DPDP Act vs GDPR: Key Differences, Penalties and Compliance in 2026

India's DPDP Act and Europe's GDPR both protect personal data but differ sharply on consent, penalties and rights. A clear comparison for businesses.
India's Digital Personal Data Protection (DPDP) Act is often called "India's GDPR," and the comparison is useful, but it can also be misleading. Both laws exist to protect personal data, both reach beyond their own borders, and both can impose eye-watering penalties. Yet they are built on different philosophies, and a company that is fully compliant with Europe's General Data Protection Regulation (GDPR) is not automatically compliant with the DPDP Act. For any business that handles the data of both Indian and EU residents, understanding where the two diverge is now a board-level concern.
DPDP Act vs GDPR at a glance
| Dimension | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Data covered | Personal data, digital and on paper | Digital personal data only |
| Decision-maker | Data Controller; processors also directly liable | Data Fiduciary; processors not directly regulated |
| Lawful basis | Six bases, including legitimate interests | Consent-first, plus limited "legitimate uses"; no legitimate interests |
| Individual rights | Access, rectify, erase, portability, object, automated-decision protection | Access, correction and erasure, grievance, and nomination (unique) |
| Maximum penalty | 20 million euros or 4% of global turnover, whichever is higher | Fixed amounts, up to 250 crore rupees; not revenue-linked |
| Telling affected users of a breach | Only if the breach is "high risk" | Always, for any breach |
| Cross-border transfers | Adequacy decision or safeguards (SCCs) required | Open by default; only government-restricted countries blocked |
| In force | Since 2018 | Phased; full penalties from 13 May 2027 |
Same goal, different design
GDPR, in force since 2018, is a broad and prescriptive framework covering personal data in any format, digital or paper. The DPDP Act, passed in 2023 with its implementing Rules notified on 13 November 2025, is deliberately leaner: it governs only digital personal data (or physical data later digitised) and is built around consent. Both apply extraterritorially. GDPR binds any organisation processing the data of people in the EU; the DPDP Act binds any entity processing the digital personal data of people in India in connection with offering goods or services. So a SaaS company in Bengaluru selling to Europe, or a firm in Berlin serving Indian users, can fall under both at once.
The vocabulary: who is who
- The person: a "Data Principal" under DPDP, a "Data Subject" under GDPR.
- The decision-maker: a "Data Fiduciary" under DPDP, a "Data Controller" under GDPR. The word "fiduciary" is deliberate, framing the company as a trustee responsible for preventing harm.
- The processor gap: GDPR places direct legal obligations on data processors, the vendors who handle data on a controller's behalf. The DPDP Act does not regulate processors directly. It makes the Data Fiduciary fully responsible for the processors it engages, so the duty to police your vendors sits squarely on you.
- The big players: DPDP creates a category of "Significant Data Fiduciary" (SDF), designated by the government based on the volume and sensitivity of data handled, with extra obligations such as appointing an India-based Data Protection Officer and conducting audits.
Lawful basis: consent-first versus six routes
This is the sharpest philosophical split. GDPR offers six lawful bases for processing, including the flexible "legitimate interests" route that much of the ad-tech and analytics world relies on. The DPDP Act is far narrower: processing rests primarily on consent, supported by a short list of "legitimate uses" such as a service the person has asked for, or a legal obligation. Crucially, there is no "legitimate interests" basis in the DPDP Act. Companies that justify processing under legitimate interests in Europe must re-map those activities to consent or a listed legitimate use in India.
DPDP consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and accompanied by a plain-language notice. India also introduces a structure with no GDPR equivalent: the Consent Manager, a company registered with the Data Protection Board (incorporated in India, with a minimum net worth of 2 crore rupees) that lets people grant, manage and withdraw consents across services through a single interface.
Your rights as an individual
GDPR grants a wider menu of rights, including data portability and the right not to be subject to purely automated decisions. The DPDP Act gives Data Principals a tighter set: the right to access information about their data, the right to correction and erasure, the right to grievance redressal, and one right with no direct GDPR counterpart, the right to nominate another person to exercise their rights in the event of death or incapacity. As drafted, it does not include a standalone data-portability right or specific protection against automated decision-making.
