By Sakshi Kharkar

The Digital Personal Data Protection Act (DPDPA) was enacted in 2023 and there have been conversations about the Act since. To provide further clarification, the Indian Government released rules on 13th November 2025. Companies in India now have 16 months to comply with the DPDPA read with the rules.

While privacy professionals gear up to assist companies in complying with the Act, below are some of the key differences between the EU General Data Protection Regulation (GDPR) and the DPDPA that professionals and organisations should be aware of.

Some key terms that you can look out for if you are familiar with the GDPR are:

  • Data Fiduciary is the equivalent of a Data Controller (an organisation or person that decides what to do with your data: the purpose of the processing and how the data is stored and used). The DPDPA also introduces the novel concept of a Significant Data Fiduciary, which the GDPR does not have.
  • Data Principal is the same as Data Subject (which could be you or me).

Scope

Scope is one of the critical areas where the DPDPA diverges from the GDPR. The DPDPA applies only to digital personal data. If an organisation processes personal data in physical form and holds hard copies of it, the DPDPA will not apply to that personal data. The GDPR, on the other hand, applies to all personal data processed by the Data Controller. Equal importance is given to both physical and digital data, and controls must be in place to protect both.

Whilst I can understand the shift to digital personal data, this does leave some personal data exposed, and people within India need to be aware of it. A physical copy of my loan application form with my personal details lying on the desk of a bank employee will not have any protection under the DPDPA.

The DPDPA also does not apply to most business process outsourcing (BPO). If Chanel were to outsource some parts of its payroll processing to Accenture in India, the DPDPA would apply only to the Indian citizens it employs, whereas the GDPR would apply to all of the outsourced processing.

Lawfulness

One of the fundamentals of data privacy legislation is the legal grounds on which an organisation can collect, use and store personal data. While the GDPR has six lawful bases for processing personal data, the DPDPA relies heavily on consent as the primary basis for processing. There is a further set of "certain legitimate uses" (which include legal obligation, vital interest and employment purposes), but these do not map readily onto the GDPR's lawful bases.

As a privacy professional, I foresee several challenges with this approach. Managing consent for each purpose of processing will be a tedious task for companies. This is exceptionally challenging given the large number of data principals that even smaller businesses cater to.

Businesses will find it impossible to carry out simple tasks if consent is withdrawn for a particular process. If I were to withdraw consent for an Indian bank to process my personal data, the bank would struggle to complete a transaction moving my money to another bank account.

Consent Management

The DPDPA mandates registration of a consent manager with the Data Protection Board of India by 13th November 2026. The designated consent manager will be accountable to the individual for collecting and managing consent for all processes in which personal data is collected. There is still a lack of clarity about who these consent managers will be (and who will pay for them).

Since the Act and the rules lack clarity around consent management and managers, companies are naturally a little confused about how consent management will play out.

Special Category Data

The DPDPA does not define special category or sensitive data and applies a uniform level of protection to all personal data. The GDPR, by contrast, defines special category data as data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Greater protection is required for special category data.

Because the DPDPA does not provide greater protection for sensitive personal data, such categories of personal data are exposed to greater risk. As an individual, I would be much more at ease knowing that my health information has a higher level of protection and cannot be accessed as easily as my name or email address.

Data Subject Rights

The DPDPA gives the individual the right to be informed of the personal data being processed. Individuals also have the right to correct, complete, update or delete their personal data processed by the data fiduciary.

Individuals will have the right to grievance redressal and the right to nominate another individual to act in the event of the data principal's death. Unlike the GDPR, the DPDPA does not give the individual the right to restrict processing, the right to data portability, the right to object, or the rights related to automated decision-making and profiling.

If my personal data were processed solely by an AI system, under the DPDPA I would not be able to object to that processing. This is concerning, as there would be no human behind the system monitoring the process.

While the rules have provided some clarity on compliance dates, it will be very interesting to watch how aspects of the DPDPA play out, especially once the Data Protection Board is appointed. If you are intrigued and want to speak to us, drop us a line at info@securys.in.

If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.