DPDPA vs GDPR: Key Differences Every Indian Business Must Know (2026)
DPDPA vs GDPR — how are India's data protection law and Europe's GDPR different? This authoritative side-by-side comparison covers legal basis, consent standards, penalties, enforcement, cross-border transfers, and what Indian businesses with EU customers must do.
DPDPA vs GDPR: A Side-by-Side Comparison (2026)
India's Digital Personal Data Protection Act 2023 (DPDPA) and the European Union's General Data Protection Regulation (GDPR) are both comprehensive data protection laws — but they differ significantly in scope, legal basis, consent standards, and enforcement. Understanding the differences is critical for Indian businesses that serve global customers or operate across borders.
Quick Comparison Table
| Aspect | DPDPA 2023 (India) | GDPR (EU) |
|---|---|---|
| Enacted | August 11, 2023 | May 25, 2018 |
| Full enforcement | May 13, 2027 | May 25, 2018 (active) |
| Scope | Digital personal data processed in India, or outside India in connection with offering goods or services to persons in India | Personal data of individuals in the EU/EEA, processed by automated means or held in a structured filing system (paper included) |
| Legal basis for processing | 2 bases (Consent + Legitimate Uses) | 6 legal bases |
| Consent standard | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous |
| Legitimate interests | Not available as a general basis | Available (Article 6(1)(f)) |
| Maximum penalty | ₹250 Crores (~€28 million) per instance | €20 million or 4% of global annual turnover, whichever is higher |
| Enforcement authority | Data Protection Board of India (single, central) | One or more independent national DPAs per EU/EEA state (decentralised) |
| DPO requirement | Significant Data Fiduciaries only (DPO must be based in India); every fiduciary must publish a contact for data principal queries | Only where Article 37 applies: public authorities, or core activities involving large-scale regular monitoring or large-scale special-category data |
| Breach notification | Notify DPB + affected data principals (no specific deadline) | 72 hours to notify the DPA; individuals notified without undue delay where the risk is high |
| Cross-border transfers | Permitted by default, except to countries the Central Government restricts by notification (negative list) | Adequacy decision, or appropriate safeguards such as Standard Contractual Clauses |
| Right to erasure | Right to correction and erasure (Section 12) | Right to erasure (Article 17) |
| Children's data | Verifiable parental consent for anyone under 18 | Parental consent below 16 for online services (member states may lower to 13) |
Key Difference #1: Legal Basis for Processing
This is the most significant structural difference. GDPR provides six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. DPDPA has only two: Consent and Legitimate Uses (Section 7), a closed list of specific situations such as data the individual voluntarily provides for a stated purpose, employment, medical emergencies and certain State functions.
This means Indian businesses cannot rely on "legitimate interests" as a catch-all basis the way many EU companies do. Unless processing fits one of the enumerated Legitimate Uses, it needs the data principal's consent.
Key Difference #2: Consent Standard
Both laws require high-quality consent, but DPDPA adds "unconditional" to its list, and Section 6(1) limits consent to the personal data necessary for the specified purpose. Burying consent for unrelated processing inside acceptance of the terms of service, a common practice, does not produce valid consent under DPDPA.
GDPR reaches a similar result by a different route: Article 7(4) says consent is unlikely to be "freely given" if performance of a contract is made conditional on consent to processing the contract does not need. The difference is mostly in drafting; in practice neither regime accepts bundled consent.
Key Difference #3: Enforcement Structure
GDPR is enforced by independent Data Protection Authorities (DPAs) in every EU/EEA state (several states, Germany among them, have more than one), coordinated through the European Data Protection Board. Each DPA is required to be independent of government. The DPDPA creates a single Data Protection Board of India (DPB), whose chairperson and members are appointed by the Central Government, which raises questions about institutional independence that GDPR's design avoids.
Key Difference #4: Data Breach Notification
GDPR mandates notification to the relevant DPA within 72 hours of becoming aware of a personal data breach (Article 33), and notification to affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34). DPDPA requires notification to the DPB and to each affected data principal, but this page records no specific timeframe in the Rules; check the notified Rules and any subsequent DPB notifications before fixing an internal deadline.
Key Difference #5: Cross-Border Data Transfers
GDPR uses an adequacy model: the European Commission evaluates whether a non-EU country offers essentially equivalent protection, and transfers to countries without an adequacy decision need appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), plus a transfer impact assessment since the Schrems II judgment.
DPDPA uses a negative list model (Section 16): the Central Government may restrict transfers to notified countries, and transfers to any country not so restricted are permitted without additional safeguards. This is a more permissive approach, with one important caveat: Section 16(2) preserves any other Indian law that imposes stricter localisation or transfer restrictions, so sector-specific rules (for example on payments data) continue to apply on top of DPDPA.
What If You Have Both Indian and EU Customers?
If your business collects data from both Indian residents and EU residents, you must comply with both DPDPA and GDPR simultaneously. In practice, this means:
- Building your consent flow to DPDPA's standard (free, specific, informed, unconditional, unambiguous, per purpose) also satisfies GDPR's consent standard, so the consent layer can be shared
- Adding the GDPR obligations DPDPA does not impose: the 72-hour breach notification clock, a documented legitimate-interests assessment for any processing that relies on Article 6(1)(f), DPO appointment where Article 37 requires it, and SCCs (with a transfer impact assessment) for transfers out of the EU/EEA
- Keeping the DPDPA obligations GDPR does not impose: notices available in English or an Eighth Schedule language, and verifiable parental consent for anyone under 18
- Using a CMP that can hold both configurations and pick one from the visitor's location
The good news: a CMP built for DPDPA's consent standard will generally meet GDPR's consent requirements too. The work is in the obligations outside the banner, not in the banner itself.
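The dual-regime checks described in this section, and the geography-based banner selection discussed in the FAQ below, as an added example (this is not Consently's code and not from the page's author; the record fields, function names and the sample records are assumptions, and the breach clock follows this page's reading that DPDPA's Rules fix no specific window):

```python
"""Consent-record validation and breach-notification clock for a service
with both Indian (DPDPA) and EU/EEA (GDPR) users.

Added example; record shape and function names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# EU member states plus the three EEA EFTA states (ISO 3166-1 alpha-2).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# DPDPA s.5(3): the notice must be available in English or any language of
# the Eighth Schedule to the Constitution.
EIGHTH_SCHEDULE = {
    "assamese", "bengali", "bodo", "dogri", "gujarati", "hindi", "kannada",
    "kashmiri", "konkani", "maithili", "malayalam", "manipuri", "marathi",
    "nepali", "odia", "punjabi", "sanskrit", "santali", "sindhi", "tamil",
    "telugu", "urdu",
}

GDPR_BREACH_WINDOW = timedelta(hours=72)  # GDPR Article 33(1)


@dataclass(frozen=True)
class ConsentRecord:
    country: str               # where the data principal / data subject is
    purposes: dict             # purpose name -> opted in (one flag per purpose)
    bundled_with_terms: bool   # consent was collected as part of accepting ToS
    preticked: bool            # purpose boxes were pre-selected in the UI
    notice_language: str       # language the notice was shown in
    grant_steps: int           # clicks needed to give consent
    withdraw_steps: int        # clicks needed to withdraw it


def regime_for(country: str) -> str:
    """Pick the regime whose consent configuration the banner must use."""
    code = country.upper()
    if code == "IN":
        return "DPDPA"
    if code in EU_EEA:
        return "GDPR"
    return "NONE"


def consent_issues(rec: ConsentRecord) -> list:
    """Reasons a record fails the stricter of the two standards.

    Returns an empty list when the record is acceptable under both. The
    language check only applies when the DPDPA regime is selected."""
    issues = []
    regime = regime_for(rec.country)
    if not rec.purposes:
        issues.append("no purpose specified: consent must be specific")
    if rec.bundled_with_terms:
        issues.append("consent bundled with terms of service: not unconditional "
                      "(DPDPA s.6) / not freely given (GDPR Art. 7(4))")
    if rec.preticked:
        issues.append("pre-ticked boxes are not a clear affirmative action")
    if rec.withdraw_steps > rec.grant_steps:
        issues.append("withdrawal harder than giving consent "
                      "(DPDPA s.6(4) / GDPR Art. 7(3))")
    if regime == "DPDPA":
        lang = rec.notice_language.lower()
        if lang != "english" and lang not in EIGHTH_SCHEDULE:
            issues.append("notice not in English or an Eighth Schedule language")
    return issues


def regimes_in_scope(countries) -> set:
    """Regimes triggered by the countries of the people affected by a breach."""
    return {regime_for(c) for c in countries} - {"NONE"}


def breach_deadline(discovered_at: datetime, regimes: set) -> Optional[datetime]:
    """Earliest regulator deadline across the regimes in scope.

    GDPR fixes 72 hours from awareness. For DPDPA this page records no fixed
    window, so a DPDPA-only breach returns None: notification is still
    required, but no clock is computed here."""
    if "GDPR" in regimes:
        return discovered_at + GDPR_BREACH_WINDOW
    return None


# Constructed sample records (not real user data).
SAMPLE_RECORDS = [
    ConsentRecord("IN", {"order_fulfilment": True, "marketing": False},
                  False, False, "hindi", 1, 1),            # valid under both
    ConsentRecord("DE", {"analytics": True}, True, False, "german", 1, 1),  # bundled
    ConsentRecord("IN", {"marketing": True}, False, True, "french", 1, 3),  # 3 issues
]
SAMPLE_DISCOVERED_AT = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(regime_for(rec.country), consent_issues(rec) or "ok")
    scope = regimes_in_scope(r.country for r in SAMPLE_RECORDS)
    print(scope, breach_deadline(SAMPLE_DISCOVERED_AT, scope))
```

The regime is chosen from the visitor's country, but the consent checks are deliberately applied to every record at the stricter standard: a record that would be rejected in India is rejected in Germany too, which is what lets one consent store serve both regimes.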
Frequently Asked Questions
Is DPDPA based on GDPR?
DPDPA was influenced by GDPR's framework and shares similar principles (consent, data minimisation, data subject rights). However, DPDPA is significantly simpler — it has only 2 legal bases vs GDPR's 6, and is written specifically for India's context. It does not adopt GDPR wholesale.
Is India on the GDPR adequacy list?
No. As of March 2026, the European Commission has not granted India an adequacy decision under GDPR. EU companies transferring personal data to India must therefore use Standard Contractual Clauses (SCCs) or another Chapter V mechanism, together with a transfer impact assessment.
Does GDPR apply to Indian companies?
Yes, if you offer goods or services to EU residents or monitor their behaviour. GDPR has extra-territorial scope (Article 3). Indian startups serving EU customers must comply with GDPR regardless of where they are based.
Which is stricter — DPDPA or GDPR?
GDPR is generally considered stricter in scope (covers non-digital data), legal bases (more nuanced), penalties (turnover-based), and enforcement rigour. However, DPDPA's consent requirements are comparably strict, and its penalty ceiling (₹250 Crores) is significant for Indian-sized businesses. As enforcement matures in India, the gap may narrow.
Can one consent banner be used for both DPDPA and GDPR?
Yes, with the right CMP. A consent banner that meets DPDPA's requirements (free, specific, informed, unconditional, unambiguous, multilingual, with purpose-based granularity) will also satisfy GDPR's consent standard. You'll need the CMP to serve different notice content based on user geography.
Manage DPDPA and GDPR Compliance with Consently
Consently.in is built natively for DPDPA — India's most demanding consent standard. Our platform's consent architecture also satisfies GDPR consent requirements, making it the right choice for Indian businesses with global reach.
- DPDPA-native consent management (purpose-based, unconditional)
- All 22 Eighth Schedule languages plus English, with international language support
- Cookie consent + DPDPA purpose consent in one platform
- Geo-targeted consent notices (different banners for Indian vs EU visitors)
- Audit trails for both DPDPA and GDPR documentation requirements