🔄 GDPR vs DPDP: Key Differences for Consultants

If you already know GDPR, this comparison will accelerate your DPDP learning curve. While the two laws share DNA, there are significant structural and substantive differences that affect implementation. Do not assume GDPR compliance equals DPDP compliance.

Each aspect below gives the 🇪🇺 GDPR position first, then the 🇮🇳 DPDP Act position, followed by a note for consultants.
Scope of Application
🇪🇺 GDPR: Applies to all personal data — both digital and paper-based records in a filing system.
🇮🇳 DPDP Act: Applies ONLY to digital personal data, or non-digital data that is subsequently digitised. Pure paper records not digitised are out of scope.

💡 Note: This is a narrower scope, but in practice most business data is digital. Do not ignore paper records that may be scanned or entered into systems later.

Lawful Bases for Processing
🇪🇺 GDPR: Six lawful bases: consent, contract performance, legal obligation, vital interests, public task, legitimate interests.
🇮🇳 DPDP Act: Only two paths: Consent (Section 6) or Certain Legitimate Uses (Section 7). No equivalent of GDPR's broad 'legitimate interests' basis.

💡 Note: This is a major difference. Many GDPR programmes rely heavily on legitimate interests. Under DPDP, you likely need consent for most commercial processing. Re-evaluate every processing activity's legal basis.

Consent Standard
🇪🇺 GDPR: Free, specific, informed, unambiguous — given by a clear affirmative action.
🇮🇳 DPDP Act: Free, specific, informed, unconditional, unambiguous — given by a clear affirmative action. Note the addition of 'unconditional.'

💡 Note: The 'unconditional' requirement means you cannot make consent conditional on agreeing to unrelated processing. This closes a loophole that some GDPR implementations exploited.

Data Protection Officer
🇪🇺 GDPR: Mandatory for public authorities, large-scale systematic monitoring, and large-scale processing of special categories.
🇮🇳 DPDP Act: Mandatory ONLY for Significant Data Fiduciaries (designated by the Central Government). DPO must be based in India.

💡 Note: Fewer organisations will be legally required to have a DPO under DPDP, but appointing one voluntarily is still strongly recommended as best practice.

Data Protection Authority
🇪🇺 GDPR: Independent supervisory authorities in each EU member state with broad regulatory, investigative, and corrective powers. Issues guidance and opinions.
🇮🇳 DPDP Act: Data Protection Board of India (DPBI) — functions more like an adjudicatory tribunal. Handles complaints and imposes penalties. Does not have the broad regulatory/guidance role of EU DPAs.

💡 Note: Do not expect the DPBI to issue detailed implementation guidance like EU DPAs do. The Rules from the Central Government will fill this gap. Watch for DPBI decisions as case law develops.

Penalties
🇪🇺 GDPR: Up to EUR 20 million or 4% of global annual turnover, whichever is higher. Calculated based on severity, duration, intent, cooperation.
🇮🇳 DPDP Act: Fixed maximum amounts per violation type (Rs 50 Crore to Rs 250 Crore). No percentage-of-turnover calculation. Schedule in the Act lists specific amounts for specific violations.

💡 Note: DPDP penalties are significant in absolute terms but may be lower for very large companies compared to GDPR's turnover-based approach. However, penalties can be imposed per violation, so cumulative exposure can be enormous.

Data Subject / Principal Rights
🇪🇺 GDPR: Eight rights: access, rectification, erasure, restriction, portability, objection, automated decision-making, and withdrawal of consent.
🇮🇳 DPDP Act: Five rights: access (summary only), correction, erasure, grievance redressal, and nomination. No data portability, no right to restrict processing, no right to object.

💡 Note: The absence of a data portability right means Data Fiduciaries do not need to provide data in machine-readable format. The nomination right is unique to DPDP and needs new implementation.

Data Subject / Principal Duties
🇪🇺 GDPR: No duties on data subjects. The concept does not exist.
🇮🇳 DPDP Act: Data Principals have four duties (Section 15): comply with laws, do not file false complaints, do not furnish false information, do not impersonate. Penalty: Rs 10,000.

💡 Note: This is entirely novel. While the penalties are small, the concept signals a different philosophical approach. Include Data Principal Duties in your privacy notices so individuals are aware.

Children's Age Threshold
🇪🇺 GDPR: Under 16 (member states can lower to 13). 'Child' refers to minors below this age.
🇮🇳 DPDP Act: Under 18 — no exceptions or flexibility for different thresholds. India has a very large under-18 population.

💡 Note: The under-18 threshold significantly increases the compliance burden for consumer-facing businesses. Implement robust age verification — the penalty for children's data violations is Rs 200 Crore.

Cross-Border Transfers
🇪🇺 GDPR: Whitelist approach: transfers allowed only to countries with EU adequacy decisions or with safeguards (SCCs, BCRs, etc.).
🇮🇳 DPDP Act: Blacklist approach: transfers allowed to all countries EXCEPT those specifically restricted by the Central Government notification.

💡 Note: Currently much simpler than GDPR — no need for SCCs or adequacy assessments. But this could change quickly if the government restricts key jurisdictions. Maintain flexibility in your data architecture.

Breach Notification Timeline
🇪🇺 GDPR: 72 hours to notify the supervisory authority after becoming aware of a breach.
🇮🇳 DPDP Act: Timeline to be prescribed in the Rules. Must notify both the DPBI and affected Data Principals. The specific timeframe is not yet finalised.

💡 Note: Plan for a 72-hour notification window as a safe assumption. When Rules specify the actual timeframe, adjust your processes accordingly. Failing to notify carries a Rs 200 Crore penalty.

Consent Manager
🇪🇺 GDPR: No equivalent concept. Consent management is handled by each data controller independently.
🇮🇳 DPDP Act: Consent Managers are registered entities that provide a platform for Data Principals to manage consent across multiple Data Fiduciaries. A new intermediary layer.

💡 Note: This is a unique DPDP concept. Plan for integration with Consent Managers once they become operational. Build APIs for consent status communication. Evaluate whether your client should become a Consent Manager (business opportunity).

Notice Requirements (Language)
🇪🇺 GDPR: Must be in clear and plain language. No specific language requirements beyond the applicable country's official language.
🇮🇳 DPDP Act: Must be in English and all 22 languages listed in the Eighth Schedule of the Indian Constitution.

💡 Note: The 22-language requirement is a significant operational and cost challenge. Budget for professional translation. Prioritise based on your user base demographics, but plan to cover all 22.

Data Protection Impact Assessment
🇪🇺 GDPR: Required when processing is likely to result in a high risk to individuals' rights and freedoms. Applies broadly based on risk assessment.
🇮🇳 DPDP Act: Required ONLY for Significant Data Fiduciaries. Not required for regular Data Fiduciaries regardless of processing risk.

💡 Note: While not legally required for non-SDFs, conducting DPIAs for high-risk processing is still recommended as a best practice. It demonstrates due diligence and helps identify risks proactively.

Right to be Forgotten
🇪🇺 GDPR: Right to erasure (Article 17) with specific grounds. Some jurisdictions require court/authority involvement.
🇮🇳 DPDP Act: Right to erasure when consent is withdrawn and the purpose no longer applies. No court involvement needed. Simpler trigger mechanism.

💡 Note: DPDP's erasure right is more straightforward than GDPR's. When consent is withdrawn, erase — unless a legal obligation requires retention. No balancing test against public interest or freedom of expression.