The most expensive assumption in Indian privacy right now
"We are GDPR compliant, so DPDPA is mostly done." I hear a version of this weekly, usually from companies with European customers and a mature privacy programme. It is roughly half true — and the false half is where the penalties live.
The Digital Personal Data Protection Act, 2023, operationalised by the DPDP Rules notified on 14 November 2025, borrows GDPR's vocabulary but not its architecture. Several core mechanics are genuinely different, and a GDPR programme transplanted unchanged into India will fail on exactly those mechanics. Here is the practitioner's view of what carries over, what does not, and what you must build fresh — with soft enforcement ending in November 2026 and hard enforcement landing on 13 May 2027.
Difference 1: Consent-first, with no legitimate-interests escape hatch
GDPR gives controllers six lawful bases, and in practice a huge share of routine processing rides on legitimate interests — analytics, fraud prevention, product improvement, much of B2B marketing.
The DPDPA has no legitimate-interests equivalent for most processing. Consent is the primary lawful basis, with a narrow set of legitimate uses defined in the Act itself. Every processing activity your GDPR ROPA justifies under legitimate interests needs to be re-examined for India: either it fits a defined legitimate use, or it needs consent, or it stops.
This is not a paperwork change. It is a product change. The Data Protection Board's first enforcement actions — against app developers in Q1 2026 — were about invalid consent. Consent that is bundled, pre-ticked, vague or hard to withdraw is the regulator's first target, and withdrawal must be as easy as giving consent.
Difference 2: Notices in all 22 scheduled languages
GDPR requires notices to be intelligible and accessible. The DPDPA requires them to be available in all 22 languages of the Eighth Schedule of the Constitution.
No European privacy programme has anything comparable. Operationally this means professional translation, a review workflow for legal accuracy in each language, and version control so you can prove which notice version — in which language — a given consent was collected against. This is a documentation-operations problem; we run it through Document Management with versioned notice libraries.
Difference 3: Consent Managers — an interoperability layer GDPR never built
The DPDPA introduces registered Consent Managers: platforms through which Data Principals can give, manage, review and withdraw consent across Data Fiduciaries. The framework is being operationalised between June and August 2026, built on interoperable APIs.
There is no GDPR equivalent. European consent lives inside each controller's own UX. In India, your consent architecture must be able to receive and honour consent and withdrawal signals arriving from outside your own properties. If your consent records sit in a marketing tool's database with no API surface, you have an integration project to scope now, before the framework goes live.
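The consent architecture that Differences 1, 2 and 3 together demand, as an added illustration (not code from the original post or from any product mentioned here): every consent is recorded against the exact notice version and language it was collected under, withdrawal is a single call with no more friction than granting, and withdrawal or grant signals arriving from a registered Consent Manager are honoured through the same registry. The signal dict schema and the language tags are assumptions, since the interoperable API format is not on the page.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str        # the versioned notice the principal actually saw
    notice_language: str       # language of that notice version (assumed tag, e.g. "hi")
    given_at: datetime
    source: str                # "first_party" or "consent_manager"
    withdrawn_at: "datetime | None" = None

class ConsentRegistry:
    def __init__(self) -> None:
        self._records: list = []   # append-only; withdrawal closes a record, never deletes it

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              notice_language: str, source: str, at: str) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, notice_version, notice_language,
                            datetime.fromisoformat(at), source)   # `at` is ISO-8601 with offset
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: str) -> int:
        """One call closes every open consent for the purpose; returns how many were closed."""
        when, closed = datetime.fromisoformat(at), 0
        for r in self._records:
            if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at, closed = when, closed + 1
        return closed

    def in_force(self, principal_id: str, purpose: str, at: str) -> "ConsentRecord | None":
        """Consent open at `at`; the record carries notice version and language as evidence."""
        when = datetime.fromisoformat(at)
        for r in self._records:
            if (r.principal_id == principal_id and r.purpose == purpose and r.given_at <= when
                    and (r.withdrawn_at is None or r.withdrawn_at > when)):
                return r
        return None

def handle_consent_manager_signal(registry: ConsentRegistry, signal: dict) -> int:
    """Apply an inbound Consent Manager signal; the dict schema is an assumption, not the real API."""
    if signal["action"] == "withdraw":
        return registry.withdraw(signal["principal_id"], signal["purpose"], signal["at"])
    if signal["action"] == "grant":
        registry.grant(signal["principal_id"], signal["purpose"], signal["notice_version"],
                       signal["notice_language"], "consent_manager", signal["at"])
        return 1
    raise ValueError(f"unknown action {signal['action']!r}")
```

Because records are never deleted, `in_force` answers the audit question "was consent valid at the time of this processing, and under which notice?" even after a later withdrawal.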
Difference 4: Breach notification with no risk threshold — and a second clock
GDPR's 72-hour notification carries a materiality filter: no notification where the breach is unlikely to result in risk to individuals. The DPDPA removes the filter — personal data breaches must be reported to the Data Protection Board regardless of risk threshold.
And India adds a second, separate duty that GDPR-trained teams routinely miss: CERT-In requires cyber incidents to be reported within 6 hours. One personal-data breach can trigger both the DPB and CERT-In clocks simultaneously, with different timelines and different content. Your incident runbook needs both tracks built in; Incident Management runs the dual clocks in a single workflow so neither deadline gets discovered mid-incident.
Difference 5: The SDF tier
GDPR applies one rulebook to everyone, scaled loosely by risk. The DPDPA creates an explicit tier: the Significant Data Fiduciary, designated based on factors like volume and sensitivity of processing. SDFs carry duties that other fiduciaries do not:
- An India-based Data Protection Officer
- Periodic Data Protection Impact Assessments
- Independent audits
- Algorithmic due diligence
If you are likely to be designated, these are standing operational programmes, not one-off projects. Note the localisation point: a GDPR DPO sitting in Dublin does not satisfy the India-based DPO requirement.
Difference 6: Penalties in rupees, not percentages — and they stack
GDPR penalties scale with global turnover (up to 4%). DPDPA penalties are fixed rupee amounts per breach category, up to ₹250 crore, with the highest tier attached to failure of reasonable security safeguards.
Two practical consequences. First, for very large multinationals the rupee caps may look smaller than GDPR exposure — but for mid-market Indian companies, ₹250 crore is existential. Second, penalties stack across categories: one incident involving weak safeguards, late notification and invalid consent can attract multiple penalties. The risk model is different, so the prioritisation should be too: security safeguards carry the single largest number, which is why mapping DPDPA onto an existing ISO 27001 control set — verified through Audit Management — is the highest-leverage move for certified companies.
Difference 7: Children's data — verification, not assertion
GDPR requires parental consent for children below member-state age thresholds, but enforcement of how that consent is obtained has been uneven, and age assurance is largely left to controllers' judgement.
The DPDPA is blunter on both counts. Processing a child's personal data requires verifiable parental consent — a self-declared checkbox is an assertion, not verification. And behavioural advertising directed at minors is prohibited outright, which means your ad stack, analytics SDKs and personalisation logic need an explicit answer to the question "how do we know this user is not a child, and what do we switch off if they are?" For consumer apps, this is often the largest single engineering item in the entire DPDPA programme, and it is not something a GDPR compliance binder addresses.
What does carry over from GDPR
To be fair to the half of the assumption that is true, a mature GDPR programme gives you real assets:
- Data mapping discipline. Your ROPA methodology transfers directly; only the lawful-basis column needs rework. Privacy Management supports ROPA and PIA workflows operationally today.
- DSR operations. Access, correction and erasure machinery is conceptually similar, though SLAs and grievance-redressal expectations need India-specific configuration.
- DPIA muscle. GDPR DPIA experience maps well onto DPDPA DPIAs for SDFs.
- Security controls. ISO 27001 or SOC 2 controls substantially cover reasonable security safeguards — the work is mapping and evidencing, not rebuilding.
- Privacy culture. Staff who already think before collecting data are the asset hardest to buy. Top up with India-specific modules in Security Awareness Training.
Side-by-side summary
| Dimension | GDPR | DPDPA |
| --- | --- | --- |
| Primary lawful basis | Six bases incl. legitimate interests | Consent-first; no legitimate-interests equivalent for most processing |
| Notice languages | Intelligible and accessible | All 22 scheduled languages |
| Consent infrastructure | Controller's own UX | Interoperable registered Consent Managers (live June–August 2026) |
| Breach notification | 72 hours, risk-based threshold | To the DPB regardless of risk; CERT-In 6-hour duty runs in parallel |
| Enhanced-obligation tier | None explicit | Significant Data Fiduciary: India-based DPO, DPIAs, independent audits, algorithmic due diligence |
| Penalties | Up to 4% of global turnover | Up to ₹250 crore per category, stacking across categories |
| Children's data | Parental consent below age thresholds | Verifiable parental consent; no behavioural advertising to minors |
The sequencing for GDPR-mature companies
Re-base your lawful-basis register first — it determines how much consent work exists, and it is the single analysis everything else depends on. Then fix consent flows (already enforced as of Q1 2026), start the 22-language notice effort, and scope Consent Manager integration before the framework operationalises in August 2026. Legacy-data consent scrutiny begins when soft enforcement ends in November 2026; full enforcement of the complete obligation set — consent, notices, security safeguards, breach protocol, DSR infrastructure, SDF duties, DPIAs and the DPO — arrives on 13 May 2027.
One organisational note: do not hand the India programme to the European privacy team as a side project. The differences above are mostly operational and technical — API integrations, translation pipelines, dual breach clocks, India-based DPO staffing — and they need local ownership with engineering capacity attached, not a memo from headquarters mapping DPDPA articles to GDPR articles.
On tooling: DPDPA point solutions focused on consent management are pricing at ₹15–40 lakh per year, and they cover one of the differences above, not all six. Our DPDPA Operations Suite — consent registry, DSR SLA clocks, SDF obligation tracker — is rolling out ahead of the November 2026 deadline, on top of the privacy, incident, document, training and audit modules that are operational today.
Where to go from here
Start with the DPDPA framework guide for the obligation-level detail, or book a demo and bring your GDPR ROPA — the gap conversation goes much faster with it on the table.
This is general information, not legal advice.