Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
DPDP-GDPR Divergence Map: A Practitioner's Comparative Analysis

Introduction
The global data privacy landscape has never been more consequential or more complicated for organisations that operate across borders. When India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), it joined a growing constellation of comprehensive data protection regimes anchored by the European Union's General Data Protection Regulation (GDPR). The result is a law that converges with global norms at the level of principle but diverges sharply in architecture, scope, and enforcement mechanics. For multi-jurisdictional data fiduciaries, understanding exactly where these two frameworks align and where they split is not merely a formality. It is the foundation of any robust compliance strategy.
Why should companies care about the divergences?
Under the GDPR, administrative fines can reach €20 million or 4% of a company's global annual turnover, whichever is higher. The DPDP Act, for its part, empowers the Data Protection Board of India (DPB) to impose penalties of up to ₹250 crore (roughly €27 million) per instance of non-compliance.
For a multinational operating in both the EU and India, non-compliance on either front translates into significant financial exposure, and that is before reputational damage is factored in. Beyond penalties, the practical complexity compounds quickly. A company serving Indian and European users must maintain consent mechanisms that satisfy the opt-in logic of both regimes, including India's language-accessibility requirements, and manage cross-border transfer protocols that differ fundamentally between the two frameworks.
Key Areas of Regulatory Divergence
Here is where companies must pay particularly close attention to:
Sensitive Personal Data Categories
This is perhaps the most structurally significant difference. The GDPR creates a separate, more protective tier for "special categories" of data under Article 9: health information, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and so on. Processing such data is prohibited unless one of the specific Article 9(2) exceptions applies. The DPDP Act takes a flat approach: all digital personal data is treated alike, with no additional statutory safeguards for health records, financial data, or biometrics. In practice this means an organisation cannot rely on the DPDP Act to tell it which data sets deserve stronger controls; that classification has to come from its own risk assessment or from sector regulators.
Different sets of lawful bases for processing
The GDPR recognises six lawful bases for processing, including the widely used "legitimate interests" basis, which allows a controller to process data without consent where its interests are not overridden by the interests or fundamental rights of the individual, a balance the controller must document. The DPDP Act has no legitimate-interests basis. Instead, it offers consent and a closed list of "legitimate uses", covering, among others, data voluntarily provided for a specified purpose, state-provided services and benefits, compliance with law, medical emergencies, and employment purposes. These are narrower and less flexible than the GDPR equivalent, so processing that a European entity justifies on legitimate interests will usually need consent when the same processing involves Indian data principals.
Cross-Border Data Transfers
The GDPR's cross-border transfer framework is detailed and well established; it includes adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and other approved mechanisms. Under the DPDP Act, the central government can restrict transfers to specific countries by notification, effectively a negative-list approach, while transfers to all other countries are presumptively permitted. No SCCs or equivalents have been established. One caveat practitioners should not overlook: the Act expressly preserves any other Indian law that imposes a higher degree of protection or restriction on transfers, so sectoral localisation mandates (for example in financial services) continue to apply regardless of the negative list. For multinationals, this creates both an opportunity (fewer transfer barriers for now) and a risk (sudden restrictions by government notification with limited notice).
Child Data: A Higher Bar in India
The DPDP Act defines a child as anyone under 18 and requires verifiable consent of a parent or lawful guardian before processing any child's personal data. It also expressly prohibits tracking or behavioural monitoring of children and targeted advertising directed at them. The GDPR sets the default age of digital consent at 16, permitting member states to lower it to no less than 13. India's approach is stricter on both counts, with a higher age threshold and an explicit prohibition on advertising to minors, which is a material compliance consideration for platforms serving teenagers.
Data Breach Notification
Under the GDPR, data controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Notification to data subjects is required only where the breach is likely to result in a high risk to their rights and freedoms. The DPDP Act sets no risk threshold at all: in the event of a personal data breach, the data fiduciary must intimate both the DPB and every affected data principal, in the form and manner prescribed by the Rules. The Rules require intimation to affected individuals and the Board without delay, followed by a detailed report to the Board within 72 hours of becoming aware of the breach (or a longer period the Board may allow on written request). Separately, CERT-In's 2022 directions require reporting of cyber security incidents to CERT-In within 6 hours. The operational consequence is that an incident response plan tuned to the GDPR's "high risk" gate will under-notify in India; every affected principal must be reached.
