Does GDPR-Compliant Automatically Mean DPDPA-Compliant?

By: Aman Varma
Update: 2026-02-24 04:30 GMT



While GDPR is often regarded as a global benchmark, the DPDPA introduces India-specific obligations that cannot be addressed through a direct transposition of existing GDPR or PDPA compliance frameworks.

Introduction

India formally enforced the Digital Personal Data Protection Act, 2023 (DPDPA) on November 14, 2025. The Act applies horizontally to all entities operating in India across both B2B and B2C contexts where personal data is processed, irrespective of the scale of such processing.

For multinational companies (MNCs), compliance with India’s DPDPA requires special attention. Many MNCs already operate under well-established privacy regimes such as the EU’s GDPR (in force since 2018) or Singapore’s Personal Data Protection Act (PDPA) (applicable since 2012). As a result, it is common for MNCs to assume that their existing GDPR- or PDPA-aligned frameworks can be seamlessly extended to India.

This assumption, however, is misplaced. While GDPR is often regarded as a global benchmark, the DPDPA introduces India-specific obligations that cannot be addressed through a direct transposition of existing GDPR or PDPA compliance frameworks. MNCs must design and implement a compliance approach that is calibrated to the Indian law.


Consent as the primary basis for processing

The fundamental divergence between the GDPR and the DPDPA lies in the legal basis for processing personal data. GDPR permits processing of personal data on multiple grounds, including consent, contractual necessity, legal obligation, protection of vital interests, public interest, official authority, or legitimate interests of the controller.

Under the DPDPA, however, consent is the sole legal basis for processing personal data. As a result, consent management becomes a central compliance obligation, requiring substantive changes to system architecture and auditability.

Organizations will need to embed consent management directly into their digital systems and maintain detailed metadata logs, including timestamps, user identifiers, purpose identifiers, and the status of consent (grant, withdrawal, or revocation). In practice, organizations need to have a granular, traceable, and auditable consent management process under DPDPA.

The Government of India’s Business Requirement Document (BRD) for Consent Management (2025) [1] makes it clear that consent artefacts must be capable of being logged, retrieved, and produced on demand. This will require changes to organizations’ backend systems, mobile applications, and websites, especially for organizations that currently rely on static privacy notices or region-agnostic consent tools.

For many global MNCs, India-specific consent flows covering purpose-wise consent, layered notices, and withdrawal mechanisms will need to be designed and built separately rather than reused from their other jurisdictions. Consent under DPDPA is therefore not just a policy exercise, but an IT and product design (UI/UX) [2] challenge.
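The consent log described in this section, sketched as an added example (not code from the article or from the BRD). The record fields and status values follow the article; the class and method names and the SHA-256 hash chain used for tamper evidence are assumptions made here.

```python
import hashlib
import json
from datetime import datetime, timezone

STATUSES = {"grant", "withdrawal", "revocation"}  # status values named in the article

class ConsentLedger:
    """Append-only consent log; the hash chain is an added assumption."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id, purpose_id, status, ts=None):
        if status not in STATUSES:
            raise ValueError(f"unknown consent status: {status}")
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "purpose_id": purpose_id,
            "status": status,
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def is_permitted(self, user_id, purpose_id):
        """Purpose-wise check: only the latest event for this pair counts."""
        for e in reversed(self.entries):
            if (e["user_id"], e["purpose_id"]) == (user_id, purpose_id):
                return e["status"] == "grant"
        return False  # no record means no consent

    def export(self, user_id):
        """Produce every consent artefact held for one user on demand."""
        return [e for e in self.entries if e["user_id"] == user_id]

    def verify(self):
        """Recompute the chain; False if any entry was edited or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Because a withdrawal is appended rather than overwriting the grant, the export shows the full history for a purpose, and `verify()` fails if any stored entry is altered afterwards.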


Children’s data processing

The treatment of children’s personal data presents another key divergence. Under the GDPR, a child is generally defined as someone between 13 and 16 years of age, with EU Member States having discretion to set the precise threshold within this range. Processing children’s data typically requires verifiable parental consent, and platforms often implement age-gating mechanisms accordingly.

In contrast, the DPDPA defines a child as any individual below 18 years of age. This will require the implementation of verification tools, age-detection mechanisms, and parental consent workflows, which must all be adjusted to align with the Indian standard.

From a practical standpoint, organizations will need to implement India-specific age-gating mechanisms, particularly for platforms offering digital services such as apps, gaming, ed-tech, and content services. Under the DPDP framework, age determination primarily operates on a self-declaratory model, typically through user or parent declarations captured at the interface level. Once a user is identified as a child through such self-declaration, Rule 10 of the DPDP Rules, 2025 becomes operative, triggering the requirement to obtain verifiable parental consent in the manner prescribed under the DPDP Rules, 2025.

From an implementation perspective, this means that organisations must design systems where a self-declaration is not the endpoint but the trigger for downstream compliance workflows, including parental consent capture, backend tagging of child accounts, and automated restrictions on prohibited processing such as profiling, behavioural tracking, or targeted advertising. For global platforms, this necessitates redesigning India-facing user journeys and consent architectures to ensure that child-specific protections are activated seamlessly once verifiable parental consent compliance is triggered.
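The "declaration as trigger" design described above, as an added example that is not part of the original article. The 18-year threshold and the restricted purposes come from the article; the account fields, function names and task name are hypothetical, and the parental-consent verification itself is assumed to happen in a separate flow that reports only its outcome.

```python
from dataclasses import dataclass, field

CHILD_AGE_LIMIT = 18  # article: DPDPA treats anyone below 18 as a child
# Processing the article lists as restricted for child accounts
BLOCKED_FOR_CHILDREN = {"profiling", "behavioural_tracking", "targeted_advertising"}
PARENTAL_TASK = "capture_verifiable_parental_consent"  # hypothetical workflow name

@dataclass
class Account:
    user_id: str
    is_child: bool = False
    parental_consent_verified: bool = False
    pending_tasks: list = field(default_factory=list)

def on_age_declared(account, declared_age):
    """Self-declaration is the trigger: tag the account and queue the workflow."""
    if declared_age < CHILD_AGE_LIMIT and not account.is_child:
        account.is_child = True
        account.parental_consent_verified = False
        account.pending_tasks.append(PARENTAL_TASK)
    return account

def on_parental_consent(account, verified):
    """Called by the (out-of-scope) verification flow with its outcome."""
    if account.is_child and verified:
        account.parental_consent_verified = True
        if PARENTAL_TASK in account.pending_tasks:
            account.pending_tasks.remove(PARENTAL_TASK)
    return account

def may_process(account, purpose):
    """Child-specific gate; returns (allowed, reason) for the audit trail."""
    if not account.is_child:
        return True, "not tagged as child"
    if purpose in BLOCKED_FOR_CHILDREN:
        return False, "purpose restricted for child accounts"
    if not account.parental_consent_verified:
        return False, "verifiable parental consent pending"
    return True, "parental consent verified"
```

This gate covers only the child-specific checks; the purpose-wise consent check for every account still applies separately.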

Breach management and reporting

Breach management under the DPDPA is more expansive in certain respects. The GDPR follows a risk-based approach, requiring notification only where a breach is likely to result in a risk to the rights and freedoms of individuals. In practice, this allows some low-impact or internal incidents to be documented without external reporting.

The DPDPA, on the other hand, defines a personal data breach broadly, which raises the compliance threshold for organizations. Organizations will be required to appoint India-based personnel responsible for initial breach assessment, internal escalation, and front-ending communication with the Data Protection Board of India. Delays in assessing the criticality of the issue in India by the global headquarters could compromise timelines and lead to regulatory penalties in India.

Organizations should therefore prepare India-specific breach notification templates both for the Data Protection Board and affected data principals and align internal timelines with Indian regulatory expectations, which may differ from EU or APAC processes. Equally important is defining ownership for remedial actions prescribed by the Data Protection Board and ensuring local teams/personnel are empowered to execute them swiftly as required under the Rules.

Breach management under the DPDPA is not just a policy exercise; it is about clear accountability, local decision-making, and execution readiness.

Conclusion

MNCs should not assume that compliance with GDPR or other established data protection regimes automatically translates into compliance with India’s DPDPA. Despite being technology-agnostic, the DPDPA differs in several material respects, from consent architecture to children’s data thresholds and breach reporting obligations.

MNCs that rely exclusively on existing global templates risk regulatory non-compliance and potential penalties. Organizations need to consider a deliberate, India-focused compliance strategy, one that reassesses business processes, technical systems, and implements DPDPA-specific governance frameworks rather than treating Indian compliance as a peripheral extension of the global framework.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.

[1] Available here: https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/8d5409f5-d26c-4697-b10e-5f6fb2d583ef.pdf
[2] User Interface and User Experience


By: - S. Chandrasekhar

S. Chandrasekhar is the MD & CEO of K&S Digiprotect Services Pvt. Ltd., leading privacy, data protection, and regulatory advisory, including audits and compliance delivery. A DSCI-Certified Data Privacy Lead Assessor and IAPP CIPM, he previously spent 9+ years at Microsoft in Regulatory Affairs, supporting government cloud adoption and digital policy engagements. He brings strong implementation and governance expertise to build audit-ready privacy and security programs.

By: - Aman Varma

Aman Varma is a tech lawyer and Senior Manager – Legal & Regulatory Affairs at K&S Digiprotect, specializing in data protection and digital regulation across technology, telecom, and media. He advises organizations on DPDPA and GDPR compliance, cross-border data transfers, intermediary obligations under the IT Act, 2000, and end-to-end privacy governance.

By: - Sudeshna Banerjee

Sudeshna Banerjee is a Partner at K&S Partners and a seasoned intellectual property attorney with 16+ years of experience in trademarks, copyrights, and digital-era brand protection. She holds an LL.B from Calcutta University, is a DSCI-certified Privacy Lead Assessor (DCPLA©), and is admitted to the Bar. She advises clients on prosecution, advisory, and transactional matters before the Trade Marks Registry, WIPO, and NIXI, providing clients with a technology-focused IP strategy.
