DPDP Act vs GDPR: How India's Law Differs from Europe's
The DPDP Act borrows the GDPR's vocabulary but not its architecture. Some obligations are lighter in India, several are stricter, and a few — consent managers, nomination rights — exist nowhere else. Here is the practical comparison.
Side-by-side comparison
| Dimension | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only (or digitised offline data) | All personal data, digital or manual filing systems |
| Lawful bases | Consent or enumerated "legitimate uses" only — no open-ended legitimate interest | Six bases including contract, legal obligation and legitimate interests |
| Sensitive data | No separate category — uniform protection | Special categories with stricter conditions |
| Consent standard | Free, specific, informed, unconditional, unambiguous, clear affirmative action | Substantially similar standard |
| Breach notification | Every breach must be reported to the Board and affected individuals | Risk-based: report only breaches likely to risk rights and freedoms |
| Penalties | Absolute caps — up to ₹250 crore per instance | Up to €20M or 4% of global turnover, whichever is higher |
| Cross-border transfer | Allowed by default except to blacklisted countries | Restricted by default — needs adequacy or safeguards |
| DPO requirement | Only Significant Data Fiduciaries; DPO must be based in India | Required for certain processing regardless of size |
| Right to portability | Not provided | Provided |
| Nomination right | Unique: nominate someone to exercise rights after death/incapacity | Not provided |
| Consent managers | Registered interoperable consent platforms (from Nov 2026) | No equivalent |
| Children | Under 18; verifiable parental consent; no tracking/targeted ads at children | Under 16 (member states may lower to 13) |
Where DPDP is stricter than GDPR
- Universal breach notification: there is no "unlikely to result in risk" carve-out — every personal data breach must be reported.
- No legitimate-interest ground: routine processing that European teams justify under legitimate interests needs consent or a listed legitimate use in India.
- Age of consent is 18 — the highest threshold among major regimes — with verifiable parental consent required below it.
Where DPDP is lighter
- No records-of-processing, DPIA or DPO obligations for ordinary fiduciaries (these attach only to Significant Data Fiduciaries).
- Cross-border transfers are permitted by default rather than restricted by default.
- No right to data portability and no direct right to compensation through the Board (civil remedies remain separate).
If you already comply with GDPR
You are perhaps 70% of the way there — but the remaining 30% bites: consent-only processing where you relied on legitimate interests, notification of every breach, India-resident DPO if you are notified as an SDF, and consent-manager interoperability. Map the deltas rather than assuming coverage.
One safeguard that satisfies both regimes
Client-side document processing transmits nothing, so there is no processor, no transfer, and no breach surface — under either law. That is how every EverydayPDF tool works.
How zero-upload worksFrequently asked questions
Is the DPDP Act a copy of the GDPR?+
No. It shares concepts (consent, breach notification, individual rights) but is structurally different: consent-centric with no legitimate-interest ground, no sensitive-data category, absolute penalty caps instead of turnover-linked fines, and unique constructs like consent managers and the nomination right.
Which law has higher penalties, DPDP or GDPR?+
It depends on the organisation. GDPR fines scale to 4% of global turnover, so they can exceed ₹250 crore for very large companies. For small and mid-sized organisations, DPDP's absolute per-instance caps can be proportionally far harsher.
Do I need to report every data breach under the DPDP Act?+
Yes. Unlike the GDPR's risk-based threshold, the DPDP regime requires every personal data breach to be reported to the Data Protection Board and communicated to affected individuals, within the timelines prescribed by the Rules.
Does GDPR compliance make me DPDP compliant?+
Not automatically. The biggest gaps are usually processing grounds (no legitimate interests under DPDP), universal breach notification, the under-18 consent threshold, and — for Significant Data Fiduciaries — an India-based Data Protection Officer.
Continue reading
What is the DPDP Act?
India's first comprehensive data protection law, explained in plain English — definitions, scope, rights and duties.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
Consent requirements
The anatomy of valid consent — notice contents, withdrawal, Section 7 legitimate uses, and consent managers.
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
