GDPR for Indian Companies

This note is written after experience with more than 20 Indian startups and small and mid-sized companies.
As we know, GDPR is going to affect a lot of Indian companies in many ways, but the key way in which it affects them is by restricting their growth and business potential.

The Indian culture is such that CEOs are just not ready to comply, and GDPR is not a light regulation. It places enhanced obligations on all companies to treat privacy as a key risk and monitor it accordingly.

Another challenge facing Indian companies is that they are typically companies of 50 to about 200 employees with very poor information security controls, whereas GDPR requires under Article 32 that a company have strong technical and organisational measures to ensure data protection.

In such a scenario, small companies are forced to significantly improve their information security controls, which means a lot of financial expenditure. At this juncture, companies evaluate the pros and cons of compliance: should they spend and comply, or rather lose that one client that is giving them the business?

Small Indian companies are generally concentrated, doing business with a few large overseas clients. These companies believe that if they can convince those few clients and win their confidence, then there really isn't any requirement to comply. But as Riskpro India has seen while consulting on several data protection assignments with these companies, it is those few large clients that will make the push, because the larger the clients you have, the more compliance-oriented they tend to be.

So, a piece of advice: GDPR is not a one-time activity but an ongoing compliance requirement. Unless companies understand this key difference, compliance will be merely a tick-box exercise and will result in large regulatory penalties for such companies. Just putting together a set of policies, papers and procedures, running a few trainings here and there, and then telling the world that you are GDPR compliant does not help. Instead, the company should be understanding its privacy risk, building a culture of improving data protection across the organisation, and enhancing its information security controls.

Really, if you look at it, the things that are truly important are not many but a few, and many small companies can easily comply with these. The following are the key requirements for companies:

• A privacy policy that explains exactly what kind of information is collected, how it is collected, and what rights data subjects have under the policy.

• This document should also outline what type of minors' data processing occurs, any cross-border transfers, and the recipients of the data.

• A robust and clearly articulated process for collecting consent and storing evidence of that consent is absolutely critical. Small companies tend to blast out emails and engage with customers and potential customers through direct marketing without realising that multiple regulations impact the organisation. It is not just GDPR that they have to comply with; there are also regulations such as PECR and ePrivacy, so you can imagine the result of trying to follow and comply with one regulation while ignoring the parallel regulations out there.

• Such confusion badly affects these companies, and in the end they are better off not complying at all rather than complying half-heartedly and without realising the overall impact of their activities.

To conclude, under such circumstances it is absolutely important that these Indian companies carry out a detailed GDPR gap assessment and identify the core areas of non-compliance. After that, a project plan should be drawn up in which all the tasks and actions are outlined.

If you would like to learn more about how Riskpro India is helping Indian companies to meet GDPR compliance, drop an email to
