GDPR for Indian Companies

This note is written after experience with more than 20 Indian startups and small and mid-sized companies.
As we know, GDPR is going to affect a lot of Indian companies in many ways, but the key way in which it affects Indian companies is by restricting their growth and business potential.

Indian corporate culture is such that CEOs are simply not ready to comply, and GDPR is not a light regulation. It places enhanced obligations on all companies to treat privacy as a key risk and monitor it accordingly.

Another challenge facing Indian companies is that they are typically 50 to about 200 employee companies with very poor information security controls, while GDPR requires under Article 32 that a company have strong technical and organisational measures to ensure data protection.

In such a scenario small companies are forced to significantly improve their information security controls, which means a lot of financial expenditure. At this juncture, companies evaluate the pros and cons of compliance: should they spend and comply, or rather lose the one client that is giving them the business?

Small Indian companies are generally concentrated, doing business with a few large overseas clients. These companies believe that if they can convince those few clients and win their confidence, then there really isn't any requirement to comply. But as Riskpro India has seen while consulting on several data protection assignments with these companies, it is those few large clients that will make the push, because the larger the clients you have, the more compliance-oriented they tend to be.

So, a piece of advice: GDPR is not a one-time activity but rather an ongoing compliance requirement. Unless companies understand this key difference, compliance will be merely a tick-box exercise and will result in large regulatory penalties for such companies. Just putting together a set of policies, papers and procedures, a few trainings here and there, and then telling the world that you are GDPR compliant does not help. Instead, what the company should be doing is understanding its privacy risk, building a culture of improving data protection across the organisation and enhancing its information security controls.

Really, if you look at it, the things that are very important are not many but a few, and many small companies can easily comply with these. The following are the key requirements for companies:

• A privacy policy that explains exactly what kind of information is collected, how it is collected, and what rights data subjects have under the policy.

• This document should also outline what type of minors' data processing occurs, as well as any cross-border transfers and recipients of data.

• A robust and clearly articulated process for collecting consent and storing evidence of consent is absolutely critical, especially for small companies that tend to blast out emails and engage with customers and potential customers through direct marketing without realizing that multiple regulations impact the organisation. It is not just GDPR that they have to comply with; there are also regulations similar to PECR and the ePrivacy rules, so you can imagine trying to follow and comply with one regulation while ignoring the fact that these parallel regulations are out there.

• Such confusion totally impacts these companies, and in the end they are better off not complying at all rather than complying half-heartedly and without realising the overall impact of their activities.

To conclude, under such circumstances it is absolutely important that these Indian companies carry out a detailed GDPR gap assessment and identify the core and key areas of non-compliance. After that, a project plan should be designed in which all the tasks and actions are outlined.

If you would like to learn more about how Riskpro India is helping Indian companies to meet GDPR compliance, drop an email to
