All articles
Comparison 10 min read 2 May 2026 Primitra

DPDP Act vs GDPR: 7 Differences That Will Trip Up Indian Startups

If you've ported a GDPR program to India, here's where the Digital Personal Data Protection Act, 2023 diverges — consent architecture, cross-border transfers, Significant Data Fiduciary thresholds, and breach notification timelines.

Most of the DPDP Act compliance work we do with Indian startups is really unlearning. Founders and legal teams who lived through GDPR readiness in 2017–2018 arrive with strong instincts that are directionally right but tactically wrong for India.

Here are the seven divergences that most frequently derail a straight GDPR-to-DPDP port.

1. There is no "legitimate interests" basis

Under Article 6(1)(f), GDPR lets you process personal data on the basis of your legitimate interests, provided a balancing test favours the controller. The DPDP Act does not include this basis. Section 7 lists the "legitimate uses" — voluntary provision by the data principal for a specified purpose, employment, legal obligation, medical emergency, disaster response, and a few others. If none of those apply, you need consent under Section 6.

Practical impact: analytics, personalisation, and fraud-prevention processing that GDPR programs run on legitimate interests need a consent path in India. This is often the single largest architecture change.

2. Consent is stricter, and withdrawal must be as easy as consent

GDPR requires freely given, specific, informed, and unambiguous consent (Article 4(11)). The DPDP Act adds "unconditional" (Section 6(1)) and explicitly mandates that withdrawal be "as easy as giving consent" (Section 6(4)).

"As easy as" gets audited literally. If sign-up is one click, withdrawal must be one click. If sign-up is a single form, withdrawal cannot require a support ticket. Many Indian startups fail here because their onboarding is smoother than their unsubscribe flow.

3. Notice must precede or accompany consent — and it's prescriptive

GDPR privacy notices are governed by Articles 13–14 and are relatively flexible in format. The DPDP Act's Section 5 requires an itemised notice specifying the personal data collected and the purpose, in plain language, and importantly in English or any language listed in the Eighth Schedule of the Constitution.

For a consumer product in India, this means your consent notice may need to be available in Hindi, Tamil, Bengali, and other listed languages depending on your user base. GDPR notices in English-only rarely satisfy Section 5.

4. Cross-border transfers use a blocklist, not an allowlist

GDPR restricts transfers unless the destination country is covered by an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or a derogation (Chapter V).

The DPDP Act inverts this. Section 16 permits transfers to any country unless the Central Government notifies restrictions on a specific country. There is (as of 2026) no published blocklist. The default is permissive — but sectoral regulators (RBI, IRDAI, SEBI) impose their own localisation requirements that continue to bind.

Practical impact: your GDPR SCC toolkit does not translate directly. You need a sector-aware transfer strategy.

5. Significant Data Fiduciary status is a real threshold with real consequences

There is no GDPR equivalent to the Significant Data Fiduciary (SDF) designation. Under Section 10, the Central Government may designate a Data Fiduciary as an SDF based on volume and sensitivity of data, risk to sovereignty, risk to electoral democracy, and risk to public order.

Once designated, an SDF must:

  • Appoint a Data Protection Officer based in India (Section 10(2)(a)).
  • Appoint an independent data auditor (Section 10(2)(b)).
  • Conduct periodic DPIAs and audits (Section 10(2)(c)).

For scaling startups, quietly crossing an SDF threshold — without noticing — is a real risk. Our DPO services are frequently engaged the quarter after designation, which is too late.

6. Breach notification: no fixed hour count in the Act, but expect fast

GDPR's Article 33 sets a 72-hour clock for controller-to-supervisory-authority notification. The DPDP Act's Section 8(6) says the Data Fiduciary shall "intimate" the Board and each affected data principal, without specifying an hour count in the Act itself.

The DPDP Rules published in 2025 lean toward fast notification (typically 72 hours for the Board, "without delay" for affected principals). In practice, treat the GDPR 72-hour clock as the ceiling, not the floor.

7. Penalties are structured differently

GDPR fines are calculated as a percentage of global turnover (up to 4%). The DPDP Act's Schedule sets fixed monetary penalties by category of breach — up to ₹250 crore for failure to prevent a personal data breach and up to ₹200 crore for failure to notify.

The absence of turnover-linked fines can feel less scary until you realise the Schedule caps apply per instance, and the Data Protection Board has discretion on quantum.

What this means for your migration plan

If you're porting a GDPR program:

  1. Revisit every processing activity relying on legitimate interests. Build a consent path or map to a Section 7 legitimate use.
  2. Rewrite your notices for Section 5. Include the itemised categories and add local-language versions where your user base warrants it.
  3. Retire your SCC-based transfer paperwork as your primary control. Replace it with sectoral compliance mapping (RBI/IRDAI/SEBI) and monitor the Central Government's Section 16 notifications.
  4. Assess your SDF exposure early. If you're at or approaching relevant thresholds, get a fractional DPO engaged before you're designated.

For a side-by-side migration workshop tailored to your product, see our GDPR-to-DPDP transition service.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation