If your Indian product touches a single EU resident — a SaaS user in Berlin, a fintech customer flying through Frankfurt, a learner enrolled from Dublin — you are simultaneously a Data Fiduciary under India's DPDP Act 2023 and a Data Controller under GDPR. Two regulators, two penalty regimes, two breach clocks, two consent regimes. This is the clause-by-clause 2026 walk-through for Indian CIOs, DPOs and product counsel.
DPDP Act 2023 at a glance
- Regulator: Data Protection Board of India
- Scope: Digital personal data of Data Principals in India + offshore processing for offering goods/services to India
- Lawful bases: Consent + certain legitimate uses (narrowly defined)
- Breach reporting: 'As soon as possible' (Rules 2025 draft: 72 hours)
- Max penalty: ₹250 crore per instance (Schedule)
- DPO: Mandatory only for Significant Data Fiduciaries
- Transfer regime: Permitted except to notified restricted countries
GDPR at a glance
- Regulator: National DPAs (BfDI, CNIL, DPC etc.) + EDPB
- Scope: Personal data of EU/EEA residents wherever processed
- Lawful bases: 6 grounds incl. legitimate interest balancing test
- Breach reporting: 72 hours to DPA; without undue delay to data subject if high risk
- Max penalty: €20M or 4% global annual turnover, whichever higher
- DPO: Mandatory for public bodies, large-scale monitoring, special-category data
- Transfer regime: SCCs / adequacy decision / BCRs only
Why the comparison matters for Indian companies in 2026
The DPDP Act was notified in August 2023; the operational Rules were placed for public consultation in January 2025 and are expected to be finalised through 2025-26. As Indian fiduciaries operationalise DPDP, the natural temptation is to either (a) port their existing GDPR programme wholesale, or (b) treat DPDP as a lighter-weight cousin. Both approaches break. DPDP and GDPR overlap on principles (purpose limitation, minimisation, accountability) but diverge sharply on consent mechanics, legitimate interest, DPO triggers, and cross-border transfer. The cost of getting this wrong shows up as parallel investigations from the DPB and an EU DPA on the same incident.
Clause-by-clause comparison
| Topic | DPDP Act 2023 | GDPR | Practical implication |
|---|---|---|---|
| Definition of personal data | Any data about an identifiable individual in digital form | Any info relating to identified/identifiable natural person | DPDP excludes non-digital records; GDPR covers manual filing systems |
| Sensitive categories | Not separately defined | Article 9 special categories (health, biometrics, etc.) | Indian privacy notices still need to flag sensitive data under sectoral law (HIPAA-equivalent for health) |
| Consent standard | Free, specific, informed, unconditional, unambiguous — clear affirmative action | Free, specific, informed, unambiguous — affirmative action | Functionally similar — DPDP wording is slightly stricter ('unconditional') |
| Children's consent age | Below 18 — verifiable parental consent | Below 16 (member state may lower to 13) | DPDP is significantly stricter — material redesign for ed-tech and gaming products |
| Legitimate interest | Not recognised; replaced by 'certain legitimate uses' (narrow list) | Article 6(1)(f) — broad with balancing test | DPDP forces consent-by-default for marketing, analytics, profiling |
| DPO requirement | Only Significant Data Fiduciaries | Public authorities + large-scale monitoring + special-category data | DPDP threshold is volume + sensitivity; GDPR threshold is activity-based |
| Breach notification window | Rules 2025 draft: 72h to DPB + affected principals | 72h to DPA; affected subjects without undue delay if high risk | Practically aligned once Rules are notified |
| Right to erasure | Yes, with retention exceptions | Yes (Art 17), with legal-basis exceptions | Aligned |
| Data portability | Not explicitly granted | Yes (Art 20) | DPDP gap for cross-border products |
| Right to object / automated decisions | Limited; significant ADM not separately regulated | Article 22 explicit rights against automated decisions | GDPR is stricter for AI-driven services |
| Cross-border transfer | Permitted except to blacklisted countries (negative list) | Adequacy / SCCs / BCRs (positive whitelist) | DPDP is more permissive — but EU side still binds Indian exporters |
| Max penalty | ₹250 crore per breach (Schedule) | €20M or 4% global turnover | GDPR meaningfully larger for global enterprises |
Side-by-side mapping of the most operationally relevant clauses
The Significant Data Fiduciary trigger
The DPDP Act lets the Government notify certain fiduciaries as 'Significant Data Fiduciaries' (SDFs). SDFs face additional obligations — mandatory DPO based in India, annual DPIA, annual data audit, and tighter algorithmic accountability. The criteria include volume and sensitivity of data, risk to electoral democracy, risk to sovereignty, and risk to the security of the State. Indian fintechs and large SaaS players assume they are SDFs by default and budget accordingly — ₹40-90 lakh/year incremental compliance cost is the band we see across our BFSI and fintech customers in Mumbai and Bengaluru.
Consent: where DPDP diverges from GDPR most
GDPR allows you to lean on legitimate interest for many B2B data uses, fraud prevention, security telemetry and even some marketing. DPDP does not. Apart from a narrow 'certain legitimate uses' list (employment, public interest, medical emergency, court order), every other processing in India requires explicit consent through a Consent Manager (a new licensed entity under DPDP). For Indian SaaS firms used to running A/B tests and feature analytics under legitimate interest, this is a significant product rework — telemetry pipelines need consent-gating, defaults need flipping, and Consent Managers need API integration.
Cross-border transfer in practice
DPDP flips the GDPR model. Under GDPR, transfers out of the EU/EEA are blocked unless a positive lawful mechanism applies — adequacy decision, SCCs, BCRs, or a derogation. Under DPDP, transfers out of India are permitted everywhere except countries the Government places on a negative list. The catch: even if DPDP allows you to transfer EU-resident data from India to a third country, GDPR still binds because the data originated from EU subjects. In practice, Indian fiduciaries with EU exposure run a 'GDPR-conservative + DPDP-permissive' transfer model — apply SCCs to EU-originated data, apply DPDP rules to India-originated data, and document both flows in a single transfer impact assessment.
Breach response — running both clocks
- Hour 0: Detect — ensure your SIEM has data-classification tagging so privacy-impacting events are tagged distinctly
- Hour 0-6: CERT-In direction requires reporting within 6 hours regardless of DPDP/GDPR status
- Hour 0-72: Parallel filing — DPB (DPDP) + EU lead DPA (GDPR) + sectoral regulators (RBI/SEBI/IRDAI)
- Hour 0-72: Notify affected principals/subjects 'without undue delay' if high risk to rights
- Day 7-30: Post-incident report — both regimes expect a remediation update; GDPR is typically more demanding on technical detail
- Day 30-90: External audit / regulator examination — pre-stage forensic evidence and chain-of-custody
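The dual-clock runbook above, as an added worked example (not the article's or Macksofy's own tooling): given the detection timestamp and which populations are affected, it lays out every notification deadline in one sorted plan and reports what is overdue at any later moment. The 6-hour and 72-hour figures are the ones the article states; the Incident fields, the sample timestamps and the 72-hour target for high-risk individual notice (the statute only says 'without undue delay') are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clocks as stated in the article, in hours from detection (Hour 0).
CERT_IN_HOURS = 6      # CERT-In direction, applies regardless of DPDP/GDPR status
REGULATOR_HOURS = 72   # DPDP Rules 2025 draft (DPB) and GDPR Art 33 (lead DPA)

@dataclass(frozen=True)
class Incident:                    # constructed incident model (assumption)
    detected_at: datetime          # timezone-aware detection time
    india_principals: bool         # affected Data Principals in India -> DPDP clock
    eu_subjects: bool              # affected EU/EEA data subjects -> GDPR clock
    high_risk: bool                # high risk to rights -> individual notice under GDPR
    sectoral: tuple = ()           # sectoral regulators in scope, e.g. ("RBI", "SEBI")

def notification_plan(inc: Incident) -> list:
    """Return [(deadline, recipient, regime)] sorted by deadline, earliest first."""
    if inc.detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware to run the clocks")
    t0 = inc.detected_at
    hard = t0 + timedelta(hours=REGULATOR_HOURS)
    plan = [(t0 + timedelta(hours=CERT_IN_HOURS), "CERT-In", "CERT-In direction")]
    if inc.india_principals:
        # Draft Rules put the DPB filing and the notice to principals inside 72h.
        plan.append((hard, "Data Protection Board of India", "DPDP"))
        plan.append((hard, "affected Data Principals", "DPDP"))
    if inc.eu_subjects:
        plan.append((hard, "EU lead DPA", "GDPR"))
        if inc.high_risk:
            # 'Without undue delay' in the statute; the runbook targets the same 72h window.
            plan.append((hard, "affected EU data subjects", "GDPR"))
    for reg in inc.sectoral:
        plan.append((hard, reg, "sectoral"))
    return sorted(plan, key=lambda e: e[0])

def status(plan: list, now: datetime) -> dict:
    """Split the plan into overdue recipients and open items with hours remaining."""
    overdue = [r for d, r, _ in plan if d <= now]
    open_items = [(r, round((d - now).total_seconds() / 3600, 1)) for d, r, _ in plan if d > now]
    return {"overdue": overdue, "open": open_items}

def sample_incident(india=True, eu=True, high_risk=True) -> Incident:
    """Constructed sample: detected 2026-03-01 00:00 UTC, RBI also in scope."""
    return Incident(datetime(2026, 3, 1, 0, 0, tzinfo=timezone.utc), india, eu, high_risk, ("RBI",))

if __name__ == "__main__":
    plan = notification_plan(sample_incident())
    for d, r, g in plan:
        print(d.isoformat(), r, g)
    print(status(plan, datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)))
```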
What an Indian fiduciary with EU exposure should actually do
- Build a unified Record of Processing Activities (RoPA) — single source covering both GDPR Art 30 and DPDP Notice/Purpose register
- Map every processing activity to lawful basis under both regimes — consent under DPDP, Art 6 ground under GDPR
- Implement a Consent Management Platform that can talk to a DPDP Consent Manager API and serve GDPR cookie/consent flows in EU geographies
- Run one DPIA template that satisfies DPDP Rules + GDPR Art 35 — risk language and likelihood tiers need to match both
- Designate one DPO with India residency (DPDP SDF requirement) who also meets GDPR Art 37 independence requirements
- Update vendor / processor contracts — DPDP requires a Data Fiduciary to Data Processor contractual chain; GDPR requires an Art 28 data processing agreement. One contract addendum covering both is the norm.
- Test breach notification across both timelines using tabletop exercises every six months
Penalty math: which one will hurt more?
For an Indian SaaS firm with ₹500 crore revenue and 5% EU revenue exposure: DPDP ceiling is ₹250 crore per incident; GDPR ceiling is 4% of global turnover (i.e. ₹20 crore). Below ~₹6,000 crore global revenue, DPDP is the larger headline penalty. Above that, GDPR overtakes. In practice both regulators look at the same incident, both impose, and cyber insurance must cover both — most standard Indian cyber policies still exclude regulatory penalty in totality, so re-read your wording.
Macksofy's DPDP + GDPR readiness sprint is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
