From GDPR to DPDPA: Lessons for Indian Compliance Teams

India's data protection law borrows concepts from GDPR but has distinct requirements. For organisations already GDPR-compliant, here's what's different and what's new.

Organisations that have already invested in GDPR compliance have a head start with DPDPA, but assuming the two frameworks are interchangeable is a costly mistake. While DPDPA borrows foundational concepts like purpose limitation and consent-based processing from GDPR, it introduces distinct requirements that demand specific attention.

Key Differences

DPDPA takes a simpler, principle-based approach compared to GDPR's prescriptive rules. Where GDPR defines six lawful bases for processing, DPDPA relies primarily on consent and the "certain legitimate uses" defined in the Act. DPDPA also does not distinguish between a data controller and a data processor in the way GDPR does; instead, it places primary accountability on the Data Fiduciary.

Cross-border data transfer rules differ significantly. GDPR uses adequacy decisions and standard contractual clauses, while DPDPA employs a negative list approach: data can flow to any country except those specifically restricted by the government. This simplifies compliance for global organisations but introduces uncertainty about future restrictions.

What GDPR-Compliant Organisations Should Do

Start by mapping your existing GDPR controls to DPDPA requirements. Many controls, such as data mapping, consent management, and breach notification, will carry over with modifications. Pay special attention to consent mechanisms, which must be restructured to meet DPDPA's specific requirements, and to data principal rights, which differ in scope and timelines from GDPR's data subject rights.

Practical Recommendations

Maintain separate compliance documentation for each framework rather than trying to create a single unified program. Appoint someone with specific DPDPA expertise to your privacy team. Invest in automation tools that can manage compliance across multiple jurisdictions simultaneously, reducing the overhead of maintaining parallel programs.