Written by

Sumeshwar Pandey

DPDP vs GDPR: Where Global Teams Get India Wrong

Why a GDPR-era privacy programme is not enough in India, and how leadership can turn DPDP requirements into a disciplined operating plan instead of last-minute firefighting.
Key takeaways
  • GDPR maturity gives a strong foundation in India, but DPDP’s digital-only scope, consent model, children’s rules, and enforcement structure leave material gaps if you reuse your EU playbook unchanged.[1]
  • The biggest risks come from wrong assumptions: treating DPDP as a lighter GDPR, overusing “legitimate interest”, misreading cross-border rules, underestimating children’s data, and assuming a single global DPO can absorb India.[4]
  • An effective model for global organisations is a common privacy baseline with India-specific overlays: clear accountability for DPDP, integrated records and risk registers, and consistent standards where higher protection reduces complexity.
  • A 12–24 month DPDP roadmap should start with governance and triage, then move through notices, consent UX, contracts and records, and finally automation for rights, retention, and breach response in India-facing systems.[5]
  • Delaying DPDP implementation increases regulatory exposure, slows enterprise and regulated-sector deals, and raises the cost of change when the first Indian customer, regulator, or partner tests your controls.

The hidden risk in assuming GDPR covers India

Picture a familiar situation: your organisation has spent years aligning to GDPR, privacy is embedded into major product and sales processes, and regulators in Europe have not raised major concerns. You decide to scale engineering, support, or go-to-market in India and the working assumption is that only minor tweaks are needed—add India to the privacy notice, adjust a contract or two, and carry on. On paper the logic seems sound. In practice, this is exactly where many global teams absorb hidden risk.
India’s Digital Personal Data Protection Act 2023 is built on some of the same ideas as GDPR—data fiduciaries and processors, consent, individual rights—but it is not a carbon copy. It applies to digital personal data, including non-digital data once digitised, and reaches extraterritorially to organisations outside India that offer goods or services in India. It leans heavily on consent and a defined set of statutory “legitimate uses” instead of the broader menu of lawful bases under GDPR. It sets a higher age threshold for children and recognises formal consent managers. It concentrates enforcement in a national Data Protection Board that can combine financial penalties with remedial directions.[1]
For an executive team, the consequence is simple: a GDPR-aligned programme is a good starting point, but it does not, by itself, give you a defensible position under DPDP. The gaps sit precisely in areas that drive board-level decisions—risk appetite for cross-border flows, how far to personalise products for Indian users, what to automate in consent and rights handling, and how much local governance to fund. Treating India as “just another GDPR jurisdiction” creates a false sense of security at the very moment regulators, large Indian customers, and sectoral supervisors are sharpening their expectations.

Structural differences between DPDP and GDPR that matter to leadership

DPDP and GDPR share high-level goals but they diverge in ways that change how you should design your operating model. Four structural contrasts matter most for leadership: scope, legal bases, individual rights and transparency, and how enforcement and cross-border transfers work in practice.
Key structural differences between DPDP and GDPR and how they influence operating choices:
  • Scope and territorial coverage
    DPDP (India): Covers digital personal data, including non-digital data once digitised, for processing within India and processing outside India that relates to offering goods or services in India.
    GDPR (EU): Covers personal data (digital and structured offline records) of individuals in the EU, and applies to organisations that target or monitor them, regardless of where the organisation is established.[2]
    Leadership impact: Centralised processing hubs and shared services may bring Indian data into scope even without an Indian legal entity, so hosting, vendor, and intra-group transfer decisions need an explicit India view.
  • Legal bases for processing
    DPDP (India): Consent is the primary basis, supplemented by a defined list of statutory “legitimate uses” such as compliance with Indian law, emergencies, and certain employment contexts; there is no open-ended legitimate interests test.
    GDPR (EU): Provides six lawful bases—consent, contract, legal obligation, vital interests, public task, and legitimate interests—with the last allowing a balancing-test-based justification for some analytics, security, and product uses.[2]
    Leadership impact: Many data uses currently justified in Europe under legitimate interests may need consent or redesign in India. Leadership needs to set clear rules on when to seek consent, when a legitimate use applies, and when to change the underlying feature.
  • Individual rights and transparency
    DPDP (India): Provides a focused set of rights: information about processing and processors, correction and erasure, grievance redressal, and nomination of another person to exercise rights, plus requirements for clear notices and consent withdrawal options.
    GDPR (EU): Grants a broad catalogue of rights, including access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making, supported by detailed transparency obligations.
    Leadership impact: You must decide whether to offer GDPR-level rights in India for simplicity and brand consistency, or to design a distinct DPDP experience and accept more variation in systems and workflows.
  • Enforcement model and cross-border transfers
    DPDP (India): Enforced by a central Data Protection Board of India, which can impose monetary penalties and direct remedial measures or safeguards. Cross-border transfers are broadly permitted except to countries or territories that may be restricted by government notification, while sectoral regulators can impose additional localisation or retention rules.[1]
    GDPR (EU): Enforced by independent supervisory authorities in each member state, coordinated via a European Data Protection Board, with well-known tiers of administrative fines. Cross-border transfers rely on adequacy decisions, standard contractual clauses, and binding corporate rules, with a strong focus on third-country protection levels.[3]
    Leadership impact: Boards need explicit answers on where Indian data is stored, which laws govern access, how much to invest in India-specific safeguards, and how quickly the organisation could adjust if India tightens transfer restrictions.

Where global teams typically misread India’s privacy regime

Most of the problems global organisations face in India come not from the words of the Act but from assumptions imported from Europe and North America.
  • Treating DPDP as a lighter version of GDPR. This leads to shortcuts like reusing EU notices verbatim, assuming the same consents will do, or treating Indian individual rights as a subset of those in the EU. In reality, DPDP’s focus on digital data, its specific list of legitimate uses, and the role of the Data Protection Board produce a different risk shape. Underestimating that difference can leave you exposed on how you document consent, how you prove that a legitimate use applies, or how you respond when the Board asks for evidence.
  • Assuming GDPR lawful basis analysis carries over unchanged. Product and marketing teams used to GDPR often rely heavily on legitimate interests for analytics, product telemetry, and some profiling. Under DPDP there is no general balancing-test-based legitimate interests ground. You either fit within a defined legitimate use or you do not, in which case consent may be the only viable basis. If teams assume their existing GDPR analysis carries over, they may continue running India-facing features on a legal basis the Indian law does not recognise, with no fallback design if that assessment is challenged.[4]
  • Misunderstanding cross-border transfers and data location. GDPR-trained teams typically think in terms of adequacy, standard contractual clauses, and transfer impact assessments. DPDP starts from a different place: transfers are allowed by default unless India notifies restricted jurisdictions, while sectoral regulators such as financial or insurance supervisors can impose their own localisation, retention, and access expectations. If your India strategy depends on centralising processing in a non-Indian region, assuming EU transfer tooling will satisfy Indian regulators is a fragile bet. You need a considered position on where Indian data sits, who can access it, and how you will respond if restrictions tighten.
  • Underestimating children’s data and India-focused governance. DPDP treats anyone under 18 as a child, with parental consent and specific prohibitions on tracking, targeted advertising, and harmful content, whereas GDPR allows member states to set a lower consent age. Global consumer and edtech products often calibrate age gates and parental flows to the lowest European threshold and roll that out globally; in India that approach can quickly put you out of step with DPDP. At the same time, many boards assume a single global DPO or privacy head can absorb India with no change in mandate or resourcing. If your Indian operations are designated a significant data fiduciary, DPDP expects an India-based DPO and an independent data auditor, and even where you are below that threshold, regulators and enterprise customers will expect a named, accountable India-facing privacy lead. Failing to plan for this is less about legal formality and more about leaving a critical risk area without clear operational ownership.[1]

Designing a global privacy operating model that respects DPDP

For most international organisations, the strategic choice is not between a single global standard and a patchwork of local exceptions; it is how to set a credible global baseline while allowing for deliberate, well-governed overlays where the law or the market genuinely diverges. DPDP forces you to be explicit: what is common across all regions, what is India-specific, and who has the authority to make that call. A workable pattern is to treat core principles—data minimisation, security, breach response discipline, and basic transparency—as global non-negotiables, while configuring India-specific rules in areas like consent flows, children’s protections, and cross-border transfers.
Governance design comes first. Boards should know which executive ultimately owns India privacy risk, how that role relates to the global CISO and CPO, and whether India has its own named privacy lead or DPO with a defined mandate. If your Indian operations could be notified as a significant data fiduciary—for example, because of processing volume, use of new technologies, or involvement of children—you should design for that scenario in advance: an India-based DPO, clarity on their independence, an escalation path to group leadership, and an understanding of how data audits and impact assessments will plug into your existing risk and assurance cycles.[1]
The second design decision is how to structure records, processes, and tooling. DPDP does not reproduce GDPR’s terminology around records of processing activities, but once rules and enforcement begin to bite, you will still be expected to demonstrate where Indian personal data flows, on what basis it is processed, and how rights requests and withdrawals of consent are honoured. Running a separate India spreadsheet or manual workflow outside your global systems will feel nimble in year one and unmanageable by year three. A better pattern is to expand your existing records and workflows to tag India-in-scope processing, attach the relevant DPDP legal basis, and capture India-specific terms in vendor contracts, while keeping a single system of record wherever possible.
Finally, leadership needs a view on where to harmonise up to a GDPR-style standard in India and where to accept DPDP’s own thresholds. Harmonising up makes sense where a higher common denominator actually simplifies your world: for example, offering GDPR-level individual rights globally allows you to build one DSAR workflow rather than maintaining separate India and EU variants. Applying your strictest breach-notification clock as an internal standard can align incident response. On the other hand, enforcing GDPR-like age thresholds or consent formalities worldwide when only India has a statutory under-18 rule may unnecessarily constrain product design elsewhere. The point is not to chase perfection, but to make these trade-offs consciously, with a clear rationale recorded in your risk register and understood by your engineering, product, and commercial leads.

An India-focused DPDP execution roadmap for the next 12–24 months

Once leadership accepts that India needs more than cosmetic adjustments, the question becomes sequencing. You cannot stop product development or sales for a year while you re-architect privacy, but you also cannot assume DPDP obligations will wait for your convenience. A pragmatic roadmap breaks the work into three overlapping waves over roughly 12 to 24 months, each with a clear outcome: immediate risk reduction, solid foundations, and scaled execution.
  1. Stabilise governance and visibility (0–3 months)
    In the first three months, focus on governance and visibility. Confirm who owns DPDP at the executive level and name an India-facing privacy lead, even if you are not yet a significant data fiduciary. Map where Indian personal data sits today: which products touch Indian users, which systems store their data, which vendors process it, and which data flows cross borders. Update public-facing privacy notices to acknowledge DPDP and to provide India-specific information in clear, accessible language. Put a basic playbook in place for data breaches and rights requests from Indian individuals, even if it is partially manual, and make sure your India leadership and sales teams know the organisation’s position when large customers or partners ask about DPDP readiness.
  2. Rebuild foundations in India-facing products and contracts (3–9 months)
    From roughly three to nine months, the work shifts to foundations. Product and design teams should revisit consent flows for India, including sign-up screens, settings, and withdrawal mechanisms, to align with DPDP’s consent standard and to account for the higher age threshold for children where relevant. Engineering and operations teams should extend existing data inventories and logs to record India-specific legal bases and to capture when and how consent was obtained or a legitimate use was relied upon. Legal and procurement teams need to refresh vendor templates and key third-party contracts so that responsibilities for DPDP compliance, security, sub-processing, and cross-border transfers are clearly allocated. At the same time, policy and security teams should rationalise retention schedules for Indian data, reconciling erasure rights under DPDP with retention requirements from financial, tax, or sector-specific laws.[5]
  3. Scale, automate, and evidence controls (9–24 months)
    Over nine to twenty-four months, the emphasis moves to scale and resilience. Manual triage for India rights requests and breaches will not hold if your Indian user base or enterprise footprint grows. This is the window to automate DSAR intake and tracking for Indian individuals, preferably in a way that leverages your existing GDPR processes while honouring DPDP’s specific rights. Consent and preference management for India should integrate with core systems rather than sitting as a detached project, including integrations with any formal consent managers your products adopt. Data deletion and retention enforcement for India-in-scope systems should move from policy documents to controls that actually delete or archive data on schedule and can be evidenced if the Data Protection Board asks.
    • Can you identify, within hours, where Indian personal data is stored and which systems and vendors are involved?
    • Can you explain, with documentation, the legal basis for your main India data uses and when consent versus legitimate uses are relied on?
    • Can you show logs of consent and withdrawals for India-facing products and services?
    • Can you demonstrate how an India rights request or security incident is handled end-to-end, including escalation and remediation?
    • Do you know who in India will engage with regulators or key customers if something goes wrong, and how they are supported by global leadership?
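As an added example (not code from the article or from any of its cited sources), the following Python sketch models the record tagging and consent logging that waves 2 and 3 above call for: each register entry carries the jurisdictions it touches and the legal basis claimed in each, a check flags India-tagged entries that still rely on GDPR-style legitimate interests, claim a basis DPDP does not recognise, or process under-18 users without consent, and a consent log resolves the current state per person and purpose so that withdrawals are honoured. The legitimate-use labels, record names and log entries are constructed placeholders, not the Act's own enumeration or any organisation's real register.

```python
from dataclasses import dataclass
from datetime import datetime

# Bases the article says DPDP recognises: consent plus a closed list of
# statutory "legitimate uses". These labels are constructed placeholders
# chosen to match the article's wording, not the Act's own list.
DPDP_LEGITIMATE_USES = {"indian_legal_obligation", "emergency", "employment"}
DPDP_BASES = {"consent"} | DPDP_LEGITIMATE_USES

# GDPR Article 6 lawful bases, used to check EU-tagged records.
GDPR_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interests"}


@dataclass
class ProcessingRecord:
    name: str
    jurisdictions: set              # e.g. {"EU", "IN"}
    basis: dict                     # jurisdiction -> claimed legal basis
    involves_children: bool = False  # any users under 18 (the DPDP threshold)


def validate_record(rec):
    """Return a list of findings for one register entry; empty means no gap found."""
    findings = []
    for j in sorted(rec.jurisdictions):
        basis = rec.basis.get(j)
        if basis is None:
            findings.append(f"{rec.name}/{j}: no legal basis recorded")
        elif j == "IN":
            if basis == "legitimate_interests":
                findings.append(f"{rec.name}/IN: legitimate interests is not a DPDP basis; "
                                "map to a listed legitimate use or obtain consent")
            elif basis not in DPDP_BASES:
                findings.append(f"{rec.name}/IN: '{basis}' is not a recognised DPDP basis")
            if rec.involves_children and basis != "consent":
                findings.append(f"{rec.name}/IN: under-18 users need verifiable parental consent")
        elif j == "EU" and basis not in GDPR_BASES:
            findings.append(f"{rec.name}/EU: '{basis}' is not a GDPR Article 6 basis")
    return findings


def audit_register(register):
    """Map each record name to its findings, so the gaps can go into a risk register."""
    return {rec.name: validate_record(rec) for rec in register}


@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str
    given: bool        # True = consent recorded, False = consent withdrawn
    at: datetime


def consent_state(log, principal_id, purpose):
    """Latest event for this person and purpose wins; no event at all means no consent."""
    events = [e for e in log if e.principal_id == principal_id and e.purpose == purpose]
    if not events:
        return False
    return max(events, key=lambda e: e.at).given


# Constructed sample register: names and bases are illustrative only.
REGISTER = [
    ProcessingRecord("product_telemetry", {"EU", "IN"},
                     {"EU": "legitimate_interests", "IN": "legitimate_interests"}),
    ProcessingRecord("payroll_in", {"IN"}, {"IN": "employment"}),
    ProcessingRecord("marketing_email", {"EU", "IN"}, {"EU": "consent", "IN": "contract"}),
    ProcessingRecord("teen_tutoring_profile", {"IN"}, {"IN": "consent"}, involves_children=True),
    ProcessingRecord("teen_usage_analytics", {"IN"}, {"IN": "indian_legal_obligation"},
                     involves_children=True),
]

# Constructed sample consent log: p-001 consented and later withdrew, p-002 consented.
CONSENT_LOG = [
    ConsentEvent("p-001", "marketing_email", True, datetime(2025, 1, 10, 9, 0)),
    ConsentEvent("p-001", "marketing_email", False, datetime(2025, 3, 2, 18, 30)),
    ConsentEvent("p-002", "marketing_email", True, datetime(2025, 2, 14, 12, 0)),
]

if __name__ == "__main__":
    for name, findings in audit_register(REGISTER).items():
        print(name, "OK" if not findings else findings)
    for pid in ("p-001", "p-002", "p-003"):
        print(pid, "may receive marketing email:", consent_state(CONSENT_LOG, pid, "marketing_email"))
```

The audit treats a missing basis and an unrecognised basis as separate findings, because in practice they land with different owners: the first is a records gap for the privacy team, the second is a design question for product and legal. The consent log is append-only and the current state is derived from the latest event, which is what lets you evidence both the original consent and its withdrawal if the Data Protection Board asks.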

The business cost of delaying DPDP implementation in India

Treating DPDP as a low-priority compliance task has a predictable cost profile. Regulatory exposure is the most visible: the Data Protection Board can impose significant monetary penalties per contravention and can also order you to change practices, stop certain processing, or adopt specific safeguards. Early enforcement in any new regime tends to focus on clear, demonstrable failings—no real consent mechanism, repeated security lapses, or inability to honour rights—and organisations that have postponed implementation are by definition the easiest targets. The financial impact of an order to halt a data flow or pause a product line serving India can dwarf the penalty itself.
The less visible costs show up in commercial and reputational channels. Large Indian enterprises, especially in financial services, healthcare, and technology, are already updating vendor due diligence questionnaires to ask about DPDP readiness, data location, and India-specific policies. If your answers rely on generic GDPR statements, deals slow down, additional contractual promises are demanded, or opportunities are lost altogether. At the same time, Indian consumers and employees are becoming more vocal about data misuse and security incidents, and local media are quick to link privacy failures with questions about respect for Indian users. By the time a regulator knocks on the door, the organisation may already have absorbed brand damage and internal disruption that far exceed the cost of building a measured, early-stage compliance programme.

Common questions from boards and CXOs on DPDP vs GDPR

Board and executive discussions on DPDP tend to circle around a consistent set of questions: whether GDPR compliance is “good enough”, whether DPDP is stricter or looser than GDPR, whether to push a single global standard, and how much local structure is really required in India. Underneath each of these is the same concern: how to manage risk without fragmenting the operating model or slowing growth in a strategically important market.
The most effective conversations frame DPDP as one more major regulator in your ecosystem, alongside EU data protection authorities, financial supervisors, and security regulators, rather than as a standalone legal puzzle. That framing naturally leads to the right next steps: a clear executive owner, an integrated risk view that recognises India’s specific rules, and a paced roadmap that lets product, engineering, and sales teams adapt without constant emergency reprioritisation.
FAQs

A mature GDPR programme gives you strong building blocks—governance, security controls, records, and rights workflows—but it does not automatically cover DPDP’s specific requirements. The main gaps tend to be in lawful basis, consent, and India-focused governance. Many GDPR-era practices rely on legitimate interests, which DPDP does not recognise as an open-ended lawful basis; under DPDP you either fit within a defined legitimate use or you need consent. Consent flows themselves often need rework to meet DPDP’s expectations for clear, specific, and revocable consent in a digital context, including support for withdrawal and, where relevant, parental consent for individuals under 18. Finally, GDPR programmes usually assume European regulators and rights; they rarely identify an India-based privacy lead, map India-specific data flows, or align contracts with DPDP’s digital and cross-border structure. Until those elements are addressed, your position in India is incomplete even if your European compliance is strong.

Neither regime is uniformly stricter across all dimensions. GDPR is broader in scope, covers more types of processing and more individual rights, and has a long-established enforcement ecosystem. DPDP is narrower in some respects, such as its focus on digital personal data and a shorter list of statutory rights, but tighter in others. It sets a higher age threshold for children, leans more heavily on consent and a closed list of legitimate uses, formally recognises consent managers, and centralises enforcement in a Data Protection Board with the ability to pair financial penalties with behavioural directions. For senior leaders, the useful framing is not “stricter versus looser” but “different shape of risk”: some uses that are comfortable under GDPR’s legitimate interests framework are more constrained in India, while some GDPR-specific formality is not mirrored in DPDP. Your operating model needs to reflect that shape rather than assuming one regime subsumes the other.

Applying your highest standard everywhere can be attractive because it reduces internal debate and promises a single set of rules. In some areas, that works well: offering GDPR-level individual rights globally and using your strictest incident-response timelines as the internal norm can simplify processes and tooling. However, a blanket approach can also create unnecessary friction. For example, aligning every market to India’s under-18 threshold for children’s consent could complicate products targeted at older teenagers elsewhere. Likewise, imposing EU-style data localisation expectations on India when DPDP and sectoral rules do not yet require them may drive avoidable infrastructure cost. A better approach is to define a global baseline and then identify a limited set of areas where you consciously harmonise up (because it simplifies operations or meaningfully reduces risk) and a few where you accept jurisdiction-specific rules. The key is to document those choices, keep them visible in your risk register, and revisit them as Indian rules and market expectations evolve.

DPDP requires additional governance from entities designated as significant data fiduciaries, including an India-based DPO and independent data auditor. Even if you are not yet designated, there are practical reasons to create clear India-facing accountability. Someone in or close to India needs the mandate and time to understand local regulatory developments, oversee implementation of India-specific controls, coordinate responses to Indian rights requests and breaches, and engage with Indian stakeholders such as regulators or key enterprise customers. Your existing global DPO or CPO can retain overall responsibility, but they are unlikely to have the local context and bandwidth to manage day-to-day DPDP work. Many organisations address this by appointing an India privacy lead who reports into the global function, with a clear charter, decision rights, and access to engineering, product, and legal teams supporting India.

Boards do not need a clause-by-clause comparison of DPDP and GDPR; they need a clear view of risk, ownership, and progress. A concise briefing usually covers five points. First, explain why India matters to your organisation in strategic terms—revenue, operations, data processing, or talent. Second, summarise the key ways DPDP changes your risk profile compared to GDPR, focusing on lawful basis, children’s data, enforcement, and cross-border flows. Third, state who at executive level owns DPDP risk and whether you have India-facing privacy leadership in place. Fourth, outline your 12–24 month roadmap in two or three phases, with an honest view of current status and resourcing. Finally, highlight emerging uncertainties—such as pending rules or sectoral regulations—and how you are monitoring them. That framing lets the board challenge assumptions, approve investment, and track delivery without needing to become privacy specialists themselves.

Sources
  1. The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) – Government of India / India Code
  2. India Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 – Summary and implications – EY India
  3. Regulation (EU) 2016/679 (General Data Protection Regulation) – Publications Office of the European Union
  4. Comparison of the DPDP Act, 2023 with GDPR and global privacy laws: convergence and divergence – King Stubb & Kasiva (KS&K)