India's Digital Personal Data Protection Act 2023 (DPDP Act) is now a compliance reality — not a future consideration. For Indian IT companies and SaaS firms that already maintain GDPR compliance for their European clients, the natural question is: how much of what we've already built can we reuse?
The answer: more than you might expect, but with some critical gaps that will catch organisations off guard. This article maps the two frameworks side by side — focusing specifically on where DPDP diverges from GDPR, and where Indian organisations face genuine new obligations.
If your organisation has a functioning GDPR compliance programme, you're not starting from scratch. The following GDPR controls have direct equivalents in DPDP and can be mapped across with minimal modification:
Here is where organisations need to pay close attention. These are the areas where GDPR compliance does not automatically mean DPDP compliance.
| Area | GDPR Position | DPDP Act Position | Gap / Action Required |
|---|---|---|---|
| Lawful basis for processing | 6 lawful bases including legitimate interests | Consent or "certain legitimate uses" — no general legitimate interests basis | Review all processing activities relying on legitimate interests under GDPR — each needs either consent or a specific DPDP "legitimate use" category |
| Children's data | 16 years (or lower with member state option); parental consent for under-16 | 18 years; parental consent mandatory; no age-assurance exemption without verifiable mechanism | If any services are used by or targeted at under-18s, the compliance bar under DPDP is significantly higher than GDPR |
| Cross-border data transfers | Adequacy decisions, SCCs, BCRs, derogations | Government to publish approved country list; transfers to non-approved countries restricted | The approved country list is not yet published. Organisations must monitor for the notification and review all international transfer arrangements when published |
| Data localisation | No localisation requirement; transfer mechanisms available | No blanket localisation requirement in DPDP text, but "Significant Data Fiduciaries" may face additional rules | Monitor Significant Data Fiduciary classification criteria — organisations meeting the threshold may face localisation obligations |
| Significant Data Fiduciary (SDF) obligations | No direct equivalent (though DPO requirement overlaps) | SDFs must appoint a Data Protection Officer in India, conduct DPIAs, and undergo independent audits | Determine if your organisation will be classified as an SDF when criteria are published. If yes, budget for DPO appointment and independent audit programme |
| Grievance redressal | Right to lodge complaint with supervisory authority | Data Principal can first contact Data Fiduciary's Consent Manager / grievance officer; then escalate to Data Protection Board | Must establish a named grievance officer with published contact details and a defined response process (72 hours acknowledgement, 30-day resolution) |
| Right to nominate | No direct equivalent | Data Principal can nominate another person to exercise rights on their behalf in case of death or incapacity | New operational requirement with no GDPR parallel — nomination handling process needs to be designed from scratch |
DPDP requires consent requests in "clear and plain language" and gives the Data Principal the right to withdraw consent "as easily as it was given." This sounds similar to GDPR but in practice the DPDP's implementing rules are expected to require significantly simpler language — closer to plain-English consumer notices than the legalese that passes GDPR scrutiny in many implementations. Review all consent notices now.
Unlike GDPR's DPO requirement (which applies only above certain thresholds), DPDP requires every Data Fiduciary to have a grievance redressal mechanism with a named officer. For many mid-sized IT firms, this means a named individual (not a generic email address) must be published and responsive within defined timelines. This is a new operational overhead with no GDPR equivalent for sub-threshold organisations.
GDPR's tiered penalty structure (up to 4% of global turnover or €20M) is well understood. DPDP's penalty structure is different — it provides for penalties up to ₹250 crore per category of violation, with specific amounts per violation type as set by the Data Protection Board. Importantly, the Board has discretion over amounts. The risk model is different from GDPR and should be factored into your privacy risk assessment.
If you have limited bandwidth, prioritise in this order: (1) Audit all current consent mechanisms against DPDP's clear language requirement. (2) Appoint and publish a grievance officer. (3) Map all processing activities to either consent or a specific DPDP legitimate use category. (4) Monitor for SDF classification criteria and cross-border transfer approved country list publication.
The DPDP Act is notified. The implementing rules are being finalised. The window to build compliance before enforcement begins is narrowing. The organisations that will transition smoothly are those that start the gap assessment now rather than waiting for the final rules.
Your GDPR programme is a genuine head start — use it. Conduct a formal mapping exercise comparing your existing controls to DPDP requirements, identify the gaps above, and build a remediation roadmap that addresses them in priority order. The grievance officer appointment and consent language review can be done quickly. The SDF preparation requires more lead time but the criteria aren't yet published — monitor for them and be ready to move fast when they are.
We provide DPDP gap assessments for organisations with existing GDPR programmes, and end-to-end DPDP implementation support for those starting fresh.