GDPR vs DPDP Act Comparison

Compare Europe's GDPR with India's Digital Personal Data Protection Act (DPDPA) 2023.

⚠️ General information only. Not legal advice. Consult a qualified lawyer.

About the DPDPA 2023

India's Digital Personal Data Protection Act was passed in August 2023. It is India's first dedicated data protection law, replacing the previous IT Act provisions. Rules are still being finalized as of 2026.

Data Principal

DPDPA uses "Data Principal" (equivalent to GDPR's "Data Subject") — the individual whose personal data is being processed.

Data Fiduciary

The entity that determines the purpose and means of processing is the "Data Fiduciary" — equivalent to GDPR's "Data Controller".

Significant Data Fiduciaries

Certain entities may be designated as "Significant Data Fiduciaries" with additional obligations — similar to GDPR's higher-risk controllers.

Frequently asked questions

Does DPDPA 2023 apply to my Indian business?

Yes, if you process digital personal data of individuals in India, whether or not you are based in India. It also applies to processing outside India if it relates to offering goods or services to individuals in India.

Is the DPDPA fully in force?

The DPDPA was enacted in August 2023, but the implementing rules (delegated legislation) are still being finalized by the government as of 2026. Businesses should monitor the Data Protection Board of India notifications for enforcement dates.

How does DPDPA consent compare to GDPR consent?

Both require free, specific, informed and unambiguous consent. DPDPA requires consent to be presented in clear plain language with an option to withdraw. Unlike GDPR, DPDPA lists fewer legal bases for processing — legitimate interests is not recognized in the same way.

What are the penalties under DPDPA vs GDPR?

GDPR penalties can reach €20 million or 4% of global annual turnover. DPDPA penalties can reach ₹250 crore (approx. €28 million) per instance and up to ₹500 crore for significant breaches. Both have tiered penalty structures.

Does DPDPA require a Data Protection Officer?

Only "Significant Data Fiduciaries" designated by the government are required to appoint a Data Protection Officer. This is more targeted than GDPR, which requires a DPO for a broader set of organisations based on the nature of processing.