Why GDPR Experience Both Helps and Misleads
Many Indian SaaS companies and global delivery centres are already GDPR-compliant — either because they serve European customers or because their investors required it. This is a head start: the principles are similar, the documentation mindset is similar, and the technical controls overlap significantly.
But DPDP is not GDPR. Treating it as a simple "India localisation" of GDPR is a mistake that will create compliance gaps. This guide explains the differences that matter for CTOs and engineering leaders.
The Key Differences
1. DPO Requirement
GDPR: A Data Protection Officer is required for public authorities and organisations engaged in large-scale systematic monitoring or large-scale processing of sensitive data.
DPDP: A DPO is required only for Significant Data Fiduciaries (SDFs). Most organisations need only a Grievance Officer — a lower bar, but still a formal appointment with a name and contact published on your website.
What to do: Assess whether you are an SDF candidate. If not, appoint a Grievance Officer immediately. Their details must be publicly accessible.
2. Lawful Basis for Processing
GDPR: Six lawful bases — consent, contract, legal obligation, vital interests, public task, and legitimate interests.
DPDP: Primarily consent and legitimate use (a narrower set of scenarios defined in the Act, including compliance with Indian law, medical emergencies, employment, and certain state functions). The DPDP Act does not have the broad "legitimate interests" balancing test that GDPR allows.
What to do: Audit your GDPR lawful bases. Any processing relying on "legitimate interests" needs to be re-mapped to a valid DPDP basis — likely consent for most commercial processing.
3. Data Protection Impact Assessments (DPIAs)
GDPR: DPIAs are required for any high-risk processing — including systematic profiling, large-scale sensitive data processing, and systematic monitoring.
DPDP: DPIAs are required only for SDFs. Other Data Fiduciaries are not required to conduct DPIAs under the Act.
What to do: If you were already conducting DPIAs for GDPR compliance, continue — it's good practice and will become mandatory if you are designated an SDF. If you were not, DPIAs are not required under DPDP unless you are SDF-designated.
4. Right to Data Portability
GDPR: Explicit right to portability — individuals can request their data in a structured, machine-readable format and transfer it to another controller.
DPDP: No explicit right to data portability. Data principals have access, correction, and erasure rights, but not a formal portability right.
What to do: If you built portability features for GDPR, keep them (good product practice). But you are not legally required to add them for DPDP compliance.
5. Automated Decision-Making Protections
GDPR Article 22: Explicit protections against purely automated decisions with significant effects — individuals have the right to human review, an explanation, and to contest the decision.
DPDP: No equivalent provision explicitly covering automated decision-making.
What to do: GDPR-built protections in this area are not required by DPDP but may still be relevant for EU customers. Don't remove them.
6. Penalty Structure
GDPR: Up to 4% of global annual turnover or €20 million, whichever is higher. The proportional structure makes penalties existential for large companies.
DPDP: Flat ceilings — up to ₹250 crore (≈USD 30M) per violation category. Not percentage-based, so the relative burden varies by company size.
What to do: For Indian companies with revenues under ~₹600 crore, DPDP penalties are proportionally higher relative to size. Budget for compliance accordingly.
7. Data Localisation
GDPR: No explicit data localisation requirement. Cross-border transfers require adequacy decisions or appropriate safeguards (SCCs, BCRs).
DPDP: Personal data may be transferred outside India, subject to any requirements or restrictions the Central Government specifies by general or special order (DPDP Rules, 2025, Rule 15). This is a restriction/negative-order model — there is no approved-country "whitelist." Significant Data Fiduciaries may additionally be required to localise specific data categories notified by the Government (Rule 13(4)). (Rules notified 13 Nov 2025.)
What to do: If you operate data centres outside India, assess your cross-border transfer exposure. Regulated sectors (BFSI, healthcare) may face stricter requirements via sector regulators (RBI, IRDAI, SEBI).
Side-by-Side Comparison
| Topic | GDPR | DPDP Act, 2023 |
|---|---|---|
| DPO requirement | Large-scale / public authorities | Only for SDFs |
| Lawful bases | 6 (incl. legitimate interests) | Consent + limited legitimate use |
| Right to portability | Yes | No |
| Automated decision protections | Yes (Article 22) | No explicit provision |
| Penalty structure | % of global turnover (up to 4%) | Flat ceiling (up to ₹250 crore) |
| Data localisation | Transfer restrictions (adequacy/SCCs) | Transfers permitted unless restricted by Central Government order (Rule 15); SDF localisation for specified data (Rule 13(4)) |
| DPIAs | All high-risk processing | Only for SDFs |
What Carries Over from GDPR
These GDPR controls are directly applicable to DPDP and require no changes:
- Consent management — valid consent standards are very similar
- Privacy notices — structure and content requirements are comparable
- Data retention and erasure — purpose limitation principle applies equally
- Data breach incident response — similar obligation to notify; notification timelines differ
- Vendor/processor management — DPA obligations are equivalent
- Security safeguards — appropriate technical and organisational measures required
Your DPDP Gap Analysis Checklist (for GDPR-Compliant Companies)
- [ ] Re-evaluate lawful bases — replace "legitimate interests" with consent or DPDP legitimate use
- [ ] Appoint a Grievance Officer and publish their contact details
- [ ] Update privacy notices to include DPDP-specific rights and Grievance Officer details
- [ ] Build or procure a consent management platform that stores DPDP-compliant consent artifacts
- [ ] Implement rights workflows for access, correction, erasure and grievance (grievance redressal within 90 days per Rule 14(3); set your own SLA for the others)
- [ ] Review cross-border data transfer arrangements against any Central Government transfer restrictions/orders (Rule 15) and SDF localisation obligations (Rule 13(4))
- [ ] Assess SDF designation risk and prepare for additional obligations if applicable
Need help with the gap analysis? Our free DPDP self-assessment maps your organisation against all 15 obligation areas and identifies your specific gaps. Or talk to our DPDP experts.