GDPR vs DPDP Act
India's DPDP Act takes a digital-first approach to data protection. With 1.4 billion potential data subjects and penalties up to INR 250 crore (~$30M), compliance is critical for companies serving the Indian market.
At a Glance
Key differences between GDPR and the DPDP Act for mid-market companies (<200 employees).
Detailed Comparison
| Comparison Point | GDPR | DPDP Act |
|---|---|---|
| Jurisdiction | EU/EEA (27 member states) | India (entire territory) |
| Effective Date | May 25, 2018 | August 11, 2023 (rules pending as of 2025) |
| Scope | All personal data processing | Digital personal data only |
| DSAR Response Deadline | 1 month (calendar) | To be specified in rules |
| Maximum Fine | €20M or 4% of global turnover | INR 250 crore (~$30M USD) per violation |
| Controller Term | Data Controller | Data Fiduciary |
| Processor Term | Data Processor | Data Processor |
| Consent Model | Opt-in (6 legal bases) | Consent-centric (fewer legal bases) |
| DPO Equivalent | Data Protection Officer (DPO) | Not required for all (Significant Data Fiduciaries must appoint) |
| Breach Notification | 72 hours to authority | "Without delay" to Data Protection Board + data principal |
| Data Localization | No localization required | Transfers allowed except to government-restricted countries |
| Children's Data | Parental consent under 16 | Verifiable parental consent required, no behavioral tracking |
| Right to Erasure | Yes (Article 17, extensive) | Yes (right to erasure on consent withdrawal) |
| Data Portability | Yes (machine-readable format) | Not explicitly included |
| Enforcement Body | National DPAs + EDPB | Data Protection Board of India |
India's Digital-First Approach
The DPDP Act represents a new generation of privacy legislation. Unlike GDPR, which covers all personal data processing, the DPDP Act specifically targets digital personal data — data collected, stored, or processed in digital form. This digital-first scope reflects India's position as a digital economy with massive online populations.
Data Fiduciary: A New Concept
The DPDP Act introduces the concept of "Data Fiduciary" instead of GDPR's "data controller." While functionally similar, the fiduciary framing implies a higher standard of care and trust. "Significant Data Fiduciaries" — large-scale processors designated by the government — face additional obligations including appointing a DPO equivalent, conducting data audits, and impact assessments.
Penalties Are Comparable
DPDP Act penalties can reach INR 250 crore (~$30 million USD) per violation, which is comparable to GDPR's €20 million cap. However, GDPR's alternative penalty of 4% of global turnover has no equivalent under the DPDP Act. For large multinationals, GDPR's percentage-based penalty can be significantly higher.
Consent Is Central — But Simpler
The DPDP Act takes a more consent-centric approach than GDPR. While GDPR provides 6 legal bases for processing (consent, contract, legal obligation, vital interest, public interest, legitimate interest), the DPDP Act relies more heavily on consent and "certain legitimate uses" that are narrower than GDPR's legitimate interest basis. This means companies may need explicit consent for processing activities that would fall under legitimate interest in the EU.
Children's Data Gets Extra Protection
The DPDP Act places strong restrictions on processing children's data: no behavioral tracking or targeted advertising directed at children, and verifiable parental consent is required. GDPR also protects children's data but allows more flexibility for member states to set the consent age (13-16). India's blanket prohibition on behavioral tracking of children is stricter.
Rules Are Still Pending
A critical caveat: as of early 2025, the detailed rules implementing the DPDP Act have not been finalized. Key details — including specific DSAR response timelines, consent manager requirements, and Significant Data Fiduciary thresholds — will be defined in these rules. Companies should build flexible compliance systems that can adapt to the final rules.
Building Compliance for Both
If you need to comply with both GDPR and the DPDP Act: (1) your GDPR consent framework provides a strong foundation, but you may need to collect more explicit consents for India, (2) prepare for stricter children's data requirements under DPDP, (3) monitor the finalization of DPDP rules for specific deadlines and thresholds, and (4) ensure your data transfer mechanisms account for India's country-based restriction approach (different from GDPR's mechanism-based approach).
Which Law Applies to You?
GDPR applies if: You process personal data of EU/EEA residents — any format, digital or physical.
DPDP Act applies if: You process digital personal data of individuals in India, or process such data outside India in connection with offering goods/services to people in India.
Both apply if: You serve EU and Indian markets digitally. Build GDPR compliance first for the broader foundation, then adapt consent flows and children's data handling for India's stricter requirements. Monitor DPDP rule finalization closely.
Disclaimer: This comparison is maintained independently by PrivacyCache for informational purposes. We strive for accuracy but laws evolve and specific requirements may change. This is not legal advice. Consult qualified legal counsel for compliance decisions. Last updated: 4/2/2026.
