Introduction
At the forefront of the global data protection regimes is the European Union’s General Data Protection Regulation (GDPR), a trailblazer in establishing robust norms on data protection. Entering this dynamic landscape is India’s first proper data protection law, the DPDP Act.
This new law signifies India's commitment to aligning with global standards of data privacy while addressing its unique socio-economic context.
For corporations that are subject to both GDPR and DPDP, comprehending the similarities and distinctions between these two regimes is crucial to ensure seamless compliance. Equally, for Indian enterprises that are relatively new to comprehensive data protection frameworks, this article offers practical insights.
What is the Scope and Applicability of the DPDP Act?
GDPR applies to any organization processing personal data of EU residents, regardless of whether the company is physically based in the EU. Its scope covers both online and offline personal data when part of a structured filing system.
The DPDP Act also has extraterritorial application, covering entities outside India that process the data of Indian residents. However, it focuses only on digital personal data. Offline personal data is excluded unless it is digitized.
Key difference: GDPR covers broader types of personal data, while DPDP is limited to digital data.
Definition of Personal Data under DPDP Act
GDPR: Defines personal data broadly and introduces “special categories” such as racial origin, political beliefs, and health data, which require stricter compliance.
DPDP Act: This applies to all personal data in the digital space, without differentiating between sensitive or critical categories. This means the DPDP Act does not impose varied compliance standards for different data types, leading to a consistent standard across all personal data classes.
How is consent differentiated in the DPDP Act?
Under the GDPR, consent must be freely given, specific, informed and unambiguous.
The DPDP Act's definition of consent is almost identical: both laws require consent to be free, specific, informed and unambiguous, given through a clear affirmative action. The DPDP Act uniquely adds the word ‘unconditional’ to the definition, making consent slightly more robust. However, the understanding is largely the same across the two laws.
Both DPDP and GDPR prioritize user choice, though DPDP goes a step further with explicit unconditionality.
Role of Stakeholders under DPDP Act
The individual whose personal data is being processed is called 'Data subject' under the GDPR. The DPDP Act refers to them as 'Data Principals,' maintaining the individual-centric approach of GDPR.
Both laws grant these individuals rights over their data, such as the right to correction, erasure, information and grievance redressal. Notably, the GDPR grants additional rights that are not expressly offered by the DPDP Act, including the ‘right to data portability’ and the ‘right against automated decision making’.
Under the GDPR, the entity that determines the purposes and means of processing personal data is known as the 'Data Controller.' Similarly, the DPDP Act introduces the concept of a 'Data Fiduciary,' mirroring the role of a data controller in GDPR.
The DPDP Act further distinguishes some fiduciaries as 'Significant Data Fiduciaries' based on criteria such as the volume and nature of data processed.
Entities that process data on behalf of the controller without determining the means and purpose are called Data Processors under both laws.
The GDPR places direct compliance obligations on data processors, also subjecting them to penalties for non-compliance. The DPDP Act does not impose obligations on data processors. Instead, the responsibility lies with the Data Fiduciaries (controllers) to ensure compliance by the processors they engage.

What are the grounds of processing under the DPDP Act?
Both the GDPR and the DPDP Act establish specific grounds under which personal data can be processed, forming the legal basis for operations involving personal data.
The GDPR offers a wider list of lawful bases for data processing. These include:
a) consent of the data subject
b) performance of a contract
c) compliance with legal obligations
d) protection of vital interests
e) performance of a task carried out in the public interest, and
f) legitimate interests pursued by the data controller or a third party.
This variety provides flexibility for organizations to choose the most appropriate basis for different processing activities.
The DPDP Act provides a much narrower list. The primary ground is the consent of the data principal, which is essential for most activities. Grounds other than consent are allowed only in certain exceptional scenarios known as ‘certain legitimate uses’. These include activities necessary for the performance of State functions, compliance with law, response to medical emergencies, and employment-related purposes.

Consent Managers under the DPDP Act
The streamlined focus of the DPDP on Consent is reflective of the Indian regime’s objective of putting user choice and empowerment at the very forefront. Since Consent is the most significant and common ground for processing under the DPDP Act, it uniquely provides for the concept of “Consent Managers”.
Consent Managers are entities registered with the Data Protection Board, responsible for managing and overseeing the consents given by data principals. They serve as a centralized platform for individuals to grant, review, and withdraw their consent, simplifying consent management in the digital ecosystem. Consent Managers may play a central role in not just enabling individuals but also easing the compliance burden of businesses.
What are the compliance obligations under the new DPDP Act?
The GDPR and DPDP Act establish a range of obligations for businesses, focusing on:
a) notice requirements
b) handling of data breaches, and
c) the role of data processors.
Here’s how these obligations differ between the two regulations.
Notice for Personal Data
GDPR: Notice is mandatory in all cases of personal data collection. It must include the controller's identity, the purposes and legal basis of processing, and the rights of data subjects.
DPDP: The DPDP Act stipulates that notices must be provided to data principals ONLY when consent is the basis for processing. This means if the data is being collected/processed for a certain legitimate use where consent is not required, there is no obligation to give a notice.
Breach Notice
GDPR: Under the GDPR, breaches that may pose a risk to the rights and freedoms of data subjects must be reported to the relevant authorities. Affected data subjects must be notified only if the breach is likely to lead to a high risk to their rights.
DPDP: The DPDP Act has a stricter notice requirement, mandating data fiduciaries to report ALL personal data breaches, regardless of their risk assessment, to the Data Protection Board and to the affected individuals.
Cross-Border Data Transfer
GDPR: The transfer of personal data outside the EU is subject to strict regulations under the GDPR. It allows data transfer to countries deemed to have adequate data protection measures or through mechanisms like Standard Contractual Clauses or Binding Corporate Rules.
DPDP: The DPDP Act allows the Central Government to restrict the transfer of personal data to certain notified countries or territories outside India. The Act's approach is expected to be less prescriptive than GDPR, focusing more on governmental discretion to determine safe data transfer jurisdictions.
Children’s Data
GDPR: The GDPR imposes strict conditions on processing children's data, especially in the context of commercial services and profiling. The GDPR follows a more flexible approach and sets the age of consent at 16, which can be lowered to 13 by member states.
DPDP: The DPDP Act defines individuals below 18 years as children, requiring verifiable parental consent for processing their data. It specifically prohibits processing that is likely to cause harm to children, including targeted advertising.
Data Protection Officers
DPOs play a crucial role in advising on, monitoring, and ensuring compliance.
Both regulations mandate appointing Data Protection Officers for entities handling significant data volumes. The DPDP's specific requirements for DPOs will be detailed in upcoming rules.
Penalties and Enforcement
GDPR: Penalties can reach up to €20 million or 4% of global turnover.
DPDP: Penalties up to ₹250 crore (~€28 million) per violation.
