Three Regimes, One Organisation
For any organisation with operations, customers, or data subjects in the European Union, Brazil, and India, 2026 marks the first year in which three major data protection regimes are simultaneously in force and actively enforced. The General Data Protection Regulation (GDPR) has been applicable since May 2018 across the EU's 27 member states and the EEA. Brazil's Lei Geral de Proteção de Dados (LGPD) has been fully enforceable since August 2020. India's Digital Personal Data Protection Act (DPDP Act), passed in August 2023, had its Rules formally notified on November 13-14, 2025, with full enforcement expected by May 2027.
This convergence is not coincidental. Both India and Brazil explicitly modelled elements of their data protection frameworks on the GDPR. The structural similarities — consent-based processing, data subject rights, supervisory authorities, breach notification obligations — create a surface-level impression of alignment. But the divergences are significant, and they are precisely the points where multi-jurisdiction compliance programmes fail.
The LGPD introduced ten distinct legal bases for processing personal data, compared to the GDPR's six. India's DPDP Act took a fundamentally different approach by omitting legitimate interest as a legal basis entirely — a decision that forces organisations relying on that basis under GDPR to restructure their processing activities for the Indian market. Cross-border transfer mechanisms differ substantially across all three: the GDPR uses adequacy decisions and Standard Contractual Clauses, the LGPD relies on ad hoc contractual arrangements and standard clauses issued by the ANPD, and the DPDP Act adopts a negative list approach where transfers are permitted unless the Indian government specifically blocks transfers to a country.
Understanding these differences is not an academic exercise. It determines whether an organisation can operate a single compliance programme or must maintain three parallel ones.
Requirements Comparison
The table below compares the three regimes across their core requirements. The divergences highlighted here drive the architectural decisions in any unified compliance programme.
| Requirement | GDPR (EU) | LGPD (Brazil) | DPDP Act (India) |
|---|---|---|---|
| In force | May 2018 | August 2020 | Rules notified Nov 2025; full enforcement May 2027 |
| Territorial scope | EU/EEA establishments + extraterritorial reach | Brazil-based processing + extraterritorial reach | Processing of digital personal data in India + extraterritorial reach |
| Legal bases for processing | 6 bases (consent, contract, legal obligation, vital interests, public interest, legitimate interest) | 10 bases (adds credit protection, health protection, research, fraud prevention) | Consent and "certain legitimate uses" (no legitimate interest basis) |
| Consent requirements | Freely given, specific, informed, unambiguous; opt-in | Freely given, informed, unambiguous; can be granular | Free, specific, informed, unconditional; must be verifiable |
| Data subject rights | Access, rectification, erasure, portability, restriction, objection, automated decision-making | Access, rectification, erasure, portability, anonymisation, information on sharing | Access, correction, erasure, nomination of representative; no portability right |
| DPO requirement | Mandatory for public bodies and large-scale processing | Mandatory for all controllers (ANPD may set exceptions) | No DPO requirement; Consent Managers for managing consent |
| Breach notification | 72 hours to supervisory authority | Reasonable time (ANPD recommends 2 business days) | 72 hours to Data Protection Board of India |
| Cross-border transfers | Adequacy decisions, SCCs, BCRs, derogations | Standard clauses, specific contractual clauses, international cooperation | Negative list: transfers allowed unless government restricts to specific countries |
| Maximum penalties | EUR 20M or 4% global turnover | 2% of revenue in Brazil, capped at BRL 50M per infraction | INR 250 crore (~EUR 27M) per infraction; INR 500 crore for children's data breaches |
| Enforcement authority | National DPAs (e.g., CNIL, BfDI, Irish DPC) | ANPD (Autoridade Nacional de Proteção de Dados) | Data Protection Board of India (DPBI) |
Two entries in this table deserve particular attention. First, the absence of legitimate interest as a legal basis under the DPDP Act is not a minor gap — it fundamentally changes how organisations must justify processing activities that, under GDPR and LGPD, would rely on that basis. Second, the absence of a data portability right under the DPDP Act means that technical infrastructure built to fulfil GDPR Article 20 obligations has no corresponding requirement in India, though maintaining the capability does no harm.
GDPR in 2026: Mature Enforcement at Scale
Eight years after entering force, the GDPR remains the global benchmark for data protection regulation and the most actively enforced of the three regimes.
According to the DLA Piper GDPR Fines and Data Breach Survey published in January 2026, cumulative GDPR fines have reached approximately EUR 7.1 billion. Breach notifications across the EEA now average 443 per day, reflecting both the expanding attack surface and the growing maturity of supervisory authorities in processing and acting on notifications.
The enforcement trajectory has been marked by increasingly large penalties targeting systemic failures rather than procedural missteps. Meta Platforms Ireland received a EUR 1.2 billion fine in May 2023 for unlawful transfers of personal data to the United States — the largest GDPR fine to date and a signal that cross-border data transfer compliance is a top supervisory priority. LinkedIn Ireland (Microsoft) was fined EUR 310 million in October 2024 for breaches of lawfulness, fairness, and transparency obligations.
Two developments in 2025-2026 are reshaping the GDPR enforcement landscape. First, procedural reforms for cross-border cases are streamlining the cooperation mechanism between lead supervisory authorities and concerned supervisory authorities, addressing the bottleneck that delayed several high-profile enforcement actions. Second, the European Commission's Digital Omnibus package proposals, announced in early 2026, seek to reduce administrative burden for SMEs while maintaining the substantive protections of the regulation.
For organisations building multi-jurisdiction programmes, the GDPR's maturity makes it the natural starting point. Its requirements are the most extensively interpreted through guidance, case law, and enforcement precedent, providing the clearest operational baseline.
LGPD Enforcement: ANPD Finding Its Teeth
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), has transitioned from an advisory body to an enforcement authority with meaningful sanctioning power. Cumulative fines under the LGPD reached approximately BRL 98 million (~EUR 18-19 million) across the 2023-2025 period, a figure that reflects both the ANPD's growing capacity and the relatively recent availability of its sanctioning powers.
The ANPD's enforcement posture differs from European DPAs in important respects. While European authorities tend to pursue large penalties against major technology companies, the ANPD has distributed enforcement actions more broadly across sectors, including telecommunications, financial services, and public administration. This pattern suggests that Brazilian organisations cannot assume enforcement will focus exclusively on large technology platforms.
The LGPD's ten legal bases for processing — four more than the GDPR — create both opportunities and compliance complexity for multi-jurisdiction organisations. The additional bases include credit protection (a reflection of Brazil's credit scoring ecosystem), health protection by healthcare professionals, research by research bodies, and fraud prevention. Organisations operating under both GDPR and LGPD must map their processing activities to the applicable bases under each regime, recognising that a processing activity lawful under one set of bases may require a different justification under the other.
A significant development for multi-jurisdiction compliance emerged in January 2026, when the European Commission and Brazil formally initiated mutual adequacy discussions. If concluded, an EU-Brazil adequacy decision would substantially simplify cross-border data transfers between the two jurisdictions, eliminating the need for Standard Contractual Clauses or other transfer mechanisms for covered transfers. The timeline for conclusion remains uncertain, but the initiation of formal talks is itself a signal that regulators on both sides see sufficient alignment to pursue the process.
The ANPD has also been active in issuing guidance on international data transfers, data protection impact assessments, and the role of the DPO — areas where practical implementation details had been lacking since the LGPD's enactment. For organisations designing unified compliance programmes, monitoring ANPD guidance is essential, as the authority is still defining the operational parameters of several LGPD obligations.
India's DPDP Act: From Legislation to Implementation
The Digital Personal Data Protection Act, 2023, reached a critical implementation milestone when the DPDP Rules were formally notified on November 13-14, 2025. This moved the framework from legislative text to operational regulation, establishing the specific procedural requirements that organisations must follow.
The DPDP Act's approach to data protection differs from both the GDPR and LGPD in several fundamental respects. Most significantly, the Act does not include legitimate interest as a legal basis for processing. Instead, it centres on consent as the primary basis, supplemented by a narrow set of "certain legitimate uses" — primarily covering state functions, legal obligations, medical emergencies, and employment. For organisations that rely on legitimate interest under GDPR Article 6(1)(f) for activities such as fraud prevention, network security, or direct marketing, the DPDP Act requires either obtaining explicit consent or determining whether the activity falls within one of the enumerated legitimate uses.
The Data Protection Board of India (DPBI) has been established as the adjudicatory body responsible for enforcement. Unlike the GDPR's supervisory authority model, the DPBI functions as a quasi-judicial body that adjudicates complaints and determines penalties rather than conducting proactive supervisory activities. This distinction affects how organisations should approach compliance monitoring — the enforcement trigger in India is more likely to be a complaint or breach report than a regulatory audit.
The Consent Manager framework is a distinctive feature of the DPDP regime. Consent Managers are registered entities that act as intermediaries between data principals (data subjects) and data fiduciaries (controllers), enabling individuals to manage, review, and withdraw consent across multiple services through a single interface. This creates a new compliance interaction point that has no direct equivalent under GDPR or LGPD.
Cross-border data transfers under the DPDP Act follow a negative list approach: transfers to all countries are permitted unless the Indian government specifically restricts transfers to designated countries. This is structurally different from the GDPR's positive list (adequacy decisions) and the LGPD's mixed model. As of early 2026, no countries have been placed on the restricted list, meaning transfers are currently unrestricted — but this could change with limited notice.
Penalties under the DPDP Act can reach INR 250 crore (~EUR 27 million) per infraction, with enhanced penalties of up to INR 500 crore for breaches involving children's data. The Act also includes significant parental consent requirements for processing minors' data, including a prohibition on behavioural monitoring and targeted advertising directed at children.
Full enforcement is expected by May 2027, giving organisations approximately 14 months from today to achieve compliance. Given the structural differences from GDPR and LGPD, this timeline is aggressive for organisations that have not begun their DPDP compliance programmes.
Where They Align
Despite the divergences, the three regimes share a common philosophical foundation that makes a unified compliance programme feasible. Identifying the areas of alignment is the first step in designing that programme.
Consent as a primary basis. All three regimes treat consent as a central legal basis for processing, with broadly similar requirements: it must be freely given, specific, informed, and unambiguous. While the operational details differ (particularly around withdrawal mechanisms and the DPDP Act's verifiability requirement), the core consent architecture is compatible across all three.
Data minimisation and purpose limitation. Each regime requires that personal data be collected for specified, explicit purposes and not processed beyond those purposes. The principle of collecting only the data necessary for the stated purpose is common to all three, though the DPDP Act frames this as data being "adequate and relevant" rather than using the GDPR's more detailed minimisation language.
Breach notification obligations. All three regimes require notification of data breaches to the supervisory authority, with broadly similar expectations around content and timing. The GDPR and DPDP Act specify 72-hour notification windows; the LGPD's "reasonable time" standard, with ANPD guidance suggesting two business days, produces a comparable practical requirement.
Data subject access rights. The right of individuals to access their personal data held by an organisation is common to all three regimes. The specific scope and modalities of access differ, but the underlying infrastructure requirement — maintaining the ability to locate, extract, and deliver an individual's data upon request — is consistent.
Controller-processor distinction. All three regimes distinguish between the entity that determines the purposes and means of processing (controller/data fiduciary) and the entity that processes data on the controller's behalf (processor/data processor). The terminology varies — the DPDP Act uses "data fiduciary" and "data processor" — but the conceptual framework and the requirement for contractual arrangements between them are consistent.
Security safeguards. Each regime requires appropriate technical and organisational measures to protect personal data. The specific measures are not prescribed in detail by any of the three, leaving organisations to determine appropriate controls based on risk — a principle that enables a single security framework to satisfy all three regimes.
Where They Diverge
The divergences between the three regimes are where compliance programmes succeed or fail. Each divergence point requires a specific architectural decision.
Legitimate interest. The GDPR and LGPD both include legitimate interest as a legal basis, though with different balancing tests. The DPDP Act omits it entirely. This is the single most consequential divergence for multi-jurisdiction programmes. Processing activities that rely on legitimate interest under GDPR — including fraud detection, network security monitoring, and certain forms of direct marketing — must be re-evaluated for India. In many cases, this means obtaining explicit consent or restructuring the processing activity.
Data portability. The GDPR (Article 20) and LGPD both grant data subjects the right to receive their personal data in a structured, commonly used format and to transmit it to another controller. The DPDP Act includes no such right. Organisations should maintain portability capabilities regardless, as they serve GDPR and LGPD compliance, but should not expect portability requests from Indian data principals.
DPO requirements. The GDPR requires a DPO for public bodies and organisations engaged in large-scale processing or monitoring. The LGPD requires every controller to appoint a DPO (though the ANPD may establish exceptions for small enterprises). The DPDP Act has no DPO requirement, instead introducing the Consent Manager framework. A unified programme should appoint a DPO to satisfy GDPR and LGPD requirements while separately addressing Consent Manager interactions for India.
Cross-border transfer mechanisms. The three regimes take fundamentally different approaches. The GDPR's positive list model (adequacy decisions, SCCs, BCRs) places the burden on the exporting controller to establish an adequate level of protection. The LGPD follows a broadly similar model but with its own standard clauses and adequacy assessments. The DPDP Act's negative list model inverts the default — transfers are permitted unless restricted — but introduces regulatory uncertainty, as countries can be added to the restricted list without extended notice periods.
Penalty structures. The GDPR's percentage-of-turnover model (up to 4% of global annual turnover) can produce penalties that dwarf the fixed caps under LGPD (BRL 50 million per infraction) and the DPDP Act (INR 250 crore per infraction). However, the DPDP Act's enhanced penalties for children's data breaches (INR 500 crore) and the per-infraction structure mean that aggregate exposure can be substantial.
Processor obligations. The GDPR imposes direct obligations on processors, including maintaining records of processing, appointing a DPO where required, and notifying the controller of breaches. The LGPD similarly imposes obligations on processors, though with less specificity. The DPDP Act's obligations on data processors are narrower, focusing primarily on processing data only as instructed by the data fiduciary and implementing security safeguards.
Building a Unified Compliance Programme
A multi-jurisdiction data protection programme that attempts to maintain three separate compliance streams will be operationally unsustainable for most organisations. The more effective approach is to build from a common baseline and layer jurisdiction-specific requirements where the regimes diverge.
Start from the Highest Common Denominator
The GDPR, as the most mature and most extensively interpreted of the three regimes, provides the strongest foundation. An organisation that is fully GDPR-compliant has already implemented the majority of controls required by the LGPD and a substantial portion of those required by the DPDP Act. The key principle is to design for the most stringent requirement in each category and then verify that the design satisfies the requirements of the other two regimes.
Conduct Unified Data Mapping
A single, comprehensive data mapping exercise should identify all processing activities across all three jurisdictions, documenting the legal basis relied upon under each regime. This is where the legitimate interest gap under the DPDP Act becomes operationally visible: processing activities mapped to legitimate interest under GDPR must be mapped to an alternative basis (typically consent) for India. The data map should be structured to support the Record of Processing Activities (ROPA) required under GDPR, the equivalent documentation under LGPD, and the processing transparency requirements under the DPDP Act.
Harmonise Breach Response
Where breach notification timelines differ, the shortest deadline governs the unified response. The GDPR's 72-hour notification requirement and the DPDP Act's matching 72-hour requirement set the effective deadline, with the LGPD's "reasonable time" standard falling within the same window if the ANPD's two-business-day guidance is followed. A single breach response procedure should be designed to meet all three notification requirements simultaneously, with jurisdiction-specific notification templates prepared in advance.
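The following Python is an added example, not part of the original article, illustrating the two mechanics described under Conduct Unified Data Mapping and Harmonise Breach Response: a per-activity legal-basis record that flags where a basis relied on under one regime does not exist under another (the DPDP legitimate-interest gap), and a notification-deadline calculation that takes the earliest of the three windows. The basis sets are taken from the comparison table with the DPDP "certain legitimate uses" collapsed into one label, the activity names and timestamps are constructed, and the business-day arithmetic ignores public holidays.

```python
"""Added example: legal-basis carry-over check and unified breach deadline."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Legal bases each regime recognises, taken from the comparison table.
# Assumption: DPDP's enumerated "certain legitimate uses" are collapsed into
# a single label; the real list is narrower than the GDPR/LGPD bases.
BASES = {
    "GDPR": {"consent", "contract", "legal_obligation", "vital_interests",
             "public_interest", "legitimate_interest"},
    "LGPD": {"consent", "contract", "legal_obligation", "vital_interests",
             "public_interest", "legitimate_interest", "credit_protection",
             "health_protection", "research", "fraud_prevention"},
    "DPDP": {"consent", "certain_legitimate_use"},  # no legitimate interest
}

@dataclass
class ProcessingActivity:
    """One row of the unified data map (ROPA-style record)."""
    name: str
    jurisdictions: set   # regimes in scope for this activity
    basis: dict          # regime -> legal basis the activity relies on

def basis_gaps(activity):
    """Return (regime, reason) pairs where the recorded basis does not hold.

    This is where the DPDP legitimate-interest gap becomes visible: an
    activity carried over from GDPR on that basis is flagged for India.
    """
    gaps = []
    for regime in sorted(activity.jurisdictions):
        basis = activity.basis.get(regime)
        if basis is None:
            gaps.append((regime, "no legal basis recorded"))
        elif basis not in BASES[regime]:
            gaps.append((regime, f"'{basis}' is not a recognised basis"))
    return gaps

def add_business_days(start, days):
    """Advance start by Mon-Fri business days (weekends skipped, holidays ignored)."""
    current, remaining = start, days
    while remaining:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current

def notification_deadlines(detected, jurisdictions):
    """Per-regime notification deadline counted from the moment of detection."""
    deadlines = {}
    if "GDPR" in jurisdictions:
        deadlines["GDPR"] = detected + timedelta(hours=72)
    if "DPDP" in jurisdictions:
        deadlines["DPDP"] = detected + timedelta(hours=72)
    if "LGPD" in jurisdictions:  # ANPD two-business-day guidance
        deadlines["LGPD"] = add_business_days(detected, 2)
    return deadlines

def governing_deadline(detected, jurisdictions):
    """The earliest deadline governs the unified breach response."""
    deadlines = notification_deadlines(detected, jurisdictions)
    regime = min(deadlines, key=deadlines.get)
    return regime, deadlines[regime]
```

On a midweek detection the two-business-day guidance yields a 48-hour window, shorter than the 72-hour GDPR and DPDP deadlines, so the LGPD leg can be the one that governs; across a weekend the 72-hour rule is the tighter one.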
Layer Jurisdiction-Specific Requirements
After establishing the GDPR baseline, the unified programme must address specific requirements unique to each regime:
- LGPD-specific legal bases: Map processing activities that rely on credit protection, health protection, or the other additional LGPD bases. These require documentation separate from the GDPR legal basis assessment.
- DPDP consent architecture: For processing activities directed at Indian data principals, implement consent collection that meets the DPDP Act's verifiability requirement and integrate with the Consent Manager framework.
- LGPD DPO appointment: Ensure the appointed DPO satisfies the LGPD's broader appointment requirement (all controllers, not just those meeting the GDPR's thresholds).
Prepare Cross-Border Transfer Assessments
Each cross-border data transfer must be assessed under the applicable regime's transfer mechanism. In practice, this means maintaining current SCCs for EU-origin transfers, monitoring the EU-Brazil adequacy discussions and maintaining interim transfer mechanisms, and tracking the DPDP Act's negative list for any restrictions on transfers from India. The potential EU-Brazil adequacy decision, if concluded, would simplify one leg of this triangle significantly.
Implement Continuous Monitoring
The regulatory landscape across all three jurisdictions is actively evolving. The GDPR's procedural reforms, the ANPD's expanding guidance programme, and the DPDP Act's phased enforcement create a dynamic compliance environment. Organisations should establish a regulatory monitoring function that tracks developments across all three regimes and assesses their impact on the unified programme.
The goal is not perfect alignment — the three regimes are too different for that. The goal is a single programme architecture that accommodates all three regimes without duplicating the foundational work of data mapping, security controls, and governance structures.
Sources
- DLA Piper, GDPR Fines and Data Breach Survey, January 2026
- India Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
- India DPDP Rules, formally notified November 13-14, 2025
- Brazil Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018)
- ANPD enforcement reports 2023-2025
- European Commission, EU-Brazil adequacy discussions announcement, January 2026
- Regulation (EU) 2016/679 (General Data Protection Regulation)