India finally has its data protection law. Europe has had one since 2018. If your organisation sits at the intersection of both, you are now subject to two comprehensive privacy regimes simultaneously, and the gaps between them are where the risk lives.
A New Privacy Reality for Indian Businesses
For years, Indian technology companies, IT services firms, and multinationals with Indian operations operated under a patchwork of legacy rules (primarily the IT Act of 2000 and its 2011 Rules) while serving European clients under GDPR obligations. That asymmetry is gone.
On 13 November 2025, India’s Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025 under the DPDP Act, 2023, formally operationalising India’s first comprehensive data protection law. The Data Protection Board of India was established on the same date, and the phased enforcement timeline began ticking.
For CISOs and privacy leaders at Indian organisations with EU exposure (whether an IT services company processing EU employee data, a SaaS platform serving European enterprises, or an Indian conglomerate with EU subsidiaries), this moment changes the compliance equation fundamentally.
THE CORE CHALLENGE: GDPR compliance does not automatically mean DPDP compliance. The two laws share a common philosophy but diverge materially in their mechanics. A compliance posture built for GDPR alone will have gaps, and those gaps carry penalties under both regimes.
Where India Stands Right Now: The DPDP Timeline
Understanding exactly where India is in its enforcement journey is essential context before comparing the two regimes:
| Date | Milestone |
| Aug 11, 2023 | DPDP Act receives Presidential assent. India’s first comprehensive data protection law |
| Nov 13, 2025 | DPDP Rules 2025 notified by MeitY. Data Protection Board of India established. Enforcement clock starts. |
| Nov 13, 2026 | Consent Manager registration opens. DPB gains authority to investigate and penalise consent manager breaches. |
| May 13, 2027 | FULL ENFORCEMENT: All substantive provisions apply: consent systems, privacy notices, breach protocols, data rights, security safeguards. |
The phased structure gives organisations a window, but the window is closing. The full enforcement deadline of May 2027 is 14 months away. Given that building robust consent infrastructure, data mapping programmes, and breach response capabilities typically takes 12 to 18 months, organisations that have not started are already running behind.
GDPR vs. DPDP: The Side-by-Side Reality
Both laws protect individuals’ personal data. Both apply extraterritorially. Both carry serious financial penalties. But their mechanics are meaningfully different, and for a CISO managing dual compliance, those differences determine where you need distinct programmes versus where a unified approach works.
| Element | GDPR (EU) | DPDP Act (India) |
| Scope | All personal data (digital AND non-digital) of EU residents, regardless of where processing occurs | Digital personal data only. Applies within India, plus entities outside India offering goods/services to Indians |
| Legal Bases | Six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests | Primarily consent-centric. ‘Legitimate uses’ permitted for limited situations. No equivalent to GDPR’s broad ‘legitimate interests’ |
| Sensitive Data | Explicit special categories: health, biometrics, religion, sexual orientation. Require enhanced protection | No separate sensitive data category defined. Strong restrictions on children’s data (age threshold: 18) |
| Cross-Border Transfers | Requires adequacy decision, SCCs, or BCRs. Each transfer mechanism must be actively established | Permissive by default. All transfers allowed unless Indian Government publishes a ‘negative list’ of restricted countries. No such list exists yet |
| Data Subject Rights | Access, rectification, erasure, restriction, portability, objection, automated decision safeguards | Access, correction, erasure, grievance redressal, consent withdrawal, nominee rights. No explicit portability right |
| Breach Notification | 72-hour notification to supervisory authority; notification to data subjects without undue delay | Mandatory notification to Data Protection Board AND affected individuals. No specific timeframe defined yet in Rules |
| Penalties | Up to €20 million or 4% of global annual turnover, whichever is higher | Up to ₹250 crore (~€27–28 million) per violation. DPB can also mandate urgent remedial measures |
| Enforcement Authority | 27 independent national Data Protection Authorities (one per EU member state) | Centralised: Data Protection Board of India (DPBI), established November 2025 |
| Data Protection Officer | Mandatory for high-risk processing, public authorities, and large-scale systematic monitoring | Mandatory only for ‘Significant Data Fiduciaries’ (SDFs); classification pending government notification |
Five Fault Lines Every Indian CISO Must Navigate
1. The Consent Gap
This is arguably the most operationally disruptive difference. Under GDPR, many common business activities (analytics, fraud prevention, employee monitoring, direct marketing) can be justified under ‘legitimate interests’ without obtaining explicit consent. Under the DPDP Act, this latitude largely does not exist.
The DPDP Act is consent-centric. If you cannot justify processing under one of the Act’s narrow ‘legitimate uses’ (which covers things like legal compliance, government services, and employment-related processing), you need free, specific, informed, unconditional, and unambiguous consent from the data principal.
