
DPDPA vs GDPR: A Provision by Provision Comparison for Multinational Compliance Teams

Anandaday Misshra, November 2025

Multinational compliance teams make a consistent error. They assume DPDPA compliance can be derived from existing GDPR programmes. It cannot. India did not copy GDPR. India built a sovereign data protection architecture that shares GDPR's philosophical ancestry but diverges in structure, enforcement, and operational requirements at nearly every critical juncture.

GDPR compliance does not equal DPDPA compliance. The assumption that it does is the most expensive mistake a multinational can make in India.

Architectural divergence: rights-based vs. obligation-based

GDPR is fundamentally a rights-based regulation. It codifies data subject rights and constructs obligations around protecting those rights. DPDPA is fundamentally an obligation-based statute. It codifies Data Fiduciary obligations and constructs data principal rights around those obligations. The difference is not semantic. It determines where compliance effort must concentrate.

Under GDPR, the compliance programme begins with mapping data subject rights and building processes to fulfil them. Under DPDPA, the compliance programme begins with mapping Data Fiduciary obligations under Sections 4 through 10 and building evidence that each obligation is operationalised.

Consent: the critical divergence

GDPR provides six lawful bases for processing under Article 6: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. DPDPA provides two: consent under Section 6 and certain legitimate uses under Section 7. There is no legitimate interests basis under DPDPA.

This single difference invalidates a significant portion of GDPR-based processing architectures when applied to Indian data. If your GDPR programme processes Indian customer data under the legitimate interests basis — marketing analytics, fraud prevention beyond contractual obligation, employee monitoring — that processing has no lawful basis under DPDPA. It must be restructured around consent or discontinued.

Provision-by-provision mapping

Lawful Processing: GDPR Article 6 provides six bases. DPDPA Section 6 (consent) and Section 7 (certain legitimate uses) provide two. Gap: legitimate interests, public interest, and vital interests processing under GDPR has no equivalent DPDPA basis.

Consent Requirements: GDPR Article 7 requires demonstrable consent. DPDPA Section 6 requires consent that is "free, specific, informed, unconditional and unambiguous" with an itemised notice under Section 5. Gap: DPDPA's "unconditional" requirement means consent cannot be bundled with terms of service — a practice common under GDPR.

Children's Data: GDPR Article 8 sets the age at 16 (member states may lower it to 13). DPDPA Section 9 sets the age at 18, with verifiable parental consent required. Gap: any processing of 13-17-year-olds' data that is lawful under GDPR may be unlawful under DPDPA without parental consent.

Data Principal Rights: GDPR provides eight rights (access, rectification, erasure, restriction, portability, objection, automated decision-making, withdrawal). DPDPA Sections 11-14 provide five rights (access, correction, erasure, grievance redressal, nomination). Gap: no data portability right under DPDPA, but India adds a unique nomination right for deceased individuals.

Breach Notification: GDPR Article 33 requires notification to supervisory authority within 72 hours. DPDPA Section 8(6) requires notification to both the Data Protection Board and affected Data Principals "without delay" — the Rules specify the form and manner. Gap: DPDPA mandates direct notification to Data Principals in all cases; GDPR only requires this when the breach is "likely to result in a high risk."

Cross-Border Transfers: GDPR Chapter V uses adequacy decisions, SCCs, BCRs, and derogations. DPDPA Section 16 uses a blacklist approach — transfers to all jurisdictions are permitted unless specifically restricted by government notification. Gap: entirely different architectural approach requiring different compliance mechanisms.

Penalty Structure: GDPR uses revenue-based penalties: up to 4% of global annual turnover or €20 million. DPDPA uses absolute caps: up to ₹250 Crores for security safeguard failures. Gap: for large multinationals, GDPR penalties are typically higher; for Indian mid-market companies, DPDPA penalties can be existentially threatening.

DPO Requirement: GDPR Article 37 requires DPO appointment for public authorities and for entities conducting large-scale monitoring or processing sensitive data. DPDPA Section 10 requires a DPO only for Significant Data Fiduciaries as notified by the government. Gap: GDPR DPO obligations are broader in scope; DPDPA DPO obligations are deeper in accountability.

The dual-compliance architecture

For multinationals operating in both jurisdictions, the compliance programme must be dual-track. A single unified programme will create gaps in one jurisdiction or the other. The consent architecture must satisfy both GDPR's demonstrability standard and DPDPA's unconditional standard. Breach notification must satisfy both GDPR's 72-hour supervisory authority window and DPDPA's dual-notification mandate. Children's data processing must apply the higher threshold — age 18 with verifiable parental consent — globally, unless jurisdiction-specific processing can be architecturally segregated.

"The multinational that treats DPDPA as a GDPR derivative will discover the gaps during enforcement, not during compliance planning. By then, the cost of remediation includes the penalty."
— Anandaday Misshra

Build two programmes. Run them in parallel. Map the gaps between them quarterly. That is the only architecture that survives dual-jurisdiction scrutiny.
