Same principle, different DNA
The GDPR emerged from a European tradition that treats privacy as a fundamental human right, codified in the EU Charter of Fundamental Rights. It is expansive, prescriptive, and gives individuals sweeping control through six lawful bases and a broad menu of rights.
The DPDPA, by contrast, frames data protection as a fiduciary relationship: the Data Fiduciary holds data in trust for the Data Principal. India’s law is digital-only, consent-centric, and deliberately lean in its compliance architecture, balancing privacy with the country’s booming digital economy.
“GDPR says: here are six ways you can process data — justify which one. DPDPA says: get consent, or fall within narrow legitimate uses. The starting presumption is different.”
| Aspect | GDPR — EU 2018 | DPDPA — India 2023 |
|---|---|---|
| Regulatory Model | Rights-first model | Fiduciary-trust model |
| Legal Bases for Processing | 6 lawful bases for processing | 2 bases: consent + legitimate use |
| Sensitive Personal Data | Sensitive data categories with extra protection | No separate sensitive data category |
| Key Rights | Right to portability + right to be forgotten | Right to nomination (unique to India) |
| Regulatory Structure | Decentralized — 27 national DPAs | Centralized — Data Protection Board of India |
| Penalties | Fines up to €20M or 4% global revenue | Fines up to ₹250 crore (~€28M) fixed cap |
| Scope of Coverage | Covers all personal data (digital + physical) | Covers digital personal data only |
How the architectures diverge
- Lawful basis for processing – GDPR offers flexibility: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. DPDPA narrows this sharply: it is predominantly consent-based, with a closed list of “legitimate uses” (employment, medical emergency, state welfare, court orders). There is no open-ended “legitimate interest” catch-all.
- Cross-border data transfers – This is a fundamental structural inversion. GDPR uses a whitelist/adequacy model: transfers are blocked unless the destination country is approved or specific safeguards (SCCs, BCRs) are in place. DPDPA uses a blacklist model: transfers are permitted to all countries except those specifically blocked by the Central Government. This makes India’s approach more permissive by default.
- Children’s data – GDPR sets the consent threshold at 16 (or 13 in some member states). DPDPA sets it at 18 and requires verifiable parental consent for all minors, making it stricter in this specific dimension.
- Enforcement structure – GDPR is enforced by 27 independent supervisory authorities (one per EU member state), creating variation in enforcement vigor across borders. DPDPA routes all enforcement through a single, centralized Data Protection Board of India, which is more uniform but also more susceptible to executive influence given the wide government exemptions.
- Unique to DPDPA: Consent Manager – India introduced a novel intermediary, the Consent Manager — a registered entity that helps individuals manage consent across multiple data fiduciaries. There is no equivalent in GDPR. This is analogous to India’s Account Aggregator framework in fintech.
Side-by-side comparison
| Aspect | GDPR (EU) | DPDPA (India) |
|---|---|---|
| Enacted | May 2018 | August 2023 (fully in force May 2027) |
| Territorial Scope | Any organization worldwide processing EU residents’ data | Processing of digital data in India; extraterritorial if goods/services offered to Indians |
| Data Covered | All personal data (digital + physical) | Digital personal data only |
| Lawful Bases | 6 bases including legitimate interest | 2 bases: consent + specified legitimate uses |
| Sensitive Data | Defined special categories (health, race, biometrics) with extra rules | Not separately defined; treated uniformly |
| Consent Standard | Free, specific, informed, unambiguous | Free, specific, informed, unconditional, unambiguous – with notice requirement |
| Right to Portability | Yes | No |
| Right to Erasure | Broad (right to be forgotten) | Partial – 30 days from primary systems |
| Right to Nomination | No | Yes (unique to India) |
| Data Protection Officer | Mandatory for certain organizations | Required only for Significant Data Fiduciaries (SDFs) |
| Breach Notification | 72-hour mandatory timeline to supervisory authority | “As soon as possible” – no fixed timeline yet |
| Cross-border Transfers | Whitelist model – blocked unless approved (adequacy/SCCs/BCRs) | Blacklist model – permitted to all except notified restricted countries |
| Children’s Threshold | 16 years (or 13 in some member states) | 18 years – verifiable parental consent mandatory |
| Consent Manager | No equivalent | Yes – registered intermediary |
| Supervisory Authority | 27 national DPAs (decentralized) | Data Protection Board of India (centralized) |
| Maximum Penalty | €20M or 4% global annual turnover | ₹250 crore (~€28M) – fixed cap, not revenue-linked |
| Criminal Penalties | Yes (in some member states) | No – monetary penalties only |
| Government Exemptions | Narrow – proportionality and judicial oversight required | Wide – national security, sovereignty, public order; no explicit judicial review |
| DPIA Requirement | Required for high-risk processing | Annual DPIA required for SDFs only |
| Data Localization | Not mandated (free flow within EU) | Government can designate restricted countries; India-based backups may be required |
| Penalty on Complainants | No | Yes – penalty for frivolous complaints |
Compliance activity matrix
| Activity | GDPR Required | DPDPA Required | Priority | Notes |
|---|---|---|---|---|
| Privacy Notice / Consent Collection | Yes | Yes | High | DPDPA notice must include grievance redressal mechanism |
| Record of Processing Activities (RoPA) | Yes | Partial | High | GDPR mandates detailed RoPA; DPDPA expects it for SDFs |
| Appoint Data Protection Officer | Conditional | SDFs only | Medium | Both apply to high-volume or sensitive data handlers |
| Register Consent Manager | Not required | If applicable | Medium | Unique to India; must register with Data Protection Board |
| Data Breach Notification | 72 hours | ASAP | High | DPDPA timeline TBD in rules; build 72-hour capability anyway |
| Data Protection Impact Assessment | High-risk | SDFs – annual | Medium | GDPR is risk-triggered; DPDPA is calendar-triggered |
| Cross-border Transfer Mechanisms | SCCs/BCRs | Avoid blacklist | High | India not GDPR-adequate; SCCs still needed for EU-India transfers |
| Grievance Redressal Officer | Not required | Yes | Medium | Contact details must be published; 7-day response to requests |
| Parental Consent for Minors | Under 16 | Under 18 | High | DPDPA is stricter; verifiable consent mechanism required |
| Data Deletion / Erasure Process | Broad | 30-day primary | Medium | GDPR is more absolute; DPDPA exempts backups from deletion |
| Data Portability Mechanism | Yes | Not required | Low (India) | Only required when serving EU residents |
| Annual Compliance Audit | Recommended | Mandatory (SDFs) | Medium | SDFs must appoint an independent auditor under DPDPA |
| Legitimate Interest Assessment | Yes (LIA) | Not applicable | Low (India) | DPDPA has no legitimate interest basis – not a valid ground |
| Nomination Rights Process | Not required | Yes | Low (novel) | Allow principals to nominate someone to exercise rights on death/incapacity |
What this means for organizations
GDPR-compliant organizations have a strong foundation for DPDPA compliance, but cannot simply port their existing frameworks. The key gaps to address are: building a consent manager integration, setting up a grievance redressal officer, reviewing cross-border transfer assumptions (the blacklist model is inverted from GDPR’s whitelist), and ensuring parental consent mechanisms extend to age 18 rather than 16.
Conversely, the absence of a legitimate interest basis in DPDPA means Indian companies expanding into Europe will need to revisit their legal-basis strategies from scratch for EU-resident data.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, Concur offers dedicated support through its Support Center to ensure customers have the assistance they need to achieve their compliance goals.