PRACTICAL IMPACT: Indian IT services companies processing EU client employee data for HR analytics or workforce tools often rely on GDPR’s legitimate interests basis. That same processing, when it involves Indian employees or Indian data subjects, will require explicit consent under DPDP, and the two consent architectures cannot be identical. You need both, built separately.
2. The Cross-Border Transfer Puzzle
Cross-border data flows are where the two regimes are most structurally different, and where Indian companies operating in the EU face the most complexity.
Under GDPR, transferring personal data from the EU to India requires an active transfer mechanism. India does not currently hold an adequacy decision from the European Commission. This means Standard Contractual Clauses (SCCs) are the primary mechanism Indian companies use to receive EU personal data, and those SCCs must be accompanied by a Transfer Impact Assessment evaluating Indian surveillance law.
Under DPDP, the direction reverses: transferring personal data from India to the EU is currently permissive by default. The DPDP Act permits outbound transfers to all countries unless the Indian Government publishes a ‘negative list’ of restricted jurisdictions. As of March 2026, no such list has been published. The EU is unlikely to appear on it.
THE ASYMMETRY: The asymmetry is real: EU → India requires active GDPR safeguards (SCCs + Transfer Impact Assessment). India → EU is currently unrestricted under DPDP. But this could change if a restricted list is published. Monitor this actively and maintain transfer documentation in both directions.
3. Sensitive Data: A Structural Blind Spot
The DPDP Act defines no separate category of sensitive personal data. This does not mean India treats health or biometric data casually. India’s sectoral regulators (RBI for financial data, IRDAI for insurance, MoHFW for health) impose separate obligations. But the DPDP Act itself does not distinguish sensitive from non-sensitive personal data.
For CISOs, the risk is under-protection. A company that applies standard processing procedures to health data of Indian employees or customers, on the assumption that ‘India doesn’t have a sensitive data category’, is likely violating both sectoral regulations and the spirit of the DPDP Act, and would be completely exposed if GDPR-level scrutiny were ever applied.
BOARD-LEVEL GUIDANCE: The practical guidance is clear: apply GDPR-level sensitivity treatment to health, biometric, financial, and religious data regardless of which jurisdiction’s law applies. Your GDPR programme sets the floor. The gap in Indian law is not a permission to do less; it is a gap that will likely be filled in future Rules.
4. Breach Notification: Two Regulators, One Clock
Both laws require you to notify authorities and affected individuals when a personal data breach occurs. The mechanics differ enough to warrant separate response playbooks, but the clock starts at the same moment.
- GDPR requires notification to the relevant national supervisory authority within 72 hours of becoming aware of a breach. Notification to affected individuals is required ‘without undue delay’ when the breach is likely to result in high risk.
- DPDP requires notification to the Data Protection Board of India and to affected data principals. The DPDP Rules 2025 require reporting but do not specify an exact timeframe; regulatory guidance on this is anticipated. The Board can also mandate urgent remedial or mitigation measures immediately upon being notified.
For an Indian IT company that processes both EU client data and Indian employee data, a single security incident can simultaneously trigger GDPR’s 72-hour clock to a European DPA and DPDP’s reporting obligation to the DPBI. Without a unified incident response plan that accounts for both, you will almost certainly miss one of them.
5. Regulatory Structure: Two Different Conversations
Under GDPR, enforcement is decentralised. Each EU member state has its own Data Protection Authority. A German company files with the Bundesbeauftragter. An Irish breach involving Meta goes to the Irish DPC. For Indian companies with EU clients spread across multiple member states, the ‘lead supervisory authority’ concept helps, but navigating multiple DPAs is still a reality.
DPDP’s enforcement is centralised under the Data Protection Board of India, established in November 2025. The Board is a four-member adjudicatory body that handles complaints, conducts inquiries, and imposes penalties. It was constituted as a body under the Digital Personal Data Protection Act, with the appointment process for its members underway as of early 2026.
The implication: your regulatory relationship management strategy needs to account for two distinct enforcement cultures, two distinct complaint processes, and two distinct sets of regulatory expectations, even where the underlying data event is the same.
Understanding the Penalty Exposure
Both laws carry meaningful financial consequences. The profiles differ in structure:
| Violation Type | GDPR Maximum | DPDP Maximum |
| Core obligations breach | €20 million or 4% of global annual turnover | ₹250 crore (~€27–28 million) per violation |
| Inadequate security safeguards | €10 million or 2% of global annual turnover | ₹200 crore (~€22 million) |
| Consent manager violations | Varies by DPA | ₹150 crore (~€16 million); applicable from Nov 2026 |
FINANCIAL RISK FRAMING: GDPR’s turnover-linked penalty is more severe for large global organisations. Four percent of global annual turnover for a company with ₹10,000 crore revenue could easily reach ₹400 crore. DPDP’s per-violation cap of ₹250 crore is significant but fixed. For an organisation with large-scale Indian data processing, multiple simultaneous DPDP violations could stack. Budget for both risk profiles.
