DPDP Act vs GDPR: What GDPR in India Actually Covers (and What It Misses)
Is GDPR compliance enough in India? A GDPR programme is a head start on the DPDP Act, not a finish line. The specific differences: consent, cross-border transfer, and enforcement.
GDPR compliance is not sufficient for DPDP Act compliance. The two laws share a consent-centred structure and similar individual rights, but differ materially on legal basis, sensitive-data classification, cross-border transfer, language requirements, and the Consent Manager framework, which has no GDPR equivalent.
If your company already serves EU customers, you likely have a GDPR compliance programme running: privacy notices, a Data Processing Agreement template, a cookie banner, maybe a Data Protection Officer. It is tempting to assume that covers the DPDP Act too, since both are comprehensive personal data laws with consent at the centre. It mostly does, but the gaps are specific and worth knowing before an Indian audit finds them for you.
Does GDPR apply in India?
GDPR is not Indian law, but it reaches Indian companies anyway. If you offer goods or services to people in the EU, or monitor their behaviour, GDPR applies to you regardless of where your company is registered. Plenty of Indian SaaS and services businesses are therefore subject to both GDPR (for their EU users) and the DPDP Act (for their Indian users), at the same time, with different rules for each.
That is the situation this comparison is written for. It is not a question of choosing one framework; it is a question of knowing where the two diverge so a single compliance programme does not quietly fail one of them.
Where DPDP and GDPR are similar
- •Both require a lawful basis (usually consent) before processing personal data.
- •Both give individuals rights to access, correct, and erase their data.
- •Both mandate breach notification to a regulator within a fixed window.
- •Both apply extraterritorially to companies processing their citizens' data, regardless of where the company is based.
Where they genuinely differ
| Area | GDPR | DPDP Act |
|---|---|---|
| Legal basis for processing | Six lawful bases, including "legitimate interest" | Primarily consent, with narrower "legitimate uses" than GDPR's legitimate interest |
| Sensitive data category | Explicit "special category data" (health, biometric, religion, etc.) with extra safeguards | No separate sensitive-data category; safeguards instead scale with harm potential under Rule 6 |
| Cross-border transfer | Adequacy decisions and Standard Contractual Clauses required for transfers outside the EEA | Blacklist approach: transfers are allowed by default unless the government restricts a specific destination [Rule 15] |
| Consent infrastructure | No equivalent registered intermediary | Consent Manager: a Board-registered platform for managing consent across companies [Rule 4] |
| Breach notification window | 72 hours to the supervisory authority | 72 hours to the Data Protection Board, but notice to affected users must be "without delay", which can be faster |
| Language requirements | Notices in the language(s) reasonably expected by the audience | Notices in English and any of the 22 Eighth Schedule languages the Data Principal chooses [§5(3)] |
| Regulator | Independent supervisory authorities per member state | Single Data Protection Board of India, functioning as a digital office [Rule 20] |
| Maximum penalty | €20 million or 4% of global annual turnover, whichever is higher | ₹250 crore per violation (not turnover-linked) |
The three gaps that catch GDPR-ready companies off guard
- 1.Legitimate interest does not translate directly. If your GDPR programme leans on legitimate interest as a lawful basis for analytics or marketing, that basis does not map cleanly onto DPDP's narrower "legitimate uses" [§7]. Expect to convert more processing activities to explicit consent than you did for GDPR.
- 2.Multilingual notices are a new build, not a copy-paste. A GDPR privacy policy translated once into Hindi does not satisfy §5(3); DPDP expects the notice to be available in whichever of the 22 Eighth Schedule languages the Data Principal chooses, reviewed for accuracy rather than machine-translated.
- 3.Cross-border transfer logic runs backwards. GDPR asks "is this destination approved?" before every transfer. DPDP currently asks "has the government specifically restricted this destination?", which is a different compliance posture. It is more permissive today, but it means your GDPR transfer-impact-assessment process does not directly apply.
The practical takeaway
A GDPR-ready company is ahead on the general muscle memory: notices, consent capture, breach response, and DSR handling. It is not ready on the DPDP-specific mechanics: consent structure, language coverage, retention schedules under Rule 8, and the eventual Consent Manager integration. Treat GDPR as the head start it is, work through our DPDP compliance checklist for the specific gaps, and run a free Compliance Score below to see where your current setup stands.
Frequently asked questions
Does GDPR apply in India?
GDPR is not Indian law, but it applies extraterritorially to any company, including Indian companies, that offers goods or services to people in the EU or monitors their behaviour. Many Indian SaaS businesses are subject to both GDPR (for EU users) and the DPDP Act (for Indian users) simultaneously.
If I am GDPR compliant, am I automatically DPDP compliant?
No. GDPR compliance covers a meaningful portion of DPDP requirements, particularly around consent capture, breach response, and Data Principal rights, but it does not cover DPDP-specific requirements such as multilingual notices in the Eighth Schedule languages, defined retention schedules under Rule 8, or the blacklist-based cross-border transfer model.
Does the DPDP Act have a "legitimate interest" basis like GDPR?
The DPDP Act has a narrower concept called "legitimate uses" under §7, covering specific scenarios such as voluntarily provided data or employment purposes. It is not a general catch-all basis in the way GDPR's legitimate interest is often used, so processing that previously relied on legitimate interest may need explicit consent under DPDP.
Is the DPDP Act stricter or more lenient than GDPR?
Neither uniformly. DPDP is more permissive on cross-border data transfer (allowed by default, restricted by exception) but has no separate sensitive-data category with GDPR-style extra safeguards, relying instead on proportionate security measures. Language and consent-manager requirements are unique to DPDP and have no GDPR equivalent.