If your organization already complies with GDPR (because you have European customers or employees), you have a significant head start on DPDP. But DPDP is not GDPR. Extending a GDPR programme to DPDP without understanding the differences produces gaps that look like compliance but are not. This is the side-by-side comparison for Indian businesses in 2026, covering what transfers directly, what needs adjustment, and what is entirely different.
What transfers directly
The underlying architecture of both regimes is similar: identify lawful basis, provide notice, obtain consent where required, enable data-subject rights, secure data, notify breaches, govern processors. An organization with mature GDPR compliance has most of the operational muscle memory DPDP requires.
Directly transferable:
- Data mapping and records of processing
- Privacy-by-design and privacy-impact assessment practices
- Processor governance, DPA templates (with DPDP-specific clauses added)
- Breach detection and response capability
- Data-subject/Principal rights fulfilment infrastructure (though specific rights differ)
- Policy documentation structure
Key differences to account for
1. No general “legitimate interest” basis
GDPR Article 6(1)(f) permits processing based on legitimate interest balanced against data subject rights. DPDP has no equivalent. Its non-consent basis is “certain legitimate uses” (§7), which is enumerated and narrower.
Practical impact: processing activities your GDPR programme bases on legitimate interest (fraud detection, direct marketing to existing customers, security analytics) may need consent under DPDP or need to be redesigned.
2. No explicit data minimization requirement
GDPR Article 5(1)(c) is a core principle. DPDP does not have an equivalent named principle, though §5 purpose limitation effectively requires it operationally.
Practical impact: less of a shift; if you are already collecting only what you need for purpose-limited reasons, you are compliant with both.
3. Specific rights differences
GDPR grants: information, access, rectification, erasure, restriction, portability, object, not-to-be-subject-to-automated-decision, lodge complaint.
DPDP grants: access, correction (including completion and updating), erasure, grievance redressal, nomination.
Rights that DPDP lacks:
- No portability: no standalone right to export data in a machine-readable format
- No general right to object: consent withdrawal substitutes for some use cases but not all
- No automated-decision-making right: profiling is not separately regulated except for children
Notable DPDP addition: the nomination right (passing rights to another person on death or incapacity) has no GDPR equivalent.
4. Cross-border transfer model
GDPR restricts transfers outside EU except to adequate countries, or via SCCs, BCRs, or specific derogations.
DPDP §16 permits transfers to any country except those on a government-published restricted list. This is structurally opposite to GDPR.
Practical impact: DPDP is more permissive by default, but the restricted list is the point of friction. Organizations should build architecture flexibility to geofence data if a country is added to the list.
5. Penalty structure
GDPR penalties: tiered at the higher of a fixed amount or a percentage of global turnover (up to 4% of annual global turnover, or €20 million).
DPDP penalties: fixed maximum per contravention (up to ₹250 crore). No revenue-percentage alternative.
Practical impact: for large multinationals, GDPR penalties can exceed DPDP maximums. For Indian SMEs, DPDP maximums are substantial but fixed, which cuts both ways.
6. Children’s data threshold
GDPR defines a child as under 16 by default, with member-state flexibility down to 13. DPDP defines a child as under 18.
Practical impact: products that treat 16+ users as adults under GDPR must treat up to 18-year-olds as children under DPDP.
7. Consent Manager framework
DPDP has a registered-intermediary framework allowing users to manage consents across multiple Data Fiduciaries through a Consent Manager. GDPR has no equivalent built-in; consent management is direct.
Practical impact: DPDP-optimized consent architecture can route through Consent Managers, reducing per-Fiduciary consent management burden.
8. Significant Data Fiduciary regime
DPDP’s SDF designation carries additional obligations (DPO, auditor, DPIA). GDPR imposes broadly equivalent obligations on all controllers (DPO requirements, DPIA for high-risk processing), whereas DPDP’s SDF regime applies only to designated entities.
9. Breach notification timing
Both regimes use a 72-hour clock, so the operational timelines are similar. The DPDP rules prescribe slightly different content requirements for the notification itself.
10. Data Principal duties
DPDP §15 imposes duties on Data Principals (not to impersonate, not to suppress information, not to file false complaints). GDPR has no equivalent Principal-side obligations.
Adapting a GDPR programme to DPDP
For organizations with existing GDPR compliance, the 90-day DPDP extension roadmap:
- Review all processing bases: identify and redesign anything currently relying on legitimate interest
- Review cross-border data flows: map them against the likely initial restricted-country list
- Update privacy notice for DPDP-specific requirements including language plurality
- Update DPAs with DPDP-specific clauses
- Review children’s data handling against the 18-year threshold
- Update data-subject-rights fulfilment to include nomination and to match DPDP-specific response timelines
- Assess SDF-designation likelihood and prepare for heightened obligations if applicable
- Document India-specific processor relationships and sub-processor chains
- Translate key notices and consent content to relevant Indian languages
- Map sectoral regulator overlays (RBI, IRDAI, SEBI, ABDM) onto the unified programme
A GDPR-mature organization can reach DPDP compliance in 60 to 120 days of focused work. A GDPR-immature organization building both regimes together will take longer, but the shared architecture saves significant redundant work.
Related reading
- DPDP Compliance: The Complete Guide for Indian Businesses
- DPDP Act 2023: Full Text Explained for Founders
- DPDP Compliance for SaaS Startups