What this topic covers
GDPR was the model and DPDP is India's adaptation of it. The two share the consent-based architecture, the role definitions, the Data Principal rights and the breach-notification window. They diverge on cross-border transfers (DPDP: permissive default plus a negative list; GDPR: strict adequacy), on the age threshold for children's data (DPDP 18; GDPR 16, with Member-State variation), on legitimate-interest carve-outs (DPDP very narrow, GDPR broad) and on penalty math (DPDP per-default ceiling, GDPR turnover-based).
A useful video on this topic should not just list differences; it should explain the operational implications for an Indian startup serving both regions. Most startups can run a single privacy programme that satisfies both laws if they treat DPDP as the controlling regime for India users and overlay the GDPR-only obligations (turnover-based penalties, the DPO threshold, Article 30 records of processing activities (RoPA)) where they apply.
Where a single overlay fails: children's data and cross-border defaults. The age gap (18 vs 13–16) forces region-specific age-verification and consent logic. India's permissive Section 16 means Indian users' data can ship to AWS us-east-1 by default, whereas GDPR requires SCCs or an adequacy decision before the same transfer. These are the two places where a 'one programme to rule them all' approach genuinely doesn't work.
Points a complete video on this topic should cover
- Shared architecture: consent, roles, rights, breach notification
- Cross-border: permissive default (DPDP) vs adequacy decisions (GDPR)
- Children's data: 18 (India) vs 13–16 (EU)
- Penalty math: per-default ceiling vs turnover-based
- Legitimate-interest carve-outs (narrow vs broad)
- How to run a single privacy programme that satisfies both
- Where region-specific logic is unavoidable
Relevant sections of the DPDP Act / Rules
- Whole Act vs GDPR Articles 1–99