The CISO’s Dual Compliance Action Plan
Running a programme that satisfies both regulators is achievable, but it requires deliberate design, not bolt-on adjustments to an existing GDPR compliance stack. Here is where to focus:
| Area | What Your Team Must Do |
| Data Mapping | Map every personal data flow: what you collect, where it lives, who can access it, and which jurisdiction’s law governs it. GDPR and DPDP have different scope triggers; your map is the starting point for both. |
| Consent Architecture | GDPR permits processing on legitimate interest; DPDP largely does not. Any system relying on GDPR’s ‘legitimate interests’ basis for Indian data subjects needs rethinking. Build granular, revocable, documented consent for both. |
| Cross-Border Transfers | Under GDPR, EU-to-India data transfers need active safeguards (SCCs or similar). Under DPDP, India-to-EU transfers are currently permissive, but a government ‘negative list’ could change this. Document your transfer mechanisms now. |
| Breach Response | GDPR requires 72-hour regulatory notification. DPDP requires notification to the DPB and affected individuals (timeline TBC in Rules). Build a single breach playbook that satisfies both regimes simultaneously. |
| DPO / Governance | GDPR may require a DPO for your EU operations. DPDP will require a DPO in India if you are classified as a ‘Significant Data Fiduciary’. Plan for both roles; they may not be the same person. |
| Vendor Contracts | Review contracts with EU processors and Indian sub-processors. GDPR-compliant Data Processing Agreements and DPDP-compliant obligations (audit rights, breach notification, retention limits) need to exist in all agreements. |
| Language & Notices | DPDP mandates that notices to data principals be available in the 22 scheduled Indian languages. GDPR requires clear, plain language in the EU language of the data subject. Two different notice frameworks; both must be maintained. |
What GDPR-Compliant Indian Companies Get Wrong About DPDP
Many Indian IT and technology companies have invested heavily in GDPR compliance to win and retain EU clients. That investment is valuable, but it creates a dangerous false confidence about DPDP readiness. Here are the most common misconceptions:
- Misconception 1: ‘Our GDPR privacy notices work for India.’
DPDP requires notices to be available in all 22 languages listed in India’s Eighth Schedule. Your English-only privacy policy does not satisfy this. Additionally, DPDP uses distinct terminology (‘Data Principal’ and ‘Data Fiduciary’), and the notice must be standalone and precede the consent request.
- Misconception 2: ‘We don’t need to worry about children’s data. That’s covered under GDPR.’
GDPR sets the threshold at 16 (with member states able to lower this to 13). DPDP sets it at 18, a significantly higher bar. DPDP also explicitly prohibits behavioural monitoring and targeted advertising directed at children, and mandates verifiable parental/guardian consent. If your product has any Indian users under 18, your GDPR children’s data framework is not sufficient.
- Misconception 3: ‘Our DPA covers DPDP as well.’
GDPR Data Processing Agreements between EU controllers and Indian processors govern the EU-to-India transfer. But the DPDP Act places separate obligations on Indian Data Fiduciaries directly, including breach notification to the DPBI, data principal rights management, and security safeguards. These cannot be contracted away and are in addition to your GDPR DPA.
- Misconception 4: ‘Legitimate interests covers our analytics use cases in India.’
It does not. DPDP has no equivalent to GDPR’s legitimate interests basis. Analytics, profiling, and direct marketing that you run for Indian users require either explicit consent or must fall within the narrow ‘legitimate uses’ defined in the Act. This affects every Indian-targeted marketing campaign and every internal people analytics initiative.
Why This Matters Beyond the Compliance Checkbox
The convergence of GDPR and DPDP is not just a legal compliance story. It represents a structural shift in how Indian businesses are perceived, and how they operate, on the global stage.
Indian IT services companies that handle EU personal data are already under intense scrutiny from European enterprise clients. Post-Schrems II, every data transfer from the EU to India is legally required to be supported by SCCs and a Transfer Impact Assessment that evaluates India’s surveillance framework. Demonstrating robust DPDP compliance (not just GDPR pass-through compliance) will increasingly become a differentiator in competitive enterprise sales situations.
At the same time, India’s DPDP Act signals that the Indian Government views strong data protection as essential to the country’s ambition to be a trusted global technology partner. Companies that invest in genuine dual compliance now are positioning themselves ahead of what is likely to be a tightening regulatory environment on both sides.
CLOSING THOUGHT FOR THE BOARD: The organisations that will navigate this landscape most effectively are those that build a unified data governance capability, not two separate compliance functions. A single data map, a unified consent platform, an integrated breach response playbook, and a cross-border transfer register that accounts for both directions. This is a programme investment, not a legal filing.