GDPR for Indian Companies

This note is written after experience of more than 20 Indian Startups and small and mid sized companies.
So as we know it, GDPR is going to affect a lot of Indian companies in many ways, but the key ways in which it affects Indian companies is by restricting their growth and business potential.

The Indian culture is such that CEOs are just not ready to comply and GDPR is not a light regulation. It places enhanced obligations on all companies to consider privacy as a key risk and monitor it accordingly.

Another challenge facing Indian companies is that these are typically 50 to about 200 employee companies and they have very poor information security controls and GDPR requires under article 32 that company should have strong technical and organisational measures to ensure data protection.

In such a scenario small companies are forced to significantly improve their information security controls which means a lot of financial expenditure. At this juncture, companies evaluate the pros and cons of compliance. Should they spend and comply or rather lose that one client that is giving them the business.

Small Indian companies are generally concentrated and have businesses with a few large overseas clients these companies believe that if they are able to convince these few clients and win their confidence then there really isn't any requirement to comply. But as Riskpro India has seen, while consulting on several data protection consulting assignments with these companies, it is those few large clients that will make the push because the larger the clients you have, the more compliance oriented they tend to be.

So, a piece of advice is that GDPR is not a one-time activity but rather an ongoing compliance requirement. Unless the company's understand this key difference, compliance will be merely a tick box exercise and will result in large regulatory penalties for such companies. Just putting together a set of policies and papers procedures a few trainings here and there and then telling the world that you GDPR compliant does not help. Instead what the company should be doing is that they should be understanding the privacy risk, building a culture of improving data protection across the organisation and enhancing their information security controls.

Really if you look at it then the only real things that are very important are not many but a few. And many small companies can easily comply with these. The following are the key requirements for companies

• Need to have privacy policy that explains exactly what kind of information is collected how it is collected and that data subject have rights under the policy.

• This document called should also outline what type of minor’s data processing occurs and any cross-border transfers and recipients of data

• A robust and clearly articulated consent collection and consent storage evidencing process is absolutely critical small companies who tend to blast out emails and engage with customers and potential customers through direct marketing without realizing that there are multiple regulations that impact the organisation. It is not just GDPR that they have to comply with, but we also have regulation similar to PECR and E-privacy, so you can imagine trying to follow and comply with one regulation but ignoring the fact that these are parallel regulation out there.

• Such confusion totally impacts these companies and at the end, they are better off not complying at all rather than complying half heartedly and without realising the overall impact of their activities.

To conclude, under such circumstances, it is absolutely important that these Indian companies carry out a detailed GDPR gap assessment and identify the core and key areas of non-compliance. After that a project plan should be designed in which all the tasks and actions are outlined.

If you would like to learn more about how Riskpro India is helping Indian companies to meet GDPR compliance, drop an email to

Other Services of Interest

  • Core Banking Solution Upgradation or Migration

    A bank upgrading its Core Banking Solution (CBS) technology to a new version aims to provide significant enhancement in services to its esteemed customers. Data migration in core banking is all about...
  • Why Do Controls Fail? Webinar By Riskpro India

    As Risk Management and Audit Professionals, we spend most of our time emphasizing to Senior Management...
  • DSCI DPF Consulting Services & Training

    With accelerated advancement in the tech world, there is also an unconscious evolution to cyber-crimes. Continuous development of new attacks and techniques that not only allows attackers to...
  • DSCI Data Privacy Framework Certification

    Riskpro India is an accredited assessing organization to provide companies with DSCI’s data privacy framework. With the frequency and magnitude of cyber-crime attacks on the rise, data security and...
  • Overview of DSCI’s Data Privacy Framework- Webinar

    To protect the privacy of personal information from unauthorized use, disclosure, modification, or misuse, DSCI has conceptualized its approach towards privacy in the DSCI Privacy Framework (DPF©)...
  • Riskpro's AML/CFT Services

    Riskpro provides AML/CFT services that includes regulatory gap analysis, policies and procedures relating to AML. The services includes. Sanctions Processes Regulatory Requisites Conformity to...
  • Procurement Fraud - Riskpro can help

    If you suspect procurement fraud, do contact Riskpro India and we can help to unearth the suspicious activity. Following are some of the ways in which we can help. 1. Review of onboarding...
  • Riskpro's Service Verticals

    In today's world, risks are not few. An enterprise faces various risks and challenges and is subject to uncertainties and negative impacts from these risks. Managing risks is your key to untapped...
  • Privacy and Data Protection Services - General Data Protection Regulation (GDPR)

    The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Riskpro India now offers Indian companies Data Protection assessments, GDPR...
  • Go to top