Penalties: fixed crores versus a slice of turnover
Both regimes hit hard, but they calculate the pain very differently. GDPR caps fines at the higher of 20 million euros or 4% of global annual turnover, so the penalty scales with the size of the company. The DPDP Act instead sets fixed, event-driven maximums in a schedule, not linked to revenue:
- Up to 250 crore rupees for failing to take reasonable security safeguards that lead to a breach.
- Up to 200 crore rupees for failing to notify the Board or affected people of a breach.
- Up to 200 crore rupees for breaching the special protections for children's data.
- Up to 150 crore rupees for a Significant Data Fiduciary failing its extra obligations.
- Up to 50 crore rupees for other contraventions.
The fixed-amount model has a sting that is easy to miss. Because the ceiling does not scale down for small companies, a start-up can in theory face the same 250 crore rupee maximum as a conglomerate. Under GDPR's percentage model, a small firm's exposure shrinks with its turnover. For Indian SMEs, the DPDP penalty structure can therefore be proportionally harsher than GDPR.
What enforcement looks like in practice
Here an honest caveat matters. GDPR has years of muscular enforcement behind it; India's regime is only just switching on. So the cautionary case studies, for now, come from Europe, and they show how expensive these laws can be:
- Meta, 1.2 billion euros (2023). Ireland's Data Protection Commission issued the largest GDPR fine to date over Meta's transfers of EU user data to the United States.
- Amazon, 746 million euros (2021). Luxembourg's authority penalised Amazon over its advertising and consent practices.
- TikTok, 345 million euros (2023). The Irish DPC fined TikTok over the handling of children's accounts, which were public by default.
- LinkedIn, 310 million euros (2024). The Irish DPC penalised LinkedIn over behavioural advertising and consent.
India's Data Protection Board, the body empowered to investigate breaches and impose those crore-scale penalties, is now being stood up. But the full schedule of penalties only takes effect on 13 May 2027, so India's first landmark fines are still ahead. Treating the European fines as a preview of what non-compliance can cost is the sensible posture.
Breach notification: high-risk versus everyone
GDPR requires notifying the supervisory authority within 72 hours, and notifying individuals only when a breach poses a "high risk" to their rights. The DPDP Act is stricter on the individual side: a Data Fiduciary must inform every affected person and the Board of any personal-data breach, regardless of how risky it is. There is no "high-risk" filter to hide behind.
Cross-border data transfers
GDPR restricts transfers outside the EU unless the destination has an "adequacy" decision or appropriate safeguards such as Standard Contractual Clauses are in place. The DPDP Act takes the opposite default: a negative-list model, allowing transfers to any country except those the central government specifically restricts. As of mid-2026 no such restricted list had been published, leaving transfers broadly open, though the Board's own transfer templates are expected during 2026.
The timeline: when the DPDP Act actually bites
The Act has been law since 2023, but its teeth arrive in phases set by the November 2025 Rules:
- From late 2025: the Data Protection Board is established.
- 13 November 2026: the Consent Manager framework and related provisions become operational.
- 13 May 2027: the substantive obligations and the full schedule of penalties take effect.
That staggered runway is the window businesses have to get ready.
What this means for your business
If you already comply with GDPR, you have a real head start, but not a free pass. The gaps that catch GDPR-ready companies out are consistent: re-basing "legitimate interests" processing onto consent, notifying all users of any breach rather than only high-risk ones, taking direct responsibility for the processors you previously treated as separately liable, meeting the children's-data rules, and preparing for SDF obligations if your data volumes are large. GDPR compliance does not equal DPDP compliance, and the cheapest time to close the gap is before May 2027, not after the first enforcement order.
Frequently Asked Questions
Is the DPDP Act basically India's GDPR?
They share the same goal and both apply extraterritorially, but the DPDP Act is leaner and consent-centric, covers only digital data, gives individuals fewer rights, does not regulate processors directly, and uses fixed-rupee penalties instead of turnover-based fines.
What is the maximum DPDP penalty?
Up to 250 crore rupees for failing to maintain reasonable security safeguards. Other failures carry maximums of 200 crore, 150 crore or 50 crore rupees. These are fixed amounts, not a percentage of revenue.
If I comply with GDPR, am I compliant with the DPDP Act?
No. GDPR compliance is a strong foundation, but you must still address consent-first processing, all-breach notification, processor oversight, children's data, and the phased Indian timeline.