plus general fines
Data Principal filing a frivolous complaintRs 10,000No individual-side penalty exists

Two things to note. There is no turnover multiplier in DPDP, which means for a very large company the rupee ceiling can be gentler than GDPR, and for a mid-sized Indian firm Rs 250 crore is existential. And DPDP is the only one of the two that can fine the individual. That children's-data line matters too: DPDP by default forbids tracking, behavioural monitoring, and targeted advertising directed at children under 18, and demands verifiable parental consent, which is stricter and broader than the GDPR position that centres on ages 13 to 16.

What actually happens in the room

Let me give you a composite from real readiness reviews. A Bengaluru SaaS company, roughly 200 people, sells to European and Indian customers. They booked us thinking DPDP would be a one-week tick-box because they had held ISO 27001 and a GDPR programme for three years.

Day one, we pulled their record of processing. Their marketing team was enriching Indian sign-ups with a third-party data provider and running lookalike modelling, all justified under legitimate interests in their GDPR register. There is no legitimate interests under DPDP, so for their Indian Data Principals that entire activity had no lawful basis. That is not a paperwork fix. It is either fresh consent capture at the point of collection or switching the activity off for Indian data.

Day two, the consent notice. It was a single English paragraph. DPDP wants an itemised notice, available in the Principal's chosen scheduled language, with a route to the Board. Their consent platform had no multilingual notice capability and no per-purpose granularity, so a withdrawal of marketing consent would also have killed service consent. Rebuild.

Day three, breach response. Their runbook copied the GDPR 72-hour risk-based test. In India they had to add the CERT-In 6-hour clock and drop the materiality filter entirely. And their data-transfer clauses named EU Standard Contractual Clauses but said nothing about RBI payments-data localisation, even though they processed card-linked billing. Three days, three structural gaps, none of them visible from the GDPR paperwork. This is the norm, not the exception.

The mapping most teams should build first

Before you touch a single control, build the crosswalk. For every processing activity, you want one row that answers the DPDP-specific questions your GDPR register never asked.

  • Which Data Principals are in scope, and are any of them under 18, because that flips you into verifiable parental consent territory
  • What is the DPDP legal basis, consent or a specific Section 7 legitimate use, and never the word legitimate interests
  • Is your consent notice itemised, per-purpose, and multilingual on request
  • Does this activity move data cross-border, and is the destination on any notified restricted list or caught by RBI, SEBI, or IRDAI localisation
  • Could your organisation be notified as a Significant Data Fiduciary given the volume, and if so is the India-based DPO and independent auditor lined up
  • Does your breach runbook run both the DPDP notify-everyone rule and the CERT-In 6-hour incident clock

A practical fix-it checklist

If you are turning a GDPR programme into a defensible DPDP one, this is the short list I hand teams to work through in the first fortnight.

  • Re-baseline every legitimate-interests activity to consent or a Section 7 legitimate use, and switch off anything that fits neither for Indian data
  • Rebuild consent notices to be itemised and per-purpose, with a mechanism to serve them in Eighth Schedule languages on request
  • Add an easy, standing withdrawal-of-consent route that is as simple as the give-consent journey, and confirm withdrawal propagates to processors
  • Implement age assurance and verifiable parental consent before any processing of under-18 data, and remove behavioural tracking and targeted ads aimed at children
  • Rewrite the breach runbook to notify the Board and every affected Principal with no materiality filter, and wire in the CERT-In 6-hour incident report
  • Map cross-border flows against sectoral localisation, especially RBI payments data stored only in India, and keep watching the notified restricted-country list
  • Assess whether you are likely to be a Significant Data Fiduciary and pre-appoint an India-resident DPO, an independent data auditor, and a DPIA cadence
  • Update processor contracts so they reflect Data Fiduciary and Data Processor duties under DPDP, not just GDPR controller-processor clauses

The bottom line for Indian businesses

That founder with the Frankfurt consent banner was not wrong to invest in privacy. They were wrong to assume the investment transferred. GDPR maturity gives you a head start on governance, records, and security hygiene, and that is genuinely worth a lot. But DPDP is its own law, with its own posture on legal basis, transfers, children, breaches, and penalties, and the gaps sit exactly where you least expect them because the headings look so familiar.

Read DPDP as its own instrument, build the India-specific crosswalk before you build controls, and treat the still-emerging Rules as a reason to be conservative rather than to wait. If you want a second pair of eyes, our CERT-In empanelled auditors run DPDP readiness reviews hands-on and can tell you in days where your GDPR programme quietly stops protecting you under Indian law.

FAQs

Is my GDPR compliance enough to satisfy the DPDP Act?

No. It is a strong foundation for governance and security, but DPDP diverges on legal basis (no legitimate interests), consent notices (itemised and multilingual on request), cross-border transfers (blocklist not whitelist), breach reporting (no materiality filter), and children's data. Each of those needs India-specific work on top of a GDPR programme.

Does DPDP have a category of sensitive personal data like GDPR Article 9?

No. DPDP deliberately has no separate sensitive-data tier. Instead of protecting data types more heavily, it applies extra duties to organisations notified as Significant Data Fiduciaries, based on the volume and sensitivity of data they handle and the risk they pose.

How fast do I have to report a data breach under DPDP?

DPDP requires you to notify the Data Protection Board and every affected Data Principal of any personal data breach, with the precise timeline set in the Rules and no materiality threshold. Separately, the CERT-In Directions of April 2022 require reporting notified cyber incidents within 6 hours, so an Indian breach can start two clocks at once.

Can I keep transferring personal data to my EU or US cloud under DPDP?

Broadly yes. DPDP permits cross-border transfers to all countries by default and only restricts destinations the Government notifies on a blocklist. But sectoral rules still apply, most notably the RBI direction that payment system data must be stored only in India, so check localisation obligations for your sector before relying on the permissive default.

What is a Significant Data Fiduciary and how do I know if I am one?

It is an organisation the Central Government notifies as significant based on data volume and sensitivity, risk to individuals, sovereignty, or public order. If notified, you must appoint an India-based Data Protection Officer, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments. Assess your likely status early rather than waiting to be told.

How do DPDP penalties compare to GDPR fines?

GDPR scales to global turnover (up to 4 percent or 20 million euro). DPDP uses fixed rupee ceilings per contravention, up to Rs 250 crore for security-safeguard failures, with the Board deciding the amount. There is no turnover multiplier, and uniquely, DPDP can also fine an individual up to Rs 10,000 for a frivolous complaint.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205