GDPR vs DPDP Act: The Complete Comparison for Indian Businesses Operating Internationally

Why Indian Businesses Care About Both

Indian companies operating internationally often face both EU GDPR and India's DPDP Act 2023 simultaneously. The two laws share principles but differ in execution, and getting compliance wrong with either is expensive.

GDPR applies to any business that processes personal data of EU residents, regardless of where the business is located. DPDP applies to any business processing personal data of Indian residents, regardless of where it processes. A Bengaluru-based SaaS company serving customers in Germany and India must comply with both.

This guide walks through the practical differences, what is the same, what is different, and how to run a single compliance program covering both efficiently.

Scope and Applicability

Both laws have extraterritorial reach but with slightly different triggers:

• GDPR applies if: you process personal data of individuals located in the EU (regardless of citizenship), in connection with offering goods/services to them OR monitoring their behavior in the EU. Establishment in the EU also triggers GDPR independent of data subject location.
• DPDP applies if: you process personal data of individuals in India (Data Principals) in connection with offering goods/services. Processing entirely outside India of data not connected to Indian goods/services is generally excluded.
• Key practical difference: GDPR has a strict "monitoring behavior" trigger (cookies, analytics) that DPDP does not explicitly include. A US company analyzing Indian website visitors triggers DPDP only if it offers them goods/services; the same analysis of EU visitors triggers GDPR regardless.

Consent and Lawful Basis for Processing

Both laws require a lawful basis for processing, but the menu differs:

• GDPR (6 lawful bases): consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Consent must be freely given, specific, informed, unambiguous and revocable.
• DPDP (2 lawful bases): consent and legitimate uses (an enumerated list including employment, public interest, medical emergency, etc.). DPDP's consent requirements are similar to GDPR: free, specific, informed, unconditional, unambiguous, and revocable.
• Practical implication: GDPR's "legitimate interests" basis is broader and more business-friendly than DPDP's "legitimate uses" enumeration. For routine business processing (analytics, fraud prevention, service improvement), GDPR offers more flexibility; DPDP requires consent or fitting within the enumerated list.

Individual Rights Comparison

Both laws grant individuals significant rights, with overlap and distinctions:

• Access: both grant the right to obtain personal data and information about processing. GDPR includes right to a copy in machine-readable format.
• Correction: both grant right to rectify inaccurate data.
• Erasure: GDPR's "right to be forgotten" is broader. DPDP allows erasure but with exceptions for legal obligations and certain legitimate uses.
• Portability: GDPR explicit right. DPDP does not currently include portability as a standalone right.
• Restriction of processing: GDPR explicit right. DPDP does not include this as a standalone right.
• Object to processing: GDPR explicit right including objection to direct marketing. DPDP allows withdrawal of consent but framing is different.
• Automated decision-making: GDPR has detailed Article 22 provisions. DPDP does not yet include detailed automated decision-making restrictions.
• Grievance redressal: DPDP mandates a Grievance Officer responding to complaints within stipulated time. GDPR's equivalent is the response timeline to data subject requests (typically 30 days).

Penalties and Enforcement

Both laws have substantial financial penalties but with different structures:

• GDPR: up to EUR 20 million OR 4% of annual global turnover (whichever higher) for severe violations. Lesser violations: EUR 10M or 2% of turnover. Supervisory Authorities in each EU country issue penalties (CNIL in France, ICO in UK, etc.).
• DPDP: up to INR 250 crore per violation for failure to prevent personal data breach. Other violations up to INR 200 crore. Penalty per violation, not per turnover.
• In absolute terms: GDPR can be larger for global companies (Meta's 1.2 billion EUR fine, Amazon's 746M EUR fine). DPDP is large for India but capped per violation.
• Enforcement bodies: GDPR via individual EU country Supervisory Authorities (consistency mechanism for cross-border). DPDP via Data Protection Board of India (DPB) at the central level.

Cross-Border Data Transfers

Both laws restrict cross-border transfers but use different mechanisms:

• GDPR transfers: only to countries with EU Commission adequacy decision (limited list including UK, Switzerland, Japan, Israel), via Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or specific derogations. Schrems II requires Transfer Impact Assessments.
• DPDP transfers: generally permitted to any country unless specifically restricted by Central Government notification. The notification system is more permissive than GDPR's adequacy regime.
• Practical implication: GDPR has historically blocked or complicated transfers to the US (until Data Privacy Framework was adopted in 2023). DPDP's approach is more open by default but allows the Government to restrict on national-security grounds.
• For Indian businesses: DPDP makes outbound transfers (Indian data going to US/EU) relatively easy. GDPR makes inbound transfers (EU data coming to India) harder, requiring SCCs and possibly TIAs.

Running a Unified Compliance Program

Most Indian businesses with both EU and Indian exposure run a unified program covering both. The strategy:

• Build to GDPR's higher standard where requirements differ, this typically satisfies DPDP automatically
• Add DPDP-specific elements: Grievance Officer designation, consent in 22 Indian languages where applicable, breach notification to DPB within stipulated time
• Map data flows once: a single Record of Processing Activities (RoPA) covering both regulations
• Unified consent capture: same UI/flow with backend logic to apply appropriate retention and rights based on individual's location
• Vendor contracts: dual GDPR + DPDP clauses in DPAs, with consistent breach notification and audit rights
• Training: combined data protection training covering both, role-specific deepening for those handling EU/Indian data

Practical Next Steps

If your business processes both EU and Indian personal data and you do not yet have a unified compliance program, start with:

• Gap analysis against both GDPR and DPDP simultaneously, this catches differences efficiently
• Data flow mapping across all systems, geographies and vendors
• Privacy notice updates with location-aware language
• Consent management platform with both regulations baked in
• Data subject request workflow built to GDPR's broader rights menu
• Vendor contract refresh with dual-regulation DPAs
• Training rollout, with role-specific modules for those with elevated access
• External validation (ISO 27001 + ISO 27701 makes both auditors happy)
• Combine with ISO 27001:2022 certification for security control evidence both regulators accept