GDPR Vs India's DPDPA: Key Differences And Compliance Implications

This is one of the most frequently asked questions right now in the cybersecurity and data privacy communities: how does the GDPR compare with India's DPDPA, and if we are already GDPR compliant, do we still need to comply with the DPDPA? Here I bring you the comparison for ease of use and understanding. The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation that applies across the European Union (EU) and the European Economic Area (EEA). It became applicable on May 25, 2018, replacing the Data Protection Directive 95/46/EC. The GDPR is designed to harmonize data privacy law across Europe, strengthen the protection of individuals' personal data, and reshape the way organizations approach data privacy.

Key features and principles of the GDPR include:

  1. Consent: Where consent is the lawful basis relied on, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Explicit consent is required for special categories of data (health, biometrics, and so on).
  2. Territorial Scope: The GDPR applies to the processing of personal data of individuals in the EU, regardless of where the processing takes place. It also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU.
  3. Data Protection Officer (DPO): Certain organizations are required to appoint a Data Protection Officer to ensure compliance with the GDPR.
  4. Data Subject Rights: The GDPR grants individuals several rights, including the right to access their data, rectify inaccuracies, erase data (right to be forgotten), restrict processing, and data portability.
  5. Privacy by Design and Default: Privacy considerations must be integrated into the design and operation of systems and processes from the outset.
  6. Data Breach Notification: Organizations must report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and must notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
  7. Cross-Border Data Transfer: The GDPR regulates the transfer of personal data outside the EU and EEA, requiring an adequacy decision or specific safeguards (such as Standard Contractual Clauses or Binding Corporate Rules) to ensure an equivalent level of protection.
  8. Data Protection Impact Assessment (DPIA): Organizations must conduct a DPIA for processing operations that are likely to result in high risks to individuals' rights and freedoms.
  9. Penalties for Non-Compliance: The GDPR imposes significant fines for non-compliance, with penalties of up to 4% of the global annual turnover or €20 million, whichever is higher.

The GDPR aims to give individuals greater control over their personal data and establish a unified framework for data protection across the EU. Organizations that process personal data are required to comply with the GDPR's provisions to ensure the privacy and security of individuals' information.

What is India's Digital Personal Data Protection Act, DPDPA?

In the words of its preamble, it is "an Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto". The Act received the assent of the President of India on 11 August 2023; its provisions come into force on the dates notified by the Central Government, and much of the operational detail is left to rules to be made under it.

Key Act Provisions on Data Protection & Disposal

Some of the key provisions, as highlighted by the Indian Digital Personal Data Protection Act, include:

  • Scope (Section 3): the Act applies to the processing of digital personal data within India, whether the data was collected in digital form or collected offline and later digitised, and to processing outside India in connection with offering goods or services to Data Principals within India.
  • Grounds for processing (Chapter II, Section 4): personal data may be processed only for a lawful purpose, and only with the consent of the Data Principal (the individual to whom the data relates) or for one of the "legitimate uses" listed in Section 7. Legitimate uses include data the individual has voluntarily provided for a specified purpose, and processing by the State to provide a subsidy, benefit, service, licence, permit or certificate; in those cases separate consent is not required. A Data Fiduciary is defined in Section 2 as any person who, alone or in conjunction with others, determines the purpose and means of processing personal data.
  • General obligations of Data Fiduciaries (Chapter II, Section 8): a Data Fiduciary is responsible for compliance with the Act irrespective of any contract with a Data Processor. It must ensure the completeness, accuracy and consistency of personal data used for decisions about the individual, implement reasonable security safeguards to prevent a personal data breach, and, on a breach, notify the Data Protection Board and each affected Data Principal.
  • Processing personal data of children (Chapter II, Section 9): before processing the personal data of a child (a person under 18) or of a person with a disability who has a lawful guardian, the Data Fiduciary must obtain the verifiable consent of the parent or lawful guardian. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited.
  • Erasure (Section 8(7)): the Data Fiduciary must erase personal data, and cause its Data Processors to erase it, as soon as the Data Principal withdraws consent or it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is required by a law in force.
  • Rights and duties of Data Principals (Chapter III): Data Principals are given the following rights.
    1. Right to access information about the personal data being processed (Section 11).
    2. Right to correction, completion, updating and erasure of personal data (Section 12).
    3. Right of grievance redressal (Section 13).
    4. Right to nominate another individual to exercise these rights in the event of the Data Principal's death or incapacity (Section 14).
  • Exemptions (Chapter IV, Section 17): the Central Government may, by notification, exempt instrumentalities of the State from the Act's provisions in the interests of sovereignty and integrity, security of the State, friendly relations with foreign states, maintenance of public order, or the prevention of incitement to offences. Processing for certain other purposes (for example prevention, detection and investigation of offences) is also exempt from most rights and obligations.
  • Establishment of the Board (Chapter V, Section 18): the Central Government establishes the Data Protection Board of India. The Board inquires into non-compliance, directs urgent remedial or mitigation measures when a personal data breach occurs, and imposes monetary penalties under the Act.

How to ensure Data Disposal is happening in Compliance With The Indian Digital Personal Data Protection Act?

As per Section 8(7), the law requires Data Fiduciaries to erase the personal data of Data Principals once it has served its specified purpose or consent has been withdrawn, unless a law requires it to be retained. A Data Fiduciary that fails to do so not only denies a major right of Data Principals, the right to correction and erasure, but also comes under the radar of non-compliance. To ensure compliance with the DPDP Act 2023 and provide adequate data protection, an organization should follow the checklist below:

  • Implement Data Disposal Policies: Chalk out a relevant and effective data disposal process aligned with the requirements of data disposal that complies with the law and helps avoid legal repercussions.
  • Data Identification, Classification, and Labeling: Determine which data falls within the scope of the DPDPA, i.e. digital personal data of identifiable individuals. Label it according to its sensitivity and record the specified purpose for which it was collected, because that purpose is what later decides when it must be erased.
  • Implement Data Retention Policies: Implement clear data retention policies that dictate the duration for which data can be stored before disposal.
  • Perform Secure Erasure: Use erasure methods that put the data beyond recovery, such as overwriting or cryptographically verified deletion on storage you control, and crypto-shredding (encrypting each individual's data under its own key and destroying the key) for data that also lives in backups or on third-party storage where physical wiping is not possible. Deleting a database row or file reference alone is not erasure.
  • Transparency with Data Principals: Notify the data principals whose information you process and are going to dispose of about the data disposal process. 
  • Ensure compliance with Third-party vendors: If your organization uses third-party services for data disposal, ensure they too follow the DPDP Act guidelines.
  • Frequently Review Data Disposal Process: Regularly review and update data disposal processes to align with any changes in DPDPA regulations.
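The checklist above states the retention and erasure requirement of Section 8(7) as policy. As an added illustration (this code is not from the original article or from any vendor's product), the following Python model shows the two mechanisms an engineering team would combine to implement it: retention periods bound to the specified purpose, enforced by a scheduled job, and crypto-shredding, where every Data Principal's records are encrypted under a per-principal key so that erasure is done by destroying the key and any surviving copy of the ciphertext (including in backups) becomes unreadable. The purposes, retention periods, sample records and the HMAC-based stream cipher are assumptions made for the example; in production, use AES-GCM from a vetted library and keep the per-principal keys in a KMS/HSM.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


def _ctr_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream from HMAC-SHA256 in counter mode.

    Illustrative stand-in for a real AEAD (assumption for this example;
    use AES-GCM in production). Symmetric: the same call encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    principal_id: str       # the Data Principal the record belongs to
    purpose: str            # the specified purpose it was collected for
    collected_at: datetime
    nonce: bytes
    ciphertext: bytes       # personal data is never stored in the clear


class PersonalDataStore:
    """Per-principal data-encryption keys plus purpose-bound retention (example design)."""

    def __init__(self, retention: dict[str, timedelta]) -> None:
        self.retention = retention          # purpose -> maximum retention period
        self.keys: dict[str, bytes] = {}    # principal_id -> key; this is what gets shredded
        self.records: list[Record] = []
        self.audit: list[str] = []          # evidence trail for auditors and the Board

    def store(self, principal_id: str, purpose: str, plaintext: bytes, collected_at: datetime) -> None:
        if purpose not in self.retention:
            # No retention period means no approved purpose: refuse rather than hoard.
            raise ValueError(f"no retention policy for purpose {purpose!r}")
        key = self.keys.setdefault(principal_id, os.urandom(32))
        nonce = os.urandom(16)
        ciphertext = _ctr_keystream_xor(key, nonce, plaintext)
        self.records.append(Record(principal_id, purpose, collected_at, nonce, ciphertext))

    def read(self, principal_id: str, purpose: str) -> bytes | None:
        key = self.keys.get(principal_id)
        if key is None:
            return None  # key shredded: any leftover ciphertext or backup copy is unrecoverable
        for r in self.records:
            if r.principal_id == principal_id and r.purpose == purpose:
                return _ctr_keystream_xor(key, r.nonce, r.ciphertext)
        return None

    def is_recoverable(self, principal_id: str) -> bool:
        return principal_id in self.keys

    def erase_principal(self, principal_id: str, reason: str) -> None:
        """Erasure on request (Section 12) or consent withdrawal: shred the key, drop the rows."""
        self.keys.pop(principal_id, None)
        self.records = [r for r in self.records if r.principal_id != principal_id]
        self.audit.append(f"erased {principal_id}: {reason}")

    def enforce_retention(self, now: datetime) -> tuple[int, list[str]]:
        """Scheduled Section 8(7) job: delete records whose purpose has been served.

        Returns (records deleted, principals whose key was shredded). A key is
        shredded only when none of that principal's records remain, so expiry
        of one purpose never destroys data still lawfully held for another.
        """
        keep: list[Record] = []
        expired: list[Record] = []
        for r in self.records:
            (expired if now - r.collected_at > self.retention[r.purpose] else keep).append(r)
        self.records = keep
        still_held = {r.principal_id for r in keep}
        shredded = sorted({r.principal_id for r in expired} - still_held)
        for pid in shredded:
            self.keys.pop(pid, None)
            self.audit.append(f"retention expired, key shredded: {pid}")
        return len(expired), shredded
```

The design choice worth noting is the separation between deleting a record and shredding a key: the retention job removes expired rows for a purpose, but only destroys the principal's key when no other purpose still justifies holding their data. A right-to-erasure request, by contrast, shreds the key immediately. Both paths write to the audit list, which is the evidence you will need when the Board asks how and when erasure happened.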

Penalties of the DPDP Act

Section 33, read with the Schedule to the Act, sets out the monetary penalties for breaching the DPDP Act or the rules under it. Failure to take reasonable security safeguards to prevent a personal data breach carries a penalty of up to ₹250 crore (roughly US$30 million at 2023 exchange rates); failure to notify the Board and affected Data Principals of a breach carries up to ₹200 crore; breach of the obligations relating to children carries up to ₹200 crore; and breach of the additional obligations of a Significant Data Fiduciary carries up to ₹150 crore. Breach of any other provision of the Act or its rules carries a penalty of up to ₹50 crore. The penalty is imposed by the Data Protection Board after giving the person an opportunity to be heard, and its amount depends on the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain realised or loss avoided, the mitigation undertaken, and proportionality.

Now let us look at the comparison between the GDPR and the DPDPA, topic by topic.

Scope
  • EU GDPR applies to:
    - Organizations with an establishment in the EU that process personal data in the context of that establishment.
    - Organizations not established in the EU that process personal data of individuals in the EU in connection with offering them goods or services, or monitoring their behavior.
  • India's DPDP Act applies to digital personal data (collected in digital form, or collected offline and later digitised) processed:
    - Within the territory of India.
    - Outside India, in connection with offering goods or services to Data Principals within India. There is no separate "monitoring of behavior" trigger.

Regulatory Framework
  • EU GDPR: a regulation directly applicable in every EU and EEA member state, setting comprehensive rules for the protection of personal data.
  • India's DPDP Act: a national statute regulating the processing of digital personal data, with much of the operational detail delegated to rules made by the Central Government.

Controllers, Fiduciaries and Processors
  • EU GDPR distinguishes between data controllers and data processors, with specific obligations for each.
  • India's DPDP Act uses the term "Data Fiduciary" for the entity that determines the purpose and means of processing (the counterpart of a controller) and "Data Principal" for the individual (the counterpart of a data subject). A Data Fiduciary is responsible for compliance irrespective of any contract with the Data Processors it engages, and processors have no direct statutory obligations of their own.

Treatment of Personal Data
  • EU GDPR differentiates between personal data and special categories of personal data (sensitive data), imposing stricter requirements on the latter.
  • India's DPDP Act treats all digital personal data in the same way; there is no separate category of sensitive personal data.

International Data Transfer
  • EU GDPR requires an adequacy decision or additional safeguards (Standard Contractual Clauses, Binding Corporate Rules) before personal data leaves the EU/EEA.
  • India's DPDP Act permits transfer to any country except those the Central Government restricts by notification (Section 16). It specifies no transfer mechanism of its own, and stricter sector-specific laws on data localisation continue to apply.

Lawful Basis of Processing
  • EU GDPR provides six lawful bases, including performance of a contract and the legitimate interests of the controller.
  • India's DPDP Act permits processing only with the Data Principal's consent or for one of the enumerated "legitimate uses" in Section 7. There is no general contract or legitimate-interest basis, so the set of non-consensual grounds is narrower than under the GDPR.

Consent Requirement
  • EU GDPR imposes a number of requirements for valid consent:
    - Consent must be freely given, specific and informed.
    - It must be granted by an unambiguous affirmative action.
    - Generally, the provision of a service cannot be made conditional on consent to processing that is not necessary for the service.
    - A request for consent must be distinguishable from any other terms and conditions.
    - Consent for separate processing purposes must be given separately.
    - Individuals may withdraw consent at any time "without detriment", and withdrawal must be as easy as giving consent.
  • India's DPDP Act (Section 6) requires consent to be:
    - Free, specific, informed and unambiguous, given by a clear affirmative action.
    - Unconditional, which implies that a service cannot be conditioned on consent to collect data the service does not need.
    - Limited to the personal data necessary for the specified purpose.
    - Capable of being withdrawn with ease comparable to that with which it was given.
    - Preceded by a notice in clear and plain language, available in English or any of the languages listed in the Eighth Schedule to the Constitution of India.

Principles
  • EU GDPR sets out seven principles in Article 5:
    - Lawfulness, fairness and transparency.
    - Purpose limitation.
    - Data minimization.
    - Accuracy.
    - Storage limitation.
    - Integrity and confidentiality.
    - Accountability.
  • India's DPDP Act has no single article listing principles, but its obligations embody the same ideas:
    - Lawfulness (Section 4).
    - Fairness and transparency through notice (Section 5).
    - Data minimization and purpose limitation (Sections 6 and 7).
    - Accuracy and integrity (Section 8).
    - Storage limitation (Section 8(7)).
    - Confidentiality through reasonable security safeguards (Section 8(5)).
    - Accountability of the Data Fiduciary (Section 8(1)).

Enforcement
  • EU GDPR is enforced by independent national supervisory authorities with investigative, corrective and rule-making powers, coordinated through the European Data Protection Board.
  • India's DPDP Act establishes the Data Protection Board of India, which adjudicates complaints, directs remedial measures on breaches and imposes penalties; all rule-making power rests with the Central Government.

Penalties
  • EU GDPR fines are capped at €20 million or 4% of worldwide annual turnover, whichever is higher, so for a large organization the cap scales with revenue.
  • India's DPDP Act sets fixed caps per breach, the highest being ₹250 crore (roughly US$30 million) for failing to implement reasonable security safeguards, with no turnover-linked tier. The fixed amounts are large, but for the biggest organizations a 4%-of-turnover GDPR fine can exceed them.

Governance
  • EU GDPR draws on the Charter of Fundamental Rights of the EU and has strong oversight by supervisory authorities.
  • India's DPDP Act relies on the fundamental right to privacy recognised by the Supreme Court of India in 2017 (Justice K.S. Puttaswamy v. Union of India) and opts for a simpler, business-friendly statute that leaves much to subordinate rules, which may lead to greater room for interpretation and uncertainty until those rules are notified.

In summary, both the GDPR and the DPDP Act are important regulatory requirements that organizations within their scope must comply with. Although the two share many commonalities in how they protect personal data, there are key differences that need to be noted and implemented accordingly. To answer the question raised at the start: a GDPR programme gives a strong head start on the DPDPA, but it does not by itself satisfy it, because of the differences in lawful bases, consent notices, breach notification to every affected individual, the absence of a sensitive-data category, and the penalty structure set out above.