Why Global Data Protection Comparisons Matter
Multinational companies operating in India do not have the luxury of building a data protection programme from scratch for each jurisdiction. They need to understand how India's Digital Personal Data Protection Act, 2023 (DPDP Act) — and the DPDP Rules notified in November 2025 — compares to the frameworks they already comply with, particularly the EU's General Data Protection Regulation (GDPR).
If your company is already GDPR-compliant, the question is: how much additional work does Indian DPDP compliance require? If your company is entering India from the United States or Europe and you operate across Southeast Asia — perhaps routing foreign direct investment through Singapore — you need to know how India's framework compares with Singapore's PDPA. If you have operations in China, the comparison with PIPL is critical. And if your holding structure routes through Brazil or South Africa, LGPD and POPIA compliance intersections must be understood.
This article provides a structured, side-by-side comparison of India's DPDP Act with five major global data protection frameworks, focusing on the practical differences that affect compliance costs, system architecture, and operational processes. For a detailed compliance roadmap specific to India's DPDP Act, see our DPDP Act Phase 1 guide for foreign companies.
The Six Frameworks Compared
Before diving into the detailed comparison, here is a high-level overview of each framework's scope and status.
| Framework | Jurisdiction | Enacted | Fully Effective | Scope |
|---|---|---|---|---|
| DPDP Act | India | August 2023 | May 13, 2027 (phased) | Digital personal data only |
| GDPR | EU/EEA (27+3 countries) | April 2016 | May 25, 2018 | All personal data (digital and analogue) |
| PDPA | Singapore | October 2012 | July 1, 2014 (full force 2021) | Personal data in commercial context |
| PIPL | China | August 2021 | November 1, 2021 | All personal information |
| LGPD | Brazil | August 2018 | August 16, 2020 | All personal data |
| POPIA | South Africa | November 2013 | July 1, 2021 | All personal information |
Key Observation: India Is a Late Mover
India is the last major economy to enact comprehensive data protection legislation. The DPDP Act was passed in August 2023, with the implementing rules notified in November 2025 — seven years after the GDPR came into force and four years after China's PIPL. This means India had the benefit of learning from other frameworks' design choices and enforcement experiences. The result is a framework that is deliberately simpler than the GDPR but carries penalties that rival it.

Legal Bases for Processing: The Fundamental Difference
The most structurally important difference between India's DPDP Act and the GDPR lies in the legal bases available for processing personal data.
| Legal Basis | India DPDP | EU GDPR | Singapore PDPA | China PIPL | Brazil LGPD | South Africa POPIA |
|---|---|---|---|---|---|---|
| Consent | Primary basis | One of six bases | Primary basis | Primary basis | One of ten bases | One of seven bases |
| Contractual necessity | Not available | Available | Not available | Available | Available | Available |
| Legitimate interest | Not available | Available | Not available (deemed consent exists) | Not available | Available | Available |
| Legal obligation | Available (as "legitimate use") | Available | Available | Available | Available | Available |
| Vital interests | Medical emergency (limited) | Available | Not explicit | Available | Available | Available |
| Public interest | State functions (limited) | Available | Not explicit | Available | Available | Available |
| Employment purposes | Available (as "legitimate use") | Via other bases | Via deemed consent | Via other bases | Via other bases | Via other bases |
India's Consent-Heavy Approach
The DPDP Act recognises only two categories of lawful basis: (1) consent and (2) "certain legitimate uses." The legitimate uses are narrowly defined: voluntary provision of data for a specified purpose (provided the data principal does not object), compliance with law or court orders, employment purposes, medical emergencies, and state functions.
Critically, India's DPDP Act does not recognise contractual necessity or legitimate interest as independent legal bases — the two bases that GDPR-compliant companies rely on most heavily for everyday processing activities such as customer relationship management, fraud detection, analytics, and B2B marketing. Companies transitioning from GDPR compliance to DPDP compliance must restructure their processing basis for Indian data, typically by building granular consent mechanisms for activities that previously relied on legitimate interest or contractual necessity under GDPR.
Practical Impact for Multinationals
A European company processing employee data in India cannot rely on "performance of a contract" as a legal basis under the DPDP Act, even though it uses this basis for the same processing under GDPR. Instead, it must either obtain explicit consent from Indian employees or rely on the "employment purposes" legitimate use — which is limited to activities directly connected to the employment relationship. Marketing analytics, workforce planning tools, and performance benchmarking may require separate consent under DPDP that would not be needed under GDPR.
Consent Requirements: Quality and Withdrawal
Even where consent is the primary basis under multiple frameworks, the quality standards for valid consent differ.
| Consent Element | India DPDP | EU GDPR | China PIPL |
|---|---|---|---|
| Standard | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous | Voluntary, explicit, informed |
| Affirmative action | Required (clear affirmative action) | Required (clear affirmative action) | Required |
| Granularity | Purpose-specific consent required | Purpose-specific consent required | Separate consent for sensitive data |
| Withdrawal | Must be as easy as giving consent | Must be as easy as giving consent | Right to withdraw at any time |
| Bundled consent | Not valid (unconditional requirement) | Not valid (freely given requirement) | Not addressed explicitly |
| Consent records retention | 7 years (DPDP Rules) | No specified period (must demonstrate compliance) | Not specified |
India's Unique Requirements
The DPDP Act introduces two notable consent requirements not found in other frameworks:
- Unconditional consent: Consent must be "unconditional" — meaning a Data Fiduciary cannot make service delivery contingent on consent to processing beyond what is necessary for the service. While the GDPR has a similar principle (consent cannot be a condition where there is a power imbalance), India's explicit statutory requirement is stronger.
- Seven-year consent record retention: The DPDP Rules require Data Fiduciaries to retain records of consent for seven years. Neither the GDPR nor any other framework specifies such a long mandatory retention period for consent records. This creates a significant data management obligation — companies must implement systems to log, timestamp, and archive every consent interaction for seven years.
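As an added illustration (not code from this article or from any vendor), a Python sketch of a consent ledger that enforces the points above: one purpose per record, the "unconditional" check against bundling non-necessary purposes into a condition of service, withdrawal as a single call mirroring the grant, and a 7-year retention clock running from each record's own timestamp. All names are assumptions, and the `necessary` purpose set is whatever the caller asserts the service actually needs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Retention period for consent records as stated in the article (DPDP Rules).
RETENTION_YEARS = 7


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper for building tz-aware UTC timestamps (assumed convention: store UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str            # exactly one purpose per record (purpose-specific consent)
    action: str             # "granted" or "withdrawn"
    recorded_at: datetime   # tz-aware timestamp of the affirmative action
    notice_version: str     # which notice the principal saw (evidence of "informed")
    channel: str            # how the action was taken (evidence of a clear affirmative act)


def _add_years(dt: datetime, years: int) -> datetime:
    """Add calendar years; 29 Feb rolls back to 28 Feb if the target year is not leap."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def check_unconditional(requested: Iterable[str], necessary: Iterable[str],
                        conditioned_on: Iterable[str]) -> None:
    """Reject a consent request that makes service delivery conditional on purposes
    beyond what the service needs. `necessary` is asserted by the caller (assumption)."""
    requested, necessary, conditioned_on = set(requested), set(necessary), set(conditioned_on)
    bundled = conditioned_on - necessary
    if bundled:
        raise ValueError(f"service conditioned on non-necessary purposes: {sorted(bundled)}")
    if not conditioned_on <= requested:
        raise ValueError("cannot condition service on a purpose that is not being requested")


class ConsentLedger:
    """Append-only consent log: every grant and withdrawal is its own timestamped
    record, kept until that record's retention period has run."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, ev: ConsentEvent) -> ConsentEvent:
        if ev.action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        if ev.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(ev)
        return ev

    def grant(self, principal_id: str, purpose: str, *, at: datetime,
              notice_version: str, channel: str) -> ConsentEvent:
        return self._record(ConsentEvent(principal_id, purpose, "granted", at, notice_version, channel))

    def withdraw(self, principal_id: str, purpose: str, *, at: datetime,
                 notice_version: str, channel: str) -> ConsentEvent:
        # Same single call shape as grant(): withdrawal is as easy as giving consent.
        return self._record(ConsentEvent(principal_id, purpose, "withdrawn", at, notice_version, channel))

    def is_consented(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Consent status at time `at`: the latest event for this principal and
        purpose recorded on or before `at` must be a grant."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.recorded_at <= at:
                if latest is None or ev.recorded_at >= latest.recorded_at:
                    latest = ev
        return latest is not None and latest.action == "granted"

    @staticmethod
    def retention_expires_at(ev: ConsentEvent) -> datetime:
        return _add_years(ev.recorded_at, RETENTION_YEARS)

    def purge_expired(self, now: datetime) -> int:
        """Delete only records whose own retention period has passed; return the count."""
        keep = [ev for ev in self._events if self.retention_expires_at(ev) > now]
        removed = len(self._events) - len(keep)
        self._events = keep
        return removed

    def __len__(self) -> int:
        return len(self._events)
```

Each grant and each withdrawal stays in the log for the full seven years from its own timestamp, so a withdrawn consent still leaves an auditable trail of when it was given and when it was revoked.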
Consent Manager Framework
From November 2026, India will implement a registered Consent Manager system. Only India-incorporated entities with a minimum net worth of INR 2 crore can register as Consent Managers with the Data Protection Board of India. Foreign consent management platforms like OneTrust, TrustArc, and Cookiebot cannot serve as registered Consent Managers directly — they must operate through an Indian entity. This is a unique requirement not found in any other framework and creates additional infrastructure costs for multinational companies.

Individual Rights: Scope and Limitations
The rights granted to data subjects (or "Data Principals" in India's terminology) vary significantly across frameworks.
| Right | India DPDP | EU GDPR | China PIPL | Brazil LGPD |
|---|---|---|---|---|
| Access | Yes | Yes | Yes | Yes |
| Correction | Yes | Yes (rectification) | Yes | Yes |
| Erasure | Yes | Yes (right to be forgotten) | Yes | Yes |
| Data portability | No | Yes | Yes (where technically feasible) | Yes |
| Object to processing | No explicit right | Yes | Yes | Yes |
| Restrict processing | No | Yes | No explicit right | No explicit right |
| Not subject to automated decisions | No | Yes | Yes | Yes |
| Nomination (death/incapacity) | Yes (unique) | No | Yes (for deceased) | No |
| Grievance redressal officer | Yes (mandatory) | No (DPO not grievance-focused) | No | No |
India's Simpler but Narrower Rights Framework
India's DPDP Act grants fewer individual rights than the GDPR. The absence of data portability, the right to object, the right to restrict processing, and protection against automated decision-making represents a deliberate choice to simplify the framework. For companies, this means fewer data subject request types to handle — a compliance advantage. For individuals, it means less granular control over their data.
India compensates with two unique provisions: the right to nominate an individual to exercise data principal rights in case of death or incapacity, and the mandatory requirement for every Data Fiduciary to appoint a grievance redressal officer accessible to data principals. The grievance redressal obligation is operationally significant — companies must establish and staff a grievance mechanism within their Indian operations. For a comparison of entity structures and their compliance implications, see our branch office vs subsidiary comparison.
Penalties and Enforcement
The penalty structures vary dramatically across frameworks, both in quantum and calculation methodology.
| Framework | Maximum Penalty | Calculation Method | Enforcement Body |
|---|---|---|---|
| India DPDP | INR 250 crore (~USD 30M) | Fixed maximum per violation type | Data Protection Board of India |
| EU GDPR | EUR 20M or 4% of global turnover | Higher of fixed amount or turnover % | National supervisory authorities |
| China PIPL | CNY 50M or 5% of annual revenue | Higher of fixed amount or revenue % | Cyberspace Administration of China |
| Brazil LGPD | BRL 50M (~USD 10M) per violation | Fixed maximum per violation | ANPD |
| Singapore PDPA | SGD 1M or 10% of annual turnover | Higher of fixed amount or turnover % | PDPC |
| South Africa POPIA | ZAR 10M (~USD 540K) + imprisonment | Fixed maximum; criminal sanctions possible | Information Regulator |
India's Penalty Structure in Context
India's maximum penalty of INR 250 crore (approximately USD 30 million) for failure to take reasonable security safeguards is significant but capped. Unlike the GDPR (4% of global turnover) and China's PIPL (5% of annual revenue), India uses fixed maximums per violation type rather than turnover-based calculations. For a large multinational with USD 10 billion in revenue, the GDPR's maximum penalty would be USD 400 million — more than 13 times India's cap.
However, India's penalty framework has no concept of a warning or grace period. Penalties can be imposed from the first instance of non-compliance once the relevant phase is in effect. The DPDP penalty schedule by violation type is:
- Failure to take reasonable security safeguards: INR 250 crore (~USD 30M)
- Failure to notify breach within 72 hours: INR 200 crore (~USD 24M)
- Non-compliance with children's data obligations: INR 200 crore (~USD 24M)
- Failure to comply with Significant Data Fiduciary obligations: INR 150 crore (~USD 18M)
- Any other non-compliance: INR 50 crore (~USD 6M)
Enforcement Maturity
The GDPR has the most mature enforcement ecosystem, with over EUR 4 billion in cumulative fines issued since 2018 by data protection authorities across the EU/EEA. Brazil's ANPD issued USD 12 million in fines in Q1 2025 alone for improper biometric data handling. India's Data Protection Board was established on November 13, 2025, and is still building its operational capacity. Full enforcement of the DPDP Act's penalty framework begins on May 13, 2027, giving companies 14 months to prepare from the time of writing.

Breach Notification Requirements
The speed at which data breaches must be reported varies across frameworks and significantly affects incident response planning.
| Framework | Notification Deadline | Notify Whom | Threshold |
|---|---|---|---|
| India DPDP | 72 hours (strict) | Data Protection Board + affected individuals | Any personal data breach |
| EU GDPR | 72 hours (where feasible) | Supervisory authority + individuals (if high risk) | Risk to rights and freedoms |
| China PIPL | Immediately (no specific timeframe) | Authorities + affected individuals | Any breach likely to cause harm |
| Brazil LGPD | Reasonable time | ANPD + affected individuals | Relevant risk or damage |
| Singapore PDPA | 3 calendar days | PDPC + affected individuals | Significant harm or 500+ individuals |
| South Africa POPIA | As soon as reasonably possible | Information Regulator + affected persons | Reasonable grounds to believe breach occurred |
India's Strict 72-Hour Window
India's 72-hour notification deadline is aligned with the GDPR's timeline but is stricter in two ways: (1) there is no "where feasible" qualifier — the deadline is absolute, and (2) both the Data Protection Board and affected individuals must be notified within the same 72-hour window, whereas the GDPR only requires authority notification within 72 hours and gives additional time for individual notification.
For multinational companies, this means the Indian incident response playbook must be faster than the GDPR playbook. The 72-hour clock starts from the moment the breach is discovered, not from the moment it occurred. Companies must have pre-built notification templates, escalation protocols, and communication channels ready before a breach occurs. Our compliance services include incident response advisory for data protection obligations.
Cross-Border Data Transfers
The rules governing international transfer of personal data vary from permissive (India) to highly restrictive (China).
| Framework | Transfer Mechanism | Default Position |
|---|---|---|
| India DPDP | Blacklist approach | Permitted to all countries unless specifically restricted by government notification |
| EU GDPR | Whitelist + safeguards | Restricted unless adequacy decision, SCCs, BCRs, or other approved mechanism |
| China PIPL | Security assessment + contracts | Restricted; government security assessment required for large-scale transfers |
| Singapore PDPA | Comparable protection | Permitted if receiving country has comparable protection or contractual safeguards |
| Brazil LGPD | Multiple mechanisms | Restricted unless adequacy, SCCs, binding corporate rules, or specific consent |
| South Africa POPIA | Comparable protection | Restricted unless adequate protection or consent |
India's Permissive Approach
India's blacklist approach is the most permissive among the six frameworks. Personal data can flow to any country unless the Central Government specifically restricts transfers to that country. As of early 2026, no countries have been blacklisted. This is in stark contrast to the GDPR's whitelist approach, where transfers outside the EU are restricted by default and require specific legal mechanisms (adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules).
For multinational companies, India's permissive transfer regime is a significant compliance advantage. Data can flow freely between Indian operations and global headquarters without the complex transfer impact assessments and contractual safeguards required under GDPR. However, two caveats apply: (1) the Central Government can add countries to the restricted list at any time, and (2) Significant Data Fiduciaries may face data localisation requirements that override the general transfer permission.
China: The Most Restrictive
China's PIPL requires a government-administered security assessment for cross-border transfers involving: (a) critical information infrastructure operators, (b) personal information handlers processing data of 1 million+ individuals, or (c) cumulative transfers of 100,000+ individuals' data or 10,000+ individuals' sensitive data since January 1 of the preceding year. This makes China the most restrictive major jurisdiction for data transfers and creates significant operational challenges for companies with Chinese operations that need to share data with Indian or global systems.

Significant Data Fiduciary vs. GDPR Controllers: Structural Differences
India's DPDP Act introduces the concept of "Significant Data Fiduciaries" (SDFs) — entities designated by the Central Government based on data volume, sensitivity, and risk. SDFs face additional obligations beyond standard Data Fiduciaries.
SDF Obligations vs. GDPR Large Controller Obligations
| Obligation | India SDF | GDPR (Large Controllers) |
|---|---|---|
| Data Protection Officer | Must be based in India; reports to Board of Directors | Must be designated; can be shared across group entities; no residency requirement |
| Impact Assessment | Annual DPIA mandatory | DPIA required for high-risk processing only |
| Independent audit | Annual independent data audit | No mandatory independent audit requirement |
| Data localisation | Government may restrict specific data categories to India-only processing | No data localisation requirement |
The SDF designation creates a higher compliance burden than the GDPR imposes even on the largest data controllers. The annual DPIA and independent audit requirements, combined with a DPO who must be physically based in India, mean that SDF-designated companies face recurring compliance costs that companies subject only to GDPR do not. Foreign companies with large Indian subsidiaries or branch offices — particularly in financial services, e-commerce, and technology — should plan for SDF designation and the associated compliance infrastructure.
Children's Data Protection
The treatment of children's data varies significantly across frameworks, with India taking one of the strictest approaches.
| Element | India DPDP | EU GDPR | China PIPL |
|---|---|---|---|
| Age of consent | 18 years | 16 years (member states can lower to 13) | 14 years |
| Parental consent | Verifiable parental consent required | Parental consent for under-16 (or lower threshold) | Parental consent for under-14 |
| Behavioural tracking | Prohibited for children | Not explicitly prohibited (subject to consent) | Not explicitly addressed |
| Targeted advertising | Prohibited for children | Not explicitly prohibited (subject to legitimate interest or consent) | Not explicitly addressed |
India's 18-year threshold for children's data protection is the highest among major frameworks. Combined with the absolute prohibition on behavioural tracking and targeted advertising directed at children, this creates significant operational requirements for companies with platforms accessible to Indian minors — including gaming, social media, educational technology, and e-commerce companies. Age-gating mechanisms and parental consent verification systems must be implemented before May 2027.

Compliance Cost Comparison
The operational cost of compliance differs across frameworks based on the number of obligations, the complexity of individual requirements, and the enforcement risk.
For a Mid-Size Multinational (500-2,000 Indian Employees)
- GDPR compliance (already in place): Baseline cost; company has DPO, consent management, DPIA processes, SCCs for transfers
- Incremental DPDP compliance: An estimated 40-60% of GDPR compliance infrastructure can be repurposed. Additional costs include:
  - Restructuring legal bases from legitimate interest/contract to consent (high effort)
  - Implementing 7-year consent record retention (moderate)
  - Establishing an India-based DPO if SDF-designated (INR 15-40 lakh/year)
  - Setting up a registered Consent Manager entity or partnership (one-time + annual)
  - Building a 72-hour breach notification system with Indian regulatory reporting (moderate)
  - Implementing children's data protections with the 18-year threshold (high for platform companies)
- Estimated incremental annual cost: INR 50 lakh to INR 2 crore depending on SDF designation and data volume
For a Company Starting from Zero (No Prior Data Protection Programme)
A company with no existing data protection programme — for example, an Indian company expanding internationally or a company from a jurisdiction without comprehensive privacy law — faces the full cost of building consent management, rights infrastructure, breach notification systems, and governance frameworks. The costs are separate from GST registration and other regulatory compliance. Estimated first-year cost: INR 1-5 crore, with ongoing annual costs of INR 50 lakh to INR 2 crore.
For companies registering a new entity in India, building DPDP compliance into the private limited company setup from day one is significantly cheaper than retrofitting later. Our company registration services include privacy compliance advisory as part of the incorporation package.
DPDP Implementation Timeline and Compliance Milestones
The phased rollout of India's DPDP Act gives companies specific deadlines to target for different compliance obligations.
| Stage | Date | What Becomes Effective | Action Required |
|---|---|---|---|
| Stage 1 | November 13, 2025 | Data Protection Board established; penalty framework active | Establish breach response team; begin data mapping |
| Stage 2 | November 13, 2026 | Consent Manager registration; DPBI inquiry powers for consent breaches | Establish or partner with registered Consent Manager entity |
| Stage 3 | May 13, 2027 | Full compliance: privacy notices, consent systems, security safeguards, breach protocols, data retention, children's protections, data principal rights | Full operational compliance across all obligations |
Companies handling annual compliance obligations for their Indian entity should coordinate DPDP compliance with existing regulatory calendars. Companies already compliant with GDPR have a 14-month window from now (March 2026) to May 2027 to build the incremental DPDP compliance infrastructure. The critical gaps to close are: legal basis restructuring (from legitimate interest to consent), 7-year consent record retention systems, India-based DPO appointment (if SDF), registered Consent Manager entity, and children's data protections with the 18-year threshold.
Practical Recommendations for Multinational Companies
1. Conduct a Gap Analysis Against GDPR
If you are GDPR-compliant, map every DPDP obligation against your existing GDPR compliance programme. The gaps will typically be: legal basis restructuring, consent record retention (7 years), Consent Manager entity requirement, children's age threshold (18 vs. 16), and the absence of data portability (which simplifies your obligations).
2. Restructure Legal Bases for Indian Data
The highest-effort task is moving processing activities that rely on legitimate interest or contractual necessity under GDPR to explicit consent under DPDP. Prioritise: HR/employee data processing, customer relationship management, analytics and profiling, and B2B marketing. Build granular, purpose-specific consent flows that meet the DPDP's "free, specific, informed, unconditional, unambiguous" standard. Ensure your India entity's digital signature certificates are current for regulatory filings.
3. Plan for the Consent Manager Requirement
From November 2026, registered Consent Managers must be India-incorporated entities with INR 2 crore minimum net worth. If you use global consent management platforms (OneTrust, TrustArc, Cookiebot), identify or establish an Indian entity to serve as the registered Consent Manager. The global platform can provide the technology backend, but the registered entity must be Indian.
4. Build India-Specific Breach Response
India's strict 72-hour notification window, with no "where feasible" qualifier, requires a dedicated Indian incident response playbook. Pre-build notification templates for the Data Protection Board and affected individuals. Ensure your Indian operations can independently detect, assess, and report breaches within 72 hours without waiting for global headquarters approval.
5. Coordinate Cross-Border Transfer Risk
While India's permissive blacklist approach currently allows unrestricted data transfers, companies should monitor for changes. The Central Government can restrict transfers to specific countries at any time. Build contractual safeguards (similar to GDPR SCCs) into vendor and intercompany agreements as a precaution, even where not currently required. For companies managing cross-border financial flows alongside data transfers, understanding FEMA compliance is equally important.
Key Takeaways
- India's DPDP Act is consent-heavy, recognising only consent and narrow "legitimate uses" as legal bases — unlike the GDPR's six bases including legitimate interest and contractual necessity. This is the single largest compliance gap for GDPR-compliant companies entering India.
- India's penalty maximum of INR 250 crore (~USD 30M) per violation is significant but capped, unlike the GDPR (4% of global turnover) and China's PIPL (5% of annual revenue), which scale with company size.
- India's cross-border data transfer regime is the most permissive among major frameworks, using a blacklist approach where data flows to all countries unless specifically restricted. No countries have been blacklisted as of early 2026.
- The 7-year consent record retention requirement and the registered Consent Manager framework (India-incorporated entities only, from November 2026) are unique obligations not found in any other global framework.
- Companies already GDPR-compliant can repurpose 40-60% of their existing infrastructure for DPDP compliance, with the primary gaps being legal basis restructuring, consent record retention, and the India-specific Consent Manager entity requirement. Full compliance is required by May 13, 2027.
Frequently Asked Questions
How is India's DPDP Act different from the GDPR?
The most fundamental difference is in legal bases for processing. India's DPDP Act recognises only consent and narrow "legitimate uses" (employment, legal obligation, medical emergency, state functions). The GDPR provides six legal bases including legitimate interest and contractual necessity. India also has a 7-year consent record retention requirement, a registered Consent Manager framework, and uses a permissive blacklist approach for cross-border transfers.
Can a GDPR-compliant company easily comply with India's DPDP Act?
Approximately 40-60% of GDPR compliance infrastructure can be repurposed for DPDP compliance. The main gaps are: restructuring legal bases from legitimate interest to consent, implementing 7-year consent record retention, establishing an India-based registered Consent Manager entity, and adjusting children's data protections to the 18-year threshold.
What are the maximum penalties under India's DPDP Act?
The maximum penalty is INR 250 crore (approximately USD 30 million) per violation for failure to take reasonable security safeguards. Unlike the GDPR (4% of global turnover), India uses fixed maximums per violation type. Other violation categories carry penalties of INR 50 crore to INR 200 crore.
Does India's DPDP Act restrict cross-border data transfers?
India uses a permissive blacklist approach — data can flow to any country unless the Central Government specifically restricts transfers to that country. As of early 2026, no countries have been blacklisted. This is in stark contrast to the GDPR's restrictive whitelist approach and China's PIPL security assessment requirements.
When is the full compliance deadline for India's DPDP Act?
Full compliance is mandatory by May 13, 2027. The implementation is phased: Stage 1 (November 2025) established the Data Protection Board and penalty framework, Stage 2 (November 2026) activates the Consent Manager registration, and Stage 3 (May 2027) requires full operational compliance across all obligations.
Can foreign consent management platforms operate as registered Consent Managers in India?
No. Only India-incorporated entities with a minimum net worth of INR 2 crore can register as Consent Managers with the Data Protection Board. Foreign platforms like OneTrust, TrustArc, and Cookiebot can provide the technology backend but must operate through an Indian registered entity.
How does India's breach notification deadline compare to the GDPR?
Both require notification within 72 hours, but India's is stricter. India requires notifying both the Data Protection Board and affected individuals within 72 hours, with no "where feasible" qualifier. The GDPR only requires authority notification within 72 hours ("where feasible") and gives additional time for individual notification if the risk is high.