Right to Data Portability & Right to Object
The DPDP Act omits two GDPR rights that have significant operational implications: the right to data portability (allowing individuals to receive their data in a structured, machine-readable format and transmit it to another provider) and the right to object, together with the GDPR's protections against decisions based solely on automated processing. For data-rich industries like banking, insurance, and healthcare, portability is an increasingly meaningful consumer protection. Its absence in India reduces the rights burden on companies but may widen the India-EU compliance gap as international standards evolve.
Regulatory Independence
The GDPR requires supervisory authorities to be fully independent from government. The Data Protection Board of India, by contrast, has its members appointed, and its terms of service set, by the central government, which raises independence concerns, particularly where enforcement involves government entities. This structural difference has implications for how companies assess enforcement risk, especially in regulated sectors where the state itself is a participant.
Consent Managers
The DPDP Act introduces “Consent Managers”, entities registered with the DPB that act as a single point of contact through which data principals can manage, review, provide, and withdraw consent across multiple data fiduciaries. There is no GDPR equivalent. Once operationalised, this mechanism will require companies to interface with registered consent managers and align their consent infrastructure accordingly.
Navigating Multi-Jurisdictional Compliance
For organisations managing obligations under both the GDPR and the DPDP Act, the following strategic approach offers a practical path forward:
Anchor globally, adapt locally: The most efficient architecture is to treat GDPR compliance as the global baseline. Since the GDPR imposes stricter obligations in most areas (sensitive data, transfer mechanisms, individual rights), aligning global processes to GDPR standards typically satisfies DPDP requirements by default. The exceptions are the areas where India is stricter: the child age threshold, breach notification to every affected principal, language-accessible notices, and mandatory grievance exhaustion. These must be layered on top as India-specific adaptations rather than assumed to be covered.
Map the divergences explicitly: Conduct a gap analysis that identifies where DPDP obligations differ from your existing GDPR framework. Key focus areas include consent notice language (India requires notices to be available in English or any of the languages in the Eighth Schedule to the Constitution), child age thresholds (update age-gating to 18 for Indian users), and breach notification (prepare broad notification protocols that cover every affected data principal, not just high-risk cases).
Build a jurisdiction-specific consent infrastructure: Consent under the DPDP Act must be granular, withdrawable, and accessible in regional languages. Where your GDPR-compliant consent mechanism does not meet these requirements, Indian users need a separate or adapted flow. Plan for integration with consent managers once the DPB publishes registration and operational rules.
Prepare for evolving cross-border transfer rules: The DPDP Act's negative-list approach to data transfers is not yet fully operationalised. Companies should monitor central government notifications closely, maintain contractual safeguards with Indian data processors and partners, and ensure that intra-group transfer arrangements are documented and defensible.
Designate a Data Protection Officer for SDFs: If your organisation is designated, or likely to be designated, as a significant data fiduciary, based on the volume and sensitivity of Indian personal data it processes or its potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order, then appointing an India-based DPO, conducting periodic DPIAs and audits, and other prescribed measures become mandatory. Start the designation assessment now rather than waiting for government notification.
Invest in grievance redressal: Unlike GDPR, the DPDP Act requires data principals to exhaust the data fiduciary's grievance mechanism before approaching the DPB. This makes a well-functioning, documented internal redressal system not just good practice but also a legal prerequisite to regulatory proceedings.
Plan for government notification risks: The Central Government's powers under the DPDP Act, to restrict cross-border transfers by notification, to exempt government agencies from compliance, and to designate SDFs, introduce regulatory uncertainty that is difficult to plan around. Build flexibility into your data architecture so that geographic segregation of Indian user data can be implemented at short notice if required.
Conclusion
For multi-jurisdictional data fiduciaries, the DPDP-GDPR divergence map is not a compliance obstacle but a strategic asset. Organisations that understand both regimes deeply can build governance frameworks that satisfy both, earn the trust of users in the world's two largest democratic data markets, and position themselves competitively as global data regulation continues to mature. The goal is not just legal compliance; it is building the institutional capability to operate responsibly with personal data wherever in the world that data originates.
Want to know more?
Learn more about India's data protection environment, compliance frameworks, and in-depth analyses of privacy policies at tsaaro.com.
