India’s DPDP Act 2023: What Changed, What’s Enforced, and How It Compares to GDPR
Welcome to the first episode in our Global Data Protection Regulations podcast series. Dr Maria Maloney, Head of Research, and Katie Barch, Data Protection Legal Specialist, explain the India Digital Personal Data Protection Act, 2023 (DPDP Act), and what it means for organisations processing digital personal data linked to individuals in India.
The episode begins with the “why now”. Key provisions started taking effect in November 2025, with phased milestones through 2026 and 2027. Maria and Katie translate DPDP terminology into familiar concepts, including data principals (similar to data subjects) and data fiduciaries (similar to controllers). They also clarify the Act’s digital-only scope, compared with the GDPR’s broader coverage that can include certain paper-based records.
You will get a practical walkthrough of DPDP’s core building blocks: lawful processing, notices and consent, data principal rights, fiduciary obligations, breach notification, and enforcement. The discussion highlights differences from GDPR, including no “legitimate interests” basis and no special category data framework. Instead, DPDP applies a consistent standard across personal data, while additional duties can apply based on risk and scale through the concept of a significant data fiduciary.
Children’s privacy is a standout focus. DPDP sets a uniform under-18 threshold, requires verifiable parental or guardian consent, and restricts tracking, behavioural monitoring, and targeted advertising directed at children. Cross-border transfers are another key divergence. DPDP follows a blacklist model that generally permits transfers unless a destination is prohibited by the government.
Finally, the episode offers guidance for GDPR-mature organisations. You may be partway there, but you still need a DPDP gap analysis covering lawful basis mapping, consent language, children’s safeguards, significant fiduciary duties, grievance handling, vendor contracts, and transfer governance. The goal is to be ready early and avoid rushed compliance when enforcement powers activate across products, teams, and regions.