The DPDP Act 2023 and the EU GDPR share principles like consent, rights and accountability, but differ in 2026: the DPDP Act is narrower (digital personal data only), uses different terminology (Data Fiduciary/Principal), emphasises Indian-language consent and data residency options, and is enforced by the Data Protection Board of India with penalties up to ₹250 Crore.
Shared DNA
Both laws require a lawful basis (consent being central), grant individuals rights, demand security and breach notification, and rest on accountability — so a mature GDPR programme is a strong head start.
Where they differ
The DPDP Act focuses on digital personal data, uses Indian terminology and roles, places strong emphasis on Indian-language notices and consent, and has its own penalty structure and regulator.
Running both
Global teams should build a harmonised programme to the strictest requirement and layer DPDP-specific elements — language, residency and Board notification — on top.
FAQ
No. While they share principles, the DPDP Act 2023 is narrower in scope, uses different terminology, emphasises Indian-language consent and data residency, and has its own regulator and penalty structure.