India’s Digital Personal Data Protection Act (DPDP Act 2023) and the DPDP Rules 2025 represent the country’s first comprehensive privacy framework.
Many Indian companies already follow GDPR or have implemented ISO/IEC 27701, leading to a common question:
“If we are GDPR-compliant, how much more do we need to do for DPDP?”
The short answer: You have a strong foundation, but DPDP introduces India-specific rules that require re-designing notices, consent UX, retention logic, breach processes, and contractual language.
DPDP vs GDPR — Detailed Comparison Table
| Category | DPDP Act 2023 & Rules 2025 | GDPR | Key Impact for Organisations |
|---|---|---|---|
| Legal Bases | Consent + Limited “Legitimate Use” grounds only | 6 legal bases incl. Legitimate Interest | All GDPR legitimate-interest processing must be re-mapped. |
| Concept of Legitimate Interest | Not recognised | ✔ Recognised and widely used | Companies must shift to consent or specific Legitimate Use. |
| Notices | Must be itemised, simple, purpose-specific, bilingual | Broader notices allowed | Rewrite notices to Rule-3 format. |
| Consent | Unambiguous, unconditional, affirmative action; equal ease withdrawal | Affirmative action; withdrawal required but no “equal ease” mandate | Rebuild UX to support simple opt-out & audit-proof logs. |
| Rights (DSR/DSAR) | Access, correction, updating, erasure, grievance, nomination; 90-day SLA | Access, rectification, erasure, portability, objection; 30 days | Extend SLA; add nomination; adjust verification. |
| Children’s Data | No tracking, profiling, behavioural ads; strict parental verification (Schedule IV) | Parental consent required, ads allowed in some cases | Rebuild flows for minors + PWD verification. |
| PWD (Persons with Disability) | Guardian verification required; specific rules | No equivalent detailed requirement | Create specialised flows. |
| Retention & Erasure | Purpose completion → erase; Third Schedule (3-year inactivity + 48hr notice); Seventh Schedule (1-year mandatory retention) | Retain only as long as necessary | Fully re-map retention schedule. |
| Breach Notification | Immediate to users + immediate to DPB + detailed 72-hour follow-up | 72 hours to supervisory authority; user notification risk-based | Build dual notification workflows. |
| Cross-Border Transfers | Blacklist model (Schedule V); sector localisation unchanged | Free flow if safeguards exist | Review hosting, cloud vendors & contracts. |
| Processor Contracts | Must use DF/DP terminology; DPDP-specific clauses | Controller/Processor clauses | Rewrite contracts + add DPDP-specific obligations. |
| Log Retention | 1 year (default); 3 years for large platforms (Schedule VI) | No fixed duration | Update logging & SIEM retention. |
| SDF (Significant Data Fiduciary) | DPO to Board, DPIA, audits, algorithmic due diligence | No equivalent designation | Assess SDF likelihood early. |
| Enforcement | DPB (digital-first), penalties up to ₹250 crore | Supervisory authorities, GDPR fines | Strengthen evidence, templates, timelines. |
Already GDPR or ISO 27701 Compliant? Here’s What You Still Need to Fix for DPDP Act 2023 & Rules 2025
Many organisations assume that having GDPR compliance—or even a mature ISO/IEC 27701 PIMS—means they are largely ready for the DPDP Act. Unfortunately, that’s not true.
DPDP introduces India-specific duties, formats, notices, UX expectations, retention rules, breach timelines and record-keeping requirements that do not exist under GDPR. What you already have becomes a helpful foundation, but not a substitute.
Here is the exact list of what GDPR-aligned organisations must change before DPDP deadlines.
1. Re-map All Legal Bases (No “Legitimate Interest” in DPDP)
Under GDPR, many processes rely on Legitimate Interest.
DPDP does not recognise this concept at all.
India uses strict “Legitimate Use” grounds (Section 7) that apply only when:
- the individual has voluntarily provided the data for a specified purpose
- processing is required by law
- processing arises in an employment context
- there is an emergency
- a judicial order requires it
- processing is needed for fraud prevention
Everything else — including analytics, personalisation, marketing, tracking, profiling — must go under explicit consent.
Action:
Create a DPDP-specific Legal Basis Register and re-map every processing activity.
2. Rewrite All Privacy Notices (Rule 3)
DPDP notices must be short, specific, itemised and bilingual.
GDPR-style broad or multi-purpose notices do not work.
Your new notices must include:
- identity & contact of the Data Fiduciary
- itemised list of personal data collected
- a single, specific purpose
- rights under DPDP
- easy consent withdrawal
- grievance officer details
- language options (English + 8th Schedule language)
Action:
Rewrite all web/app notices, banners, onboarding messages and data capture journeys.
3. Tighten Consent UX (Section 6)
DPDP requires consent to be:
- free
- specific
- informed
- unambiguous
- unconditional
- recorded
- withdrawal-friendly (“equal ease”)
This invalidates GDPR practices like:
- pre-ticked boxes
- “by continuing you agree” banners
- bundled consent
- vague consent buried in T&C
Action:
Design simpler consent and withdrawal UX, backed by audit-ready logs.
4. Build New DPDP-Specific Records & Registers
GDPR RoPA is not enough.
You need to add:
A. Section-7 Legitimate Use Register
Must track:
- purpose
- voluntary provision
- absence of refusal
- data minimisation
- safeguards applied
B. Updated Processing Inventory
Include:
- DF/DP roles
- India-territory link
- retention + schedule mapping (Third, Sixth, Seventh)
- SDF indicators
Action:
Extend your RoPA to include DPDP fields.
5. Update Breach Governance (Dual Notification)
DPDP breach rules differ significantly from GDPR:
- Immediate notice to affected individuals
- Immediate notice to DPB, followed by a detailed report within 72 hours
- Log retention:
  - 1 year for all
  - 3 years for large platforms (Schedule VI)
Action:
Rewrite breach runbooks + templates + escalation matrix.
6. Implement India’s Retention & Erasure Logic (Rule 6 + Schedules)
GDPR uses “store as long as necessary”.
DPDP is much more specific.
You must implement:
- Purpose completion logic (Section 8(7))
- 1-year log retention (Schedule VI)
- 3-year inactivity + 48-hour pre-erasure notice for large e-commerce, gaming, and social media platforms (Third Schedule)
- 1-year mandatory retention for sovereign/statutory functions (Seventh Schedule)
Action:
Rebuild your retention policy to include Act + Rules + Schedules.
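The retention logic described in this section, encoded as a decision function; this is an added illustration, not code from the article. The record fields, the precedence order (statutory hold, then purpose completion, then inactivity), counting the Seventh Schedule hold from the collection date, and the fixed reference clock are assumptions made for the example.

```python
# Added example: encodes the DPDP retention rules listed above (Section 8(7), Third,
# Sixth and Seventh Schedules). Field names, precedence and the hold start date are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=3 * 365)     # Third Schedule: 3 years of inactivity
PRE_ERASURE_NOTICE = timedelta(hours=48)       # Third Schedule: 48-hour notice before erasure
STATUTORY_RETENTION = timedelta(days=365)      # Seventh Schedule: 1-year mandatory retention
LOG_RETENTION_DEFAULT = timedelta(days=365)    # Schedule VI: 1 year for everyone
LOG_RETENTION_LARGE = timedelta(days=3 * 365)  # Schedule VI: 3 years for large platforms

@dataclass
class Record:
    purpose_complete: bool            # Section 8(7): the stated purpose has been served
    last_activity: datetime           # last interaction by the Data Principal
    large_platform: bool              # Third Schedule class: e-commerce, gaming, social media
    statutory_function: bool          # Seventh Schedule: sovereign/statutory processing
    collected_at: datetime
    notice_sent_at: Optional[datetime] = None  # when the 48-hour pre-erasure notice went out

def retention_decision(rec: Record, now: datetime) -> str:
    """Return RETAIN, NOTIFY or ERASE for one record at time `now`."""
    # Statutory retention overrides erasure ("erasure subject to statutory retention").
    if rec.statutory_function and now < rec.collected_at + STATUTORY_RETENTION:
        return "RETAIN"
    # Section 8(7): once the purpose is complete the data must be erased.
    if rec.purpose_complete:
        return "ERASE"
    # Third Schedule: large platforms erase after 3 years of inactivity, but only once
    # the 48-hour notice to the user has run its course.
    if rec.large_platform and now - rec.last_activity >= INACTIVITY_LIMIT:
        if rec.notice_sent_at is None:
            return "NOTIFY"
        return "ERASE" if now - rec.notice_sent_at >= PRE_ERASURE_NOTICE else "RETAIN"
    return "RETAIN"

def log_retention_period(large_platform: bool) -> timedelta:
    """Schedule VI log-retention window for the SIEM / audit store."""
    return LOG_RETENTION_LARGE if large_platform else LOG_RETENTION_DEFAULT

def scenario(days_inactive: int, large: bool, purpose_done: bool, statutory: bool,
             days_since_collection: int = 0, hours_since_notice: Optional[int] = None) -> str:
    """Build a constructed record relative to a fixed clock and return the decision."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    notice = now - timedelta(hours=hours_since_notice) if hours_since_notice is not None else None
    rec = Record(purpose_done, now - timedelta(days=days_inactive), large, statutory,
                 now - timedelta(days=days_since_collection), notice)
    return retention_decision(rec, now)
```

Running `scenario(4 * 365, True, False, False)` returns `NOTIFY`, and the same record 49 hours after the notice returns `ERASE`; a record under a live Seventh Schedule hold returns `RETAIN` even when its purpose is complete.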
7. Build Special Workflows for Children & Persons With Disability (PWD)
India imposes stricter requirements than GDPR:
- verifiable parental consent
- no behavioural tracking
- no profiling
- no targeted advertising
- exceptions only for real-time safety (Schedule IV)
- guardian verification for PWD under RPwD / National Trust rules
Action:
Implement standalone flows for child and PWD data.
8. Update DSAR (Rights) Workflows for India
DPDP rights differ from GDPR:
- 90-day SLA (not 30)
- nomination right (post-death or incapacity)
- local verification requirements
- erasure subject to statutory retention
Action:
Re-map your DSAR workflows to DPDP’s rights and timelines.
9. Rewrite Vendor / Processor Contracts (DF/DP Roles)
GDPR-style DPA clauses are insufficient.
Add DPDP-specific clauses:
- DF/DP terminology
- 1-year log retention
- DPDP-aligned breach cooperation
- DF support for rights + erasure
- limits on sub-processing
- cross-border transfer limits (Schedule V)
- sectoral localisation (RBI/IRDAI rules continue to apply)
Action:
Update all vendor contracts, cloud/SaaS agreements, and DPAs.
10. Prepare for SDF Designation (High Volume / High-Risk Entities)
If your organisation is likely to be designated an SDF, you must add:
- DPO reporting directly to the Board
- annual independent privacy audit
- DPIA
- algorithmic due-diligence (for AI/ML)
- possible localisation directives