GDPR vs DPDP Act: Key Differences Every Compliance Team Should Know
Both laws protect personal data, but their approaches diverge in significant ways. A side-by-side breakdown of consent models, DSR timelines, enforcement mechanisms, and penalty structures.
Two Frameworks, One Goal
The EU's General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act 2023 (DPDP Act) both aim to protect individuals' right to control their personal data, but they take meaningfully different approaches to achieving that goal. For global organisations operating in both markets, understanding these differences is essential for avoiding compliance gaps and building programmes that satisfy both laws efficiently.
The GDPR, which came into force in 2018, is a comprehensive, principles-based regulation with detailed prescriptive requirements. The DPDP Act, while taking inspiration from GDPR and other global frameworks, makes deliberate choices to depart from the European model — particularly in its reliance on delegated rule-making by the Government of India.
Territorial Scope: Who Does Each Law Cover?
GDPR applies to organisations established in the EU/EEA, and to organisations outside the EU that offer goods or services to EU residents or monitor their behaviour. The 'establishment' principle means a non-EU company with an EU office is covered regardless of where its data processing occurs.
The DPDP Act applies to the processing of digital personal data within India and — critically — to the processing of data of Indian residents by organisations outside India when it occurs in connection with an activity related to offering goods or services to Data Principals within India. Like GDPR, the DPDP Act has an extraterritorial reach that makes it relevant to any global business with Indian customers.
Lawful Basis for Processing: A Fundamental Divergence
This is arguably the most significant structural difference between the two regimes. GDPR provides six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The 'legitimate interests' basis is widely used in practice: it allows organisations to process data where their interests, after a documented balancing test, are not overridden by the individual's rights and freedoms.
The DPDP Act takes a different approach: it recognises consent as the primary lawful basis, supplemented by 'deemed consent' for a defined list of situations (including employment, medical emergencies, and legal proceedings). Critically, the DPDP Act does not include a general 'legitimate interests' basis. This means organisations that rely heavily on legitimate interests for analytics, fraud prevention, or direct marketing in their GDPR compliance programme must reassess those activities under DPDP.
Data Subject Rights: Coverage and Timelines
GDPR provides eight distinct data subject rights: access, rectification, erasure, restriction, portability, objection, rights related to automated decision-making, and the right not to be subject to profiling. These rights are detailed and come with specific timelines — generally 30 days for most requests, with a possible one-month extension for complex or numerous requests.
The DPDP Act currently provides four rights: access, correction and erasure, grievance redressal, and the right of nomination. It does not currently include explicit data portability, restriction of processing, or objection rights. Response timelines are not specified in the Act itself but are expected to be prescribed by rules. Organisations should build flexible DSR workflows capable of handling a broader set of right types as the Act matures.
Data Breach Notification: Timelines and Obligations
GDPR's breach notification framework is well established: notify the competent supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals; notify affected individuals 'without undue delay' if the risk is high. The 72-hour window is strict and applies from awareness, not discovery.
The DPDP Act requires notification to the Data Protection Board and to affected Data Principals 'as soon as possible', arguably an even more demanding standard than GDPR's 72-hour clock. There is also no risk threshold: every personal data breach must be reported, not only those posing a risk to individuals. This makes DPDP breach notification obligations broader in scope than GDPR's.
Enforcement and Penalties: Different Models, High Stakes
GDPR enforcement is decentralised through national Data Protection Authorities (DPAs) in each EU/EEA member state, with the lead supervisory authority principle applying to cross-border processing. Penalties can reach €20 million or 4% of global annual turnover — whichever is higher — for the most serious breaches.
The DPDP Act establishes a centralised Data Protection Board of India as the sole enforcement body. Penalties are defined in absolute rupee amounts rather than as a percentage of turnover, reaching up to ₹250 crore (approximately €27 million) per instance. While the maximum GDPR penalty for a global giant may dwarf the maximum DPDP penalty, for Indian companies the DPDP penalties are material.
Building a Unified Compliance Programme
For organisations covered by both GDPR and the DPDP Act, the most efficient approach is to build a unified compliance programme grounded in the stricter standard, then layer jurisdiction-specific requirements on top. In practice, this means starting with GDPR's more detailed requirements as the baseline — comprehensive consent, all eight data subject rights, 72-hour breach notification, full RoPA — and supplementing with DPDP-specific elements like grievance officer appointment and deemed consent categories.
A single data map, a unified DSR platform, and shared policy templates can serve both jurisdictions with appropriate customisation. The cost of building to two standards is far lower than building two separate programmes, and significantly reduces the risk of gaps emerging as both laws evolve.