
GDPR Compliance Checklist for Indian Companies

Cybrotech Compliance Team · May 24, 2025 · 8 min read

GDPR applies to Indian companies serving EU markets. Fines reach €20 million or 4% of global turnover. This checklist covers data mapping, legal basis, privacy notices, and regulatory compliance steps.

The General Data Protection Regulation (GDPR) came into force in May 2018 and remains the world's most influential data privacy law. While it is a European regulation, it has direct implications for Indian companies — and the consequences of non-compliance include fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Does GDPR Apply to Your Indian Company?

GDPR has extra-territorial reach under Article 3. It applies to your organisation if you:

  • Offer goods or services to individuals in the EU — even if those services are free
  • Monitor the behaviour of individuals in the EU — including website analytics, cookies, or tracking
  • Process personal data of EU residents on behalf of a European company (as a data processor)

If any of these apply, GDPR applies to you — regardless of where your company is incorporated or where your servers are located. Indian IT services companies, SaaS providers, BPOs, and e-commerce businesses serving EU markets are particularly exposed.

India now also has its own Digital Personal Data Protection (DPDP) Act 2023, which shares many principles with GDPR. Getting GDPR-compliant now will give you a significant head start on DPDP compliance as well.

GDPR Compliance Checklist for Indian Companies

1. Conduct a Data Mapping Exercise

Identify every category of personal data your organisation collects, processes, and stores. Document: what data you collect, why you collect it (the legal basis), where it is stored, who has access to it, how long you retain it, and whether it is shared with third parties. This becomes your Record of Processing Activities (RoPA) — a requirement under Article 30.

2. Establish a Legal Basis for Every Processing Activity

GDPR requires a lawful basis for every personal data processing activity. The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most Indian companies, the relevant ones are consent (with a proper consent mechanism) and legitimate interests (which requires a balancing test to document).

3. Update Your Privacy Notices

Your privacy policy must clearly explain what data you collect, why, how long you keep it, and what rights individuals have. It must be written in plain language — not legal jargon. If you use cookies or tracking, a separate cookie policy and consent banner are required.

4. Implement a Data Subject Rights Process

Under GDPR, EU individuals can exercise rights including: access (receive a copy of their data), rectification (correct inaccurate data), erasure ('right to be forgotten'), restriction, portability, and objection. You must be able to respond to these requests within 30 days. This requires a process — not just a policy.

5. Sign Data Processing Agreements With All Third Parties

If you share personal data with third-party vendors, cloud providers, or subprocessors, Article 28 requires a Data Processing Agreement (DPA) with each of them. Review all your vendor contracts and add GDPR-compliant DPA clauses where they are missing.

6. Implement a Breach Notification Procedure

Under Article 33, you must notify the relevant supervisory authority within 72 hours of discovering a personal data breach. If the breach is likely to result in high risk to individuals, you must also notify the affected individuals. You need a documented incident response process that includes this notification procedure.

7. Conduct a Data Protection Impact Assessment (DPIA) for High-Risk Activities

Article 35 requires a DPIA before you begin any processing that is likely to result in high risk to individuals. This includes systematic profiling, large-scale processing of sensitive data, and monitoring of public spaces. The DPIA must identify the risks and document the measures you are taking to mitigate them.

8. Appoint a Data Protection Officer (DPO) If Required

A DPO is mandatory under Article 37 if you are a public authority, if your core activities involve large-scale systematic monitoring, or if you process special categories of data at scale. For many Indian SMEs, a DPO is not mandatory but is strongly advisable.

International Data Transfers From India to the EU

If personal data of EU individuals is stored on servers in India, this constitutes an international data transfer. Chapter V of GDPR restricts transfers to countries that do not have an adequacy decision. India does not currently have adequacy status, so transfers must rely on Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved mechanism.

The Cost of Non-Compliance

  • Tier 1 violations (e.g., breach notification failures): up to €10 million or 2% of global turnover
  • Tier 2 violations (e.g., core data protection principles): up to €20 million or 4% of global turnover
  • Reputational damage and loss of EU client contracts
  • Personal liability for directors in some jurisdictions

Cybrotech's GDPR team helps Indian companies achieve compliance with gap analysis, DPA drafting, policy implementation, and ongoing advisory support.
