GDPR Compliance

The author is Head of Compliance at Bellwether. At Bellwether, he has been advocating 'privacy by design and by default' principle to clients. He leads the GDPR compliance consulting practice with a team of experienced consultants in the fields of internet privacy, compliance, digital transformation and litigation.


What is GDPR?

GDPR is abbreviated form of the European Commission‘s newly enforced privacy protection law – General Data Protection Regulation. Before hiring a GDPR Consultant or considering to outsource your GDPR compliance, GDPR training or GDPR audit, you need to understand why GDPR compliance is important to your organization.


What you need to know before hiring a GDPR Consultant

During the last two decades, many countries across the world have enacted information privacy laws or data protection laws to protect their citizens’ personally identifiable information (PII). However, the EU-GDPR law is significantly different than previous ones due to it’s aggressive rules and restrictions on the organizations that collect and process the data of citizens of the European Union. What is Privacy, anyways? Read more here.

What is Personally Identifiable Information / PII?

GDPR tries to protect the personally identifiable information of it’s citizens. A PII is any data that can individually recognize a person with great accuracy. For example, Name of a person combined with the date of birth is a PII. Similarly, Address, email id, phone number are PII. Apart from these, an individual’s health information, political and religious beliefs are all declared as personal information and come under the purview of EU-GDPR regulation.

Since, you have visited this website, your IP address is recorded in our web server logs which can be used to identify you as a person. Hence IP addresses are also included in the definition of PII.

Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from large enterprises to start-ups.

GDPR Compliance for Indian Companies

Hey, we are an Indian business entity! And, we don’t have our business operations in EU. So, we don’t need to be GDPR Compliant

It may sound logical that GDPR for Indian companies does not apply, at least for business entities that are operating only from India or employing only Indian citizens or those that are not engaged in business with European businesses or citizens. However, the reality is different.

For Indian companies (or companies operating outside European Union), even if they do not have business presence in EU, but serve a client in EU, then GDPR Compliance is necessary, as the regulation mandates.

The dilemma, whether GDPR compliance for Indian companies is needed or not, can be eliminated by answering two questions:

  1. Are you an Indian company and have a business office in European Union?
  2. Are you an Indian company and have a client anywhere in the world that does business with EU entities?

If you have answered yes for any of the above questions, then you need to hire a GDPR compliance consultant in India, to talk about next steps.

Non-compliance with GDPR, after 25th of May 2018, could result in devastating impact for businesses not just operating or having presence in European Union, but also for Indian companies who process information of citizens of European Union

GDPR impact on Indian Companies

For Indian Companies that do data processing viz, analytics, data mining, big data firms, GDPR compliance has become a business development issue as much as legal issue, since European clients now want to confirm that their vendors are GDPR compliant too.

Personally, I have seen a lot of companies looking for GDPR consulting because their new prospects or customers started asking if they are GDPR compliant.

The Indian mainstream media is already abuzz with news about the hardships being faced by Indian outsourcing companies who are not prepared for GDPR yet.

GDPR for Indian Companies
The unforeseen impact is felt by many functions of Indian Companies. Marketing managers of Indian companies are questioning if their teams can contact prospects in their marketing funnels and email lists. Sales managers want to understand if their sales reps can do cold-calling to EU citizens. HR teams are concerned about the personal information, in the form of resumes, they hold from the prospective employees of EU region. IT Heads are worried about the type of access control they need to have to comply with GDPR. Inspired by EU-GDPR, An Indian version of the Privacy regulation – Personal Data Protection bill has been drafted and waiting for the parliament’s nod to become an act. Read more about the Indian Personal Data Protection Bill 2018. Becoming GDPR compliant now, will be beneficial when the Indian Personal Data Protection Bill becomes a legally enforced Act making it mandatory for the Indian Tech Industry to abide by the privacy laws. If your website has visitors from European Union, despite having no business operations in EU, your business is liable to pay penalties up to 20 million Euro or up to 4% of your company’s global turnover, for non-compliance. It may sound too harsh but that’s what the regulation says. You can read Article 84 of GDPR, which discusses the penalties for non-compliance.

Looking for GDPR Compliance Consulting?
Our GDPR consultants can drive your Enterprise Risk Management

Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from large enterprises to start-ups.

Get in touch today to talk to a GDPR Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.

GDPR penalties

Every month, since 25th of May, 2018, law suits are being filed on organizations of all sizes. Most notably, a few tech giants are facing GDPR legal suits for allegedly not complying with the European Union’s privacy regulation.

An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed a suit against Amazon,Apple,Youtube, Netflix, Spotify, and three more tech companies alleging that they have violated the terms of GDPR.

It comes as a surprise that companies like Google have failed to get things right with regards to GDPR compliance. The French Data Protection Authority had fined Google 50 million Euros, recently. Read more about GDPR Penalties.

GDPR compliance requirements

GDPR compliance requirements are the steps you have to take and processes you have to adapt in your organization that help to protect personal data of individuals.

Before you hire a GDPR Consultant

Create awareness:

Awareness is the first step towards compliance. The leadership team should understand the importance of data protection and the same has to be effectively communicated to the entire team down to the associate level. In fact, training and awareness is mandated by GDPR under article 47 & article 39

Conduct an in-house audit:

Conducting an in-house audit about all the data your organization holds – how it is generated, stored, transferred and used will give you a high level overview of the potential data risks you are currently sitting on. This in-house audit report can be of great help when you want to prepare your RFP to send to GDPR consultants.

After you hire a GDPR Consultant

Gap analysis:

A gap analysis is the first step in identifying what is non-compliant in your organization. Your GDPR consultant needs to interact with all the departments in your company, to understand the status-quo of your processes and establish benchmarks to be met in order to transform non-compliance into compliance.


DPIA or Data Protection Impact Assessment is the process of identifying the risks to privacy and finding solutions to address them. A DPIA many not be needed for your organization if the data processing you are doing is simple and not inherently risky for the privacy of your data subjects.

Other GDPR compliance requirements:

Several other requirements are to met to be GDPR complaint. A few of them are:

  • Documenting Data Flow Mapping
  • Protecting Data Subject Rights
  • Lawful bases for processing
  • Privacy policy drafting
  • Tweaking your website

GDPR compliance checklist

While a GDPR compliance checklist is exhaustive and beyond the scope of this article, the following pointers will help you understand the basic requirements to be compliant before outsourcing GDPR compliance.

Data Controller’s Checklist:

If you are a Data Controller (Who is a data controller? Read here), then you might need to look into the following

  1. Conduct an information audