India's Digital Personal Data Protection Act (DPDP) is finally in force. If you're an Indian health tech company eyeing the European market — or a European company expanding to India — you're now navigating two major data privacy regimes simultaneously.
The good news: GDPR and DPDP share DNA. Both are consent-driven, both protect individual rights, and both carry serious penalties.
The bad news: the differences are exactly where health tech companies get tripped up. Consent mechanisms, health data categorization, cross-border transfer rules, and children's data protections all diverge in ways that can block your launch or trigger enforcement.
Here's what actually matters for health tech founders expanding between India and Europe.
If you also operate in the US market, download our free HIPAA Compliance Checklist.
The Quick Comparison
| Area | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Scope | All personal data (digital + some offline) | Digital personal data only |
| Lawful Basis | 6 bases: consent, contract, legal obligation, vital interests, public interest, legitimate interests | Primarily consent + "certain legitimate uses" |
| Health Data | Special category — requires explicit consent + extra safeguards | No special category — uniform rules for all personal data |
| Children's Data | Parental consent under 16 (member states can lower to 13) | Parental consent under 18 — no behavioral profiling or targeting allowed |
| Data Portability | Explicit right to receive and transfer data | No data portability right |
| Cross-Border Transfers | Restricted — requires adequacy decisions, SCCs, or BCRs | Allowed by default, except to government-blacklisted countries |
| DPO Requirement | Required for health data processors at scale | Required for "Significant Data Fiduciaries" only |
| Breach Notification | 72 hours to supervisory authority | "Without delay" to Data Protection Board + affected individuals |
| Penalties | Up to 4% of global turnover or €20M | Up to ₹250 crore (~$30M) per violation |
| Compliance Deadline | In force since 2018 | Full compliance by May 13, 2027 |
Key deadline: Organizations must achieve full DPDP Act compliance by May 13, 2027. GDPR has been enforceable since May 2018. If you serve users in both jurisdictions, GDPR compliance is already overdue and DPDP implementation should start now.
1. Health Data Gets Different Treatment
This is the biggest divergence for health tech companies. Under GDPR, health data is a "special category" that triggers enhanced protections — you need explicit consent (not just regular consent), must conduct a Data Protection Impact Assessment (DPIA), and face stricter processing limitations.
India's DPDP Act does not categorize health data separately. All personal data receives the same level of protection. This sounds simpler, but it creates a trap: if you build your India compliance around DPDP's uniform standards and then expand to Europe, your health data handling won't meet GDPR's enhanced requirements.
What to do: Build to the higher standard. Design your health data processing around GDPR's special category requirements from the start. You'll be over-compliant for India and ready for Europe without a retrofit. If you're also subject to US regulations, read What Health Tech Founders Get Wrong About HIPAA.
2. Consent Mechanisms Don't Translate Directly
Both frameworks are consent-heavy, but GDPR gives you more flexibility. Under GDPR, you can process personal data under six lawful bases — including legitimate interests, which is a powerful basis for B2B health tech operations like analytics, fraud detection, and service improvement.
The DPDP Act relies primarily on consent. There's no broad "legitimate interests" basis. The "certain legitimate uses" provision is narrow and unlikely to cover the same scope.
For health tech companies, this means your EU consent flow and your India consent flow may need to collect consent at different points and for different purposes.
What to do: Build a consent management system that can serve both regimes. In practice, this means granular, purpose-specific consent that satisfies DPDP's requirements while also meeting GDPR's explicit consent standard for health data. Use one consent architecture, configured per jurisdiction.
3. Children's Data Is Stricter in India
If your health tech product touches pediatric users — child development apps, pediatric telehealth, family health platforms — India's requirements are significantly stricter than GDPR's.
DPDP sets the age threshold at 18 (GDPR allows member states to set it as low as 13). And India goes further: behavioral profiling and targeted advertising aimed at children are outright prohibited, not just restricted.
For a child health AI app, this means you cannot use a child's usage data to personalize recommendations in India the way you might in Europe — even with parental consent.
What to do: If you serve users under 18, implement verifiable parental consent for India and strip all behavioral profiling features for Indian users. Consider a feature-flag approach that adjusts your product's data processing based on the user's jurisdiction.
4. Cross-Border Transfers Work Differently
This is where DPDP is actually more permissive than GDPR. Under GDPR, transferring personal data outside the EU requires adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved mechanisms. This has been a major compliance burden for companies operating between India and Europe.
The DPDP Act takes a blacklist approach: data can flow freely to any country unless the Indian government specifically restricts it. As of now, no countries have been blacklisted.
However, health tech companies moving data from Europe to India still need to comply with GDPR's transfer mechanisms. India does not yet have an EU adequacy decision, so you'll need SCCs or another approved mechanism.
What to do: For India-to-EU data flows, you're largely fine under DPDP. For EU-to-India flows, implement Standard Contractual Clauses and conduct Transfer Impact Assessments. Document both directions in your data processing agreements. If you also handle US health data, see Why Your BAA Template Is Probably Not Enough.
5. Breach Response Timelines Differ
GDPR gives you a specific timeline: 72 hours to notify your supervisory authority after becoming aware of a breach. The DPDP Act says "without delay" — which is arguably stricter because there's no defined window to work within.
For a health tech company operating in both jurisdictions, a single breach could trigger dual notification requirements with different authorities, different timelines, and different formats.
What to do: Build your breach response plan for the strictest standard. Target notification within 48 hours to satisfy both regimes. Maintain pre-drafted notification templates for both the EU supervisory authority and India's Data Protection Board.
6. The Compliance Timeline Is Now
GDPR has been in force since 2018 — there's no grace period left. If you're serving EU users today, you must be fully compliant today.
India's DPDP Act gives organizations until May 13, 2027 for full compliance with core obligations. But "full compliance by 2027" doesn't mean "start in 2027." Organizations need to implement consent mechanisms, establish grievance redressal processes, appoint Data Protection Officers (for Significant Data Fiduciaries), and conduct Data Protection Impact Assessments.
What to do: If you're expanding to Europe, start GDPR compliance immediately — it's already enforceable. For DPDP, begin implementation now so you're not scrambling in 2027. The consent architecture, DPO appointment, and DPIA processes take months to build properly.
7. Compliance Timeline
- May 2018: GDPR enforcement begins
- August 2023: India DPDP Act enacted
- 2024–2025: DPDP Rules finalized and published
- May 13, 2027: Full DPDP compliance deadline
If you're building for both markets today, you need GDPR compliance immediately and a DPDP implementation roadmap that gets you ready well before 2027.
The Unified Approach
The smartest health tech companies don't build two separate compliance programs. They build one framework designed around the strictest requirements from each regime, with jurisdiction-specific configurations where the laws diverge.
This means:
- GDPR-level health data protections applied globally
- A consent management platform that serves granular, purpose-specific consent for both regimes
- India-level children's data protections (age 18, no profiling) as the baseline
- Standard Contractual Clauses for EU-to-India data flows
- A single breach response plan built to the tightest timeline
- Documentation that satisfies both GDPR's accountability principle and DPDP's compliance requirements
Build once, comply everywhere. That's the advantage of working with one attorney who understands both frameworks from the inside.
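As an added illustration (not code from this article or its author), here is one way to express the "build to the strictest standard, configure per jurisdiction" approach in software: the divergences from the comparison table become a per-regime policy record, and the product derives consent requirements, feature flags (the feature-flag idea from section 3) and breach-notification deadlines from the strictest regime that applies to a given user. The `Regime` structure, the jurisdiction codes and the consent-purpose names are assumptions of mine; the age thresholds, the 72-hour window, the 48-hour internal target and the SCC requirement are the article's figures.

```python
"""Jurisdiction-aware compliance gating for a health app (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Regime:
    name: str
    health_consent: str                 # "explicit" for GDPR special-category data, else "standard"
    child_age: int                      # parental consent required below this age
    child_profiling: bool               # behavioral profiling of minors permitted?
    breach_window_hours: Optional[int]  # None means "without delay" (no fixed window)
    outbound_needs_sccs: bool           # transfers out of the jurisdiction need SCCs/adequacy


# Figures from the article's comparison table; the field layout is an assumption.
GDPR = Regime("GDPR", "explicit", 16, True, 72, True)
DPDP = Regime("DPDP", "standard", 18, False, None, False)
REGIMES = {"EU": GDPR, "IN": DPDP}      # jurisdiction codes are assumed labels
INTERNAL_NOTIFY_TARGET_HOURS = 48       # the article's recommended internal target


def applicable_regimes(jurisdictions):
    """Regimes that apply to a user; pass all markets to get the global baseline."""
    regs = [REGIMES[j] for j in sorted(jurisdictions) if j in REGIMES]
    if not regs:
        raise ValueError("no supported jurisdiction in %r" % (jurisdictions,))
    return regs


def strictest_policy(jurisdictions):
    """Merge the applicable regimes field by field, keeping the stricter value."""
    regs = applicable_regimes(jurisdictions)
    return {
        "health_consent": "explicit" if any(r.health_consent == "explicit" for r in regs) else "standard",
        "child_age": max(r.child_age for r in regs),
        "child_profiling": all(r.child_profiling for r in regs),
        "outbound_needs_sccs": any(r.outbound_needs_sccs for r in regs),
    }


def feature_flags(jurisdictions, age, consents):
    """Derive processing flags from the strictest policy and the consents on file.

    consents: purposes granted, e.g. {"health_explicit", "parental", "profiling"}.
    Consent purpose names are assumed labels, not an API of any product.
    """
    pol = strictest_policy(jurisdictions)
    is_child = age < pol["child_age"]
    # Health data needs explicit consent wherever GDPR applies; minors also need parental consent.
    needed = "health_explicit" if pol["health_consent"] == "explicit" else "health_standard"
    health_ok = needed in consents and (not is_child or "parental" in consents)
    # Profiling needs its own consent and is switched off for minors where any regime forbids it.
    profiling_ok = health_ok and "profiling" in consents and (not is_child or pol["child_profiling"])
    return {"process_health_data": health_ok, "behavioral_profiling": profiling_ok}


def transfer_requirement(origin, destination):
    """Mechanism needed to move data from one jurisdiction to another."""
    if origin != destination and REGIMES[origin].outbound_needs_sccs:
        return "SCCs (or adequacy) plus a Transfer Impact Assessment"
    return "permitted unless the destination is blacklisted"


def breach_notification_plan(detected_at: datetime, jurisdictions):
    """Per-regime hard deadline plus the single internal 48-hour target."""
    plan = {}
    for r in applicable_regimes(jurisdictions):
        hard = (detected_at + timedelta(hours=r.breach_window_hours)
                if r.breach_window_hours is not None else None)
        plan[r.name] = {
            "authority": "EU supervisory authority" if r is GDPR
                         else "Data Protection Board of India and affected individuals",
            "hard_deadline": hard,   # None: "without delay", no defined window
            "internal_target": detected_at + timedelta(hours=INTERNAL_NOTIFY_TARGET_HOURS),
        }
    return plan


if __name__ == "__main__":
    print(strictest_policy({"EU", "IN"}))
    print(feature_flags({"IN"}, 15, {"health_standard", "parental", "profiling"}))
    print(transfer_requirement("EU", "IN"), "|", transfer_requirement("IN", "EU"))
    print(breach_notification_plan(datetime(2026, 1, 1, 9, 0), {"EU", "IN"}))
```

Calling `strictest_policy` with every market you operate in yields the global baseline the section describes (explicit consent for health data, age 18 with no profiling of minors, SCCs for EU-outbound flows); calling it with a single user's jurisdiction gives the local configuration where you choose to diverge.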
Frequently Asked Questions
Can I use my GDPR compliance to cover India's DPDP Act?
Partially. GDPR compliance gives you a strong foundation, but DPDP has unique requirements — particularly around consent as the primary lawful basis, children's data (age 18 threshold), and the grievance redressal mechanism. You'll need to layer India-specific provisions on top of your GDPR framework.
Does India's DPDP Act apply to companies outside India?
Yes. The DPDP Act applies to any organization processing digital personal data of individuals in India, even if the processing occurs outside India — similar to GDPR's extraterritorial reach.
What are the penalties under the DPDP Act?
Penalties can reach up to Rs 250 crore (approximately $30 million USD) per violation. The Data Protection Board of India will adjudicate complaints and impose penalties.
Do I need a Data Protection Officer for DPDP compliance?
Only if you're classified as a "Significant Data Fiduciary" by the Indian government. However, appointing a DPO or equivalent is best practice for any health tech company handling sensitive data.
How do cross-border data transfers work under DPDP?
The DPDP Act takes a permissive approach — data can flow freely to any country unless the Indian government specifically blacklists it. As of 2026, no countries have been blacklisted. However, if you're also subject to GDPR, you still need Standard Contractual Clauses for EU-to-India transfers.
Expanding between India and Europe?
Book a free 15-minute discovery call. I'll map your data flows across jurisdictions and tell you exactly what dual compliance looks like for your product.
Ankita (Ann) Srivastava is the founder of Gavel Speaks Inc., a cross-border healthcare compliance practice. With an LL.M. from Harvard Law School and active practice across the US, EU, India, and UAE, she advises health tech companies on multi-jurisdictional data privacy compliance.