DPDP Act vs GDPR, an Indian SaaS compliance lead reviewing dual mapping at her Pune workstation, Sirius Star

DPDP Act vs GDPR: what Indian businesses should know in 2026


Last quarter we audited a 280-person Pune SaaS firm that ships analytics into both Indian fintechs and three EU logistics customers. Their CISO walked in with the line every Indian compliance lead is hearing right now: “We are GDPR-compliant, so DPDP is basically a copy-paste, no?” Two weeks later their counsel returned a 14-page gap memo. The headline number: approx Rs.62 lakh of remediation, and that was for a firm already running a mature GDPR programme. So no, your GDPR work does not auto-extend to DPDP. The two regimes overlap in approx 60 percent of controls and diverge in approx 25 percent in ways that change the operating model. This is the DPDP Act vs GDPR comparison that Meera, the compliance lead in this scenario, would actually use on a Tuesday night when the Board memo is due Friday.

Here is the promise of this piece: how to map your existing GDPR programme onto DPDP in 8 to 10 weeks even if you are running a 280-person SaaS with a thin compliance team. By the end you will know where DPDP is stricter, where GDPR-style controls already cover you, and where you have to build something new from scratch.

If you only have GDPR, you are not DPDP-ready

This is the first thing to land. GDPR (the EU General Data Protection Regulation, in force since May 2018) and India’s DPDP Act (Digital Personal Data Protection Act 2023, passed August 2023, Rules in final-draft circulation as of May 2026) come from the same family. Both protect personal data, both put a fiduciary or controller on the hook, both let regulators slap penalties for non-compliance. So a CISO who runs a clean GDPR shop in 2026 has the bones of a privacy programme. The bones, not the body.

What changes under DPDP that your GDPR programme will not automatically cover:

  • DPDP introduces a category called Significant Data Fiduciary (SDF) that GDPR does not have. The criteria are still being notified by the central government but volume of data, sensitivity, and risk to data principals are the headline tests. An SDF must appoint a separately notified Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and conduct independent data audits. Your GDPR DPO does not automatically inherit this if your firm is named an SDF.
  • DPDP’s consent regime is more restrictive in one specific way: the notice must be in clear and plain language with the personal data and the purpose itemised, and withdrawal must be as easy as giving consent. GDPR has the same direction of travel, but DPDP is more prescriptive on the form of the consent notice, so your existing GDPR notices will likely need a rewrite to add the Indian-language option and the itemisation DPDP demands. It feels like a small thing until you realise your in-app consent flow needs a redesign across approx 14 customer touchpoints.
  • DPDP’s breach notification has no explicit hour clock in the Act itself: Section 8(6) requires intimation of a breach to the Data Protection Board and to each affected data principal “in such form and manner as may be prescribed”. The Rules draft circulating in May 2026 points to 72 hours to the Board as the safe operational default, with a separate intimation to affected data principals. GDPR’s 72-hour clock to the supervisory authority is fixed in Article 33. So your runbook timing is similar in practice, but the audit trail expectation is different.

The honest answer to “GDPR covers us, right?” is: it covers about three out of every five DPDP controls. The remaining two require fresh build. For the deeper foundation, see the DPDP Act 2023 complete guide which is our long-form reference for Indian MSMEs.

DPDP Act vs GDPR: side-by-side that actually matters

Most “DPDP vs GDPR” comparisons online give you a 30-row table with academic distinctions. Here is the version that maps to what Meera needs to put in front of the Audit Committee.

Scope
  GDPR (EU): Personal data of people in the EU, whether processed by an EU-established controller or by one outside the EU that offers goods or services to, or monitors, people in the EU.
  DPDP Act (India): Digital personal data processed within India, and processing outside India that is connected with offering goods or services to data principals in India.
  Practical impact: Both reach beyond their borders. If your SaaS serves Indian customers from a US datacentre, DPDP still applies; if it serves EU customers from Pune, GDPR still applies.

Lawful basis
  GDPR (EU): Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
  DPDP Act (India): Consent OR “certain legitimate uses” (data voluntarily provided for a specified purpose, employment, legal obligations and court orders, medical emergency, etc.).
  Practical impact: DPDP does NOT have a broad legitimate-interest basis. If your GDPR programme leans on legitimate interest for marketing or analytics, that lever goes away in India.

Data Principal rights
  GDPR (EU): Access, rectification, erasure (right to be forgotten), restriction, portability, objection.
  DPDP Act (India): Access, correction, erasure, grievance redressal, nomination.
  Practical impact: DPDP gives a “nomination” right that GDPR does not (a data principal can nominate someone to exercise their rights after death or incapacity), and DPDP has no portability right.

Cross-border transfer
  GDPR (EU): Adequacy decision OR SCCs OR BCRs OR derogations.
  DPDP Act (India): Permitted by default UNLESS the receiving country is on a central-government “negative list” (still to be notified).
  Practical impact: DPDP is more permissive on transfer in principle, more uncertain in practice until the negative list is published.

DPO requirement
  GDPR (EU): Mandatory if core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special-category data.
  DPDP Act (India): Mandatory ONLY for Significant Data Fiduciaries, and the DPO must be based in India.
  Practical impact: If you are not an SDF, a published grievance contact (a less senior role) satisfies DPDP, but you still need a DPO under GDPR if the GDPR trigger applies.

Breach notification
  GDPR (EU): 72 hours to the supervisory authority (Article 33); “without undue delay” to data subjects if the breach is likely to result in high risk (Article 34).
  DPDP Act (India): Intimation to the Data Protection Board and to each affected data principal in the form and manner the Rules prescribe (operationally 72 hours to the Board per the draft Rules).
  Practical impact: Timing is converging, but DPDP’s intimation to data principals is broader: it is not gated on a high-risk threshold.

Penalty cap
  GDPR (EU): Up to EUR 20 million OR 4% of global annual turnover, whichever is higher.
  DPDP Act (India): Up to Rs.250 crore per instance, with a Schedule of separate caps by violation type.
  Practical impact: DPDP caps are per violation and compound across findings. EUR 20 million is approx Rs.180 crore at May 2026 rates.

Children’s data
  GDPR (EU): Parental consent below 16 (member states may lower this to 13).
  DPDP Act (India): Verifiable parental consent below 18, plus a ban on tracking, behavioural monitoring and targeted advertising directed at children.
  Practical impact: If you have ed-tech or gaming products, DPDP is stricter.

Records of processing
  GDPR (EU): ROPA required (Article 30); the exemption for organisations under 250 employees falls away if the processing is non-occasional, likely to result in risk, or includes special categories.
  DPDP Act (India): Records required for SDFs and processors of specified volume; format prescribed by the Rules.
  Practical impact: Your GDPR ROPA gives you roughly 70 percent of the DPDP record requirement; format conversion is the rest.

The takeaway: DPDP is not “GDPR-lite” and it is not “GDPR-plus.” It is its own regime that overlaps in spirit but diverges in six places that affect the operating model: the consent notice, the lawful-basis menu, the SDF designation, the breach intimation scope, the children’s age threshold, and the cross-border negative list. Map each one in your gap analysis. Do not assume your GDPR controls cover them.

Where DPDP goes further than GDPR (and where it does not)

This is where most Indian boards get confused. The narrative in 2024 and early 2025 was “DPDP is lighter than GDPR, we will be fine.” That narrative is wrong on three specific axes. Knowing them lets you stop the dismissive Board conversations early, which saves approx 2 to 3 cycles of “are we really exposed?” questioning.

DPDP is stricter than GDPR on:

  • Children’s data. GDPR cuts off at 16 (some member states 13). DPDP cuts off at 18 with verifiable parental consent. If you ship a product that any Indian under-18 uses, your consent flow needs a parent or guardian in the loop. This catches ed-tech, gaming, social, fitness apps. Plan a verification mechanism that does not just take a tick-box at face value.
  • Penalty per violation. GDPR’s 4 percent of global turnover sounds scarier in headlines, but DPDP’s per-violation caps (up to Rs.250 crore, depending on the violation type in the Schedule) stack. Three separate violations during the same audit cycle can in principle produce three separate notices, each at the cap for its violation type. Counsel calculates the realistic ceiling at approx Rs.50-150 crore for a serious mid-size breach, which is fully in the same league as GDPR’s nominal cap.
  • Itemised consent notice form. GDPR requires “clear and plain language.” DPDP requires that PLUS the option to access the notice in English or any of the 22 languages in the Eighth Schedule to the Constitution. If your in-app consent flow is English only and you market in India, that is a build to add a language picker on the consent screen across every touchpoint.

GDPR is stricter than DPDP on:

  • Lawful basis options. GDPR’s six bases let you fall back to “legitimate interest” for analytics, fraud detection, and certain direct marketing. DPDP does not have an equivalent broad legitimate-interest basis. So if your marketing programme is consent-light in the EU, you need to redesign it for India.
  • Mandatory DPO. Under GDPR, regular and systematic monitoring at scale triggers a DPO requirement regardless of company size. Under DPDP, the DPO requirement is gated on Significant Data Fiduciary status. Most mid-size Indian companies will be Data Fiduciaries without the “Significant” tag.
  • Documented impact assessments. GDPR’s DPIA requirement triggers on high-risk processing for any controller. DPDP’s DPIA requirement triggers only on SDF designation. Counsel still recommends DPIAs as best practice for all DPDP-covered processing, but it is not legally required for non-SDFs.

Now the polarising bit. Most Indian privacy programmes in 2026 are doing one of two things wrong: they are either treating GDPR as the ceiling (and getting blindsided by the children’s-data clause), or treating DPDP as the ceiling (and missing the GDPR DPO and DPIA gates for their EU pipeline). The lazy assumption that one regime covers the other is exactly why mid-size firms end up paying for two parallel programmes by accident. The tier-one consulting firms know this. The Big-4 audit firms know this. The buyer is often the only one who doesn’t.

Cross-border data transfer: the bit your EU customer will ask about

This is where the 8:10pm-Tuesday conversation gets sharp, and where DPDP Act vs GDPR comparison stops being academic. Meera’s EU logistics customer is renewing in March 2027 and their procurement team will ask for a Standard Contractual Clauses (SCC) refresh, plus a Transfer Impact Assessment, plus increasingly a DPDP attestation as a parallel disclosure. The Indian SaaS provider needs both legs of the transfer covered.

GDPR’s transfer rules are well-worn by now. EU to India: India is NOT on the EU adequacy list (the list is short, and India is not on it as of May 2026). So you fall back to SCCs, plus a Transfer Impact Assessment, plus supplementary measures (encryption at rest, key management in the EU, etc.). This is what your existing GDPR work already does if you serve EU customers.

DPDP’s transfer rules go the other direction. India is permissive by default: transfer is allowed UNLESS the receiving country is on a MeitY “negative list” (the central government will notify which countries are off-limits). As of May 2026 the negative list has not been published. The operational position is: assume transfer is permitted, but document your processor relationships and your security controls so that when the list drops, you can swap quickly without a customer-impacting outage. See the MeitY DPDP framework page for the latest notification status.

What this means for the dual-compliance shop:

  • Your DPA template needs BOTH an SCC annex (for EU-to-India flows) AND a DPDP processor clauses block (for India-to-India and India-to-anywhere flows). Use Article 28 of the GDPR as the spine for the processor obligations, then layer the DPDP language on top.
  • Your data map needs to record the origin and destination country of every flow, including flows that stay inside the EU or inside India, because once the MeitY negative list publishes you will need to triage which flows to re-route fast, and you cannot triage flows you have not inventoried.
  • Your security questionnaire needs to ask vendors about residency, key control, sub-processor list, and breach notification timelines that satisfy BOTH 72-hour clocks.
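The data-map triage described above, as an added example that is not the page’s or Sirius Star’s tooling. It classifies every flow in a constructed data map on both legs: the GDPR transfer mechanism for EU-outbound flows (intra-EEA, adequacy, or SCCs plus TIA) and the DPDP position for India-outbound flows against a negative list. The negative list is hypothetical (nothing has been notified), the adequacy set is a small illustrative subset of the real list, country codes are ISO 3166-1 alpha-2, and “ZZ” is a user-assigned code standing in for a hypothetically listed country.

```python
"""Data-map triage for the two transfer legs (added example, not the page's tooling).

Every flow is classified on both legs so that the day a negative list drops,
re-running triage() with the notified list immediately yields the flows to re-route.
"""
from dataclasses import dataclass

# EU member states plus the three EEA/EFTA states where GDPR applies.
EU_EEA = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
    "PL PT RO SK SI ES SE IS LI NO".split()
)

# Illustrative SUBSET of the EU adequacy list (UK, Switzerland, Japan).
# India is not on the adequacy list.
ADEQUACY = frozenset({"GB", "CH", "JP"})


@dataclass(frozen=True)
class Flow:
    name: str         # what the flow carries
    origin: str       # country of the data subject / data principal
    destination: str  # country where the processor stores or processes it
    processor: str    # vendor or internal system at the destination


def gdpr_leg(flow: Flow) -> str:
    """Transfer mechanism GDPR needs for an EU-outbound flow, or 'n/a' otherwise."""
    if flow.origin not in EU_EEA:
        return "n/a"
    if flow.destination in EU_EEA:
        return "intra-EEA (no transfer mechanism)"
    if flow.destination in ADEQUACY:
        return "adequacy decision"
    return "SCC + TIA + supplementary measures"


def dpdp_leg(flow: Flow, negative_list: frozenset) -> str:
    """DPDP position for an India-originating flow against the (hypothetical) negative list."""
    if flow.origin != "IN":
        return "n/a"
    if flow.destination == "IN":
        return "domestic"
    if flow.destination in negative_list:
        return "RESTRICTED: re-route or stop"
    return "permitted (document processor and controls)"


def triage(flows, negative_list=frozenset()):
    """Return (per-flow classification, names of flows that must be re-routed now)."""
    report = {}
    reroute = []
    for f in flows:
        g, d = gdpr_leg(f), dpdp_leg(f, negative_list)
        report[f.name] = {"gdpr": g, "dpdp": d, "processor": f.processor}
        if d.startswith("RESTRICTED"):
            reroute.append(f.name)
    return report, reroute


# Constructed data map for a Pune SaaS serving EU and Indian customers.
DATA_MAP = [
    Flow("eu-logistics-telemetry", "DE", "IN", "analytics-cluster-pune"),
    Flow("eu-support-tickets", "FR", "GB", "helpdesk-saas-london"),
    Flow("in-fintech-events", "IN", "US", "warehouse-us-east"),
    Flow("in-payroll", "IN", "IN", "hr-system-mumbai"),
    Flow("in-email-relay", "IN", "ZZ", "mail-vendor-zz"),  # ZZ: hypothetical listed country
]


if __name__ == "__main__":
    # Day 0: no negative list notified, so every India-outbound flow is permitted.
    before, _ = triage(DATA_MAP)
    # Day N: a hypothetical notification lists "ZZ"; re-run to find flows to re-route.
    after, to_fix = triage(DATA_MAP, frozenset({"ZZ"}))
    for name, row in after.items():
        print(f"{name:24} GDPR: {row['gdpr']:36} DPDP: {row['dpdp']}")
    print("re-route now:", to_fix)
```

The model is deliberately simple: it keys scope on the origin country only, whereas both regimes can also attach through the establishment of the fiduciary or through whom you offer services to, so treat the output as a triage list for counsel, not a legal determination. The point of keeping domestic flows in the inventory is that a re-route usually means swapping a processor, and you need the processor column populated for every flow before the list drops, not after.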

By the way, did you know we built a one-page DPDP-GDPR mapping checklist that maps every clause in a typical SaaS DPA to its DPDP and GDPR equivalent? It is the same checklist we use on every dual-compliance audit. The full Indian privacy stack including device-side controls is covered in our Device Lifecycle Management programme when the conversation extends to endpoint residency and BYOD policy. Reply MAPPING on WhatsApp and we will send the checklist plus the parallel-quote offer below.

What to do if you sell to BOTH Indian and EU customers

Here is the 8-step playbook we use for SaaS firms in the Meera situation, mapping DPDP Act vs GDPR control by control. The goal is one operating model instead of two, which saves approx Rs.40-80 lakh in duplicate spend over the first 18 months.

  1. Map your existing GDPR controls to the DPDP control matrix. A 60-control matrix takes approx 2 weeks. Use the 9-row side-by-side above as the spine, then layer in the SOC 2 controls if you already have them.
  2. Identify your Data Fiduciary status under DPDP. Are you a Significant Data Fiduciary or a regular Data Fiduciary? The answer drives DPO requirement, DPIA cadence, and audit obligation.
  3. Rewrite your consent notice for India. Multi-language picker, itemised purpose list, easy withdrawal, prominent positioning. Build version control so a notice update logs the prior version for audit.
  4. Audit your lawful basis stack. Any place you rely on legitimate interest under GDPR needs a consent or legitimate-use migration plan for India. Marketing is usually the biggest hit.
  5. Build a unified DPA template. One template, SCC annex for EU, DPDP processor block for India. Counsel review approx Rs.3-6 lakh. Worth it.
  6. Name a Grievance Officer (and DPO if SDF). Publish contact on the website, set up a ticketing flow that meets the DPDP redressal timeline. Worth doing even if you are not SDF because it builds the muscle for when you scale into one.
  7. Refresh your breach runbook. Single runbook that satisfies BOTH the 72-hour GDPR clock and the operationally-72-hour DPDP clock. One escalation tree, two notification destinations.
  8. Refresh your vendor questionnaire. Add residency questions, sub-processor disclosure, breach notification SLA, security certification list. Re-survey your top 20 vendors first.

Eight steps, approx 8 to 10 weeks if you have a focused compliance lead and counsel support. Approx 12 to 14 weeks if compliance is a fractional role.

FAQ

Q: Is GDPR compliance enough to make me DPDP compliant in India? A: No. GDPR covers approx 60 percent of DPDP controls but DPDP diverges on consent notice form, Significant Data Fiduciary designation, children’s data threshold, lawful-basis menu, and cross-border negative list. Plan a gap assessment, not a rebrand.

Q: Do I need two Data Protection Officers if I am subject to both DPDP and GDPR? A: Not necessarily one human per regime. You need a DPO under GDPR if your core activities involve regular and systematic monitoring at scale. You need a DPO under DPDP only if you are designated a Significant Data Fiduciary. If both apply, one named DPO based in India who satisfies both regimes is acceptable. Cleaner reporting, single board memo.

Q: Which is worse, the Rs.250 crore DPDP cap or the GDPR 4 percent of turnover? A: For a mid-size Indian firm with turnover under Rs.5,000 crore, the DPDP per-violation cap is in the same league. Both can stack across multiple findings. Counsel models a realistic worst-case at approx Rs.50-150 crore for a serious breach under either regime.

Q: What changes for cross-border data transfer between EU and India? A: GDPR (EU outbound) still requires SCCs because India is not on the EU adequacy list. DPDP (India outbound) is permissive UNLESS the receiving country is on the MeitY negative list, which is not yet published as of May 2026. Plan a DPA template with both legs and a data map ready to triage when the list drops.

Q: When does DPDP fully enforce? A: Schedule is in phases. The Act is in force; the Rules are in final-draft circulation; the Data Protection Board is being constituted. Industry consensus for full enforcement is by May 2027. Build for May 2027 readiness now, not after.



Priya’s take: Honestly, the firms that get this wrong are the ones whose CISO says “we are GDPR-compliant, we are fine.” We have seen four of those in the last six weeks. Every one of them was missing the DPDP consent notice rewrite and the children’s-data clause. Okay, GDPR gives you the bones; DPDP demands the body. If you serve customers on both sides, run one privacy programme, not two. The dual operating model is value for money for a 250 to 500 person company; we have mapped it for clients in Pune, Bangalore, and Vashi this year. The single biggest waste in Indian mid-size privacy spend in 2026 is paying twice because no one mapped the overlap. We do this audit through Secure Data Guard, and the parallel device-side residency control belongs in your DLM programme.



Book a DPDP and GDPR mapping audit, free for SaaS firms serving both regimes.

200+ businesses trust Sirius Star. Response within 4 working hours.

Risk reversal: if we do not find at least Rs.15 lakh of duplicate or missed privacy spend in your current programme, the audit is free.

The audit covers: (a) gap assessment against DPDP and GDPR, (b) the DPDP-GDPR mapping checklist (one-pager PDF), (c) a unified DPA template review, (d) a peer benchmark from three comparable Indian SaaS firms, (e) a parallel quote against your current counsel.

Book your DPDP and GDPR mapping audit on WhatsApp → or contact us via the form.


P.S. The one-page DPDP-GDPR mapping checklist we use on every SaaS audit is a single A4 PDF that lists 60 controls and shows DPDP coverage, GDPR coverage, and the recommended bridge clause for each. Reply MAPPING on WhatsApp and we will send it. It includes the children’s-data flow, the consent notice rewrite template, and the unified DPA SCC-plus-DPDP annex skeleton.



About the author

Priya Sharma is Compliance Lead at Sirius Star Enterprise Technologies, where she runs data protection and DPDP / GDPR readiness programmes for Indian mid-size firms across SaaS, BFSI, healthcare and ITES. She has led approx 25 DPDP gap assessments in the last 18 months, including dual DPDP plus GDPR mappings for SaaS firms serving EU customers, and works out of Vashi, Navi Mumbai.

Profile: /author/priya-sharma/
