DPDPA vs GDPR: 6 Key Differences Every Indian Business Must Know
Many Indian companies already follow GDPR because they have European users. But DPDPA is not GDPR — and assuming the two are the same could get your business into serious trouble. Here is exactly how they differ.
DataDefend Editorial Team
Privacy & Compliance Experts
May 30, 2026 ◦ 8 min read

Two Different Laws, Two Different Logics
The GDPR (General Data Protection Regulation) came into force in the European Union in May 2018 and quickly became the global gold standard for data protection. Many Indian companies that serve European customers have already built GDPR compliance programmes.
Now India has its own law — the Digital Personal Data Protection Act 2023. And while the DPDPA was clearly inspired by the GDPR, the two laws have significant differences. Assuming your GDPR compliance covers your DPDPA obligations is a dangerous mistake that could expose your business to fines of up to ₹250 crore.
Here are the 6 most important differences between DPDPA and GDPR that Indian businesses must understand.
Difference 1: Scope of Data Covered
GDPR: Applies to both digital and physical personal data — including paper files, handwritten records, and any other form of personal information.
DPDPA: Applies only to digital personal data. Paper records that are never digitised fall outside the scope of the DPDPA entirely.
What this means for you: If your business has patient records, HR files, or customer contracts in physical form only, the DPDPA does not apply to those specific records. However, the moment you scan them, enter them into a system, or store them digitally — they fall under the Act.
Difference 2: Legal Basis for Processing
This is the most critical difference — and the one most likely to trip up companies transitioning from GDPR.
GDPR: Allows six legal bases for processing personal data — consent, contract, legal obligation, vital interests, public task, and legitimate interests. Many companies rely heavily on the 'legitimate interests' basis to process data without obtaining explicit consent.
DPDPA: Primarily relies on consent. There is no 'legitimate interests' basis in the DPDPA. If you process personal data without consent in India, you need to fall under one of the specific exemptions listed in the Act — which are more limited than GDPR's legitimate interests.
"If your data processing currently relies on legitimate interests under GDPR, you will need explicit user consent for the same activities under the DPDPA. This is perhaps the single biggest compliance gap for companies already GDPR-compliant."
Difference 3: Terminology — Data Controller vs Data Fiduciary
GDPR uses the term 'Data Controller' for the organisation that decides how and why data is processed. This is a neutral, administrative term.
DPDPA uses the term 'Data Fiduciary'. The word 'fiduciary' is deliberate — it implies a duty of trust and care, not just legal compliance. A fiduciary is expected to act in the best interests of the person whose data they hold.
While this may seem like just a naming difference, it signals the DPDPA's intent: organisations are not just compliance units — they are expected to be responsible custodians of personal data. The practical obligations are similar, but the underlying philosophy is different.
Difference 4: Individual Rights
GDPR gives individuals a wide range of rights: access, rectification, erasure, restriction of processing, data portability, objection to processing, and rights related to automated decision-making.
DPDPA gives fewer rights: access, correction, erasure, grievance redressal, and the right to nominate a representative. Notably absent from the DPDPA are:
- Right to Data Portability: Users cannot demand their data in a machine-readable format to move to another service
- Right to Object to Processing: No general right to object to processing beyond withdrawing consent
- Rights related to Automated Decision-Making: No explicit protection against purely automated decisions (like AI-based loan rejections)
What this means: DPDPA compliance is simpler in terms of individual rights — but if you serve both Indian and European users, you still need to implement the full GDPR rights framework for your EU users.
Difference 5: Cross-Border Data Transfers
GDPR: Has strict rules for transferring data outside the EU. Organisations must use specific legal mechanisms — Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions — before sending data to countries outside the European Economic Area.
DPDPA: Takes an opposite approach. Cross-border data transfers are permitted by default — except to countries specifically restricted by the Indian Government through notification. The Government has not yet published a list of restricted countries, which means transfers are currently largely unrestricted.
This is simpler than GDPR's approach, but watch this space. The Government may restrict transfers to specific countries as geopolitical considerations evolve. Having a good record of where your data flows is important preparation.
Difference 6: Children's Data and the Consent Manager
GDPR: Sets 16 as the age of digital consent (with member states able to lower it to 13). Requires parental consent for users below the threshold.
DPDPA: Sets 18 as the age of consent for data processing. All users under 18 require verifiable parental consent before their data can be processed. This is a higher bar than GDPR and will have significant implications for any platform with young users — edtech, gaming, social apps, or any consumer service.
The DPDPA also introduces a unique concept not in GDPR: the Consent Manager. This is a registered intermediary that allows users to manage all their consents in one place across multiple platforms. Consent Manager registration opens in November 2026.
- DPDPA children's age threshold: 18 years (GDPR: 16 years)
- Parental consent: Must be verifiable — platforms must implement age verification
- Profiling children: Completely prohibited under DPDPA
- Consent Manager: A new regulated entity unique to India, not present in GDPR
GDPR Compliance Is a Head Start, Not a Finish Line
If your organisation is already GDPR-compliant, you have a strong foundation — but you are not done. The gaps between GDPR and DPDPA, particularly around legal basis for processing, children's data, and the absence of legitimate interests, require specific attention.
The good news is that the core work — data mapping, consent management, vendor audits, security controls — is largely the same. With the right platform, organisations can manage both GDPR and DPDPA compliance in a single unified system.
DataDefend is purpose-built for Indian organisations navigating both GDPR and DPDPA. Our consent management platform, vendor risk tools, and DSAR automation are designed to cover both regulatory frameworks without double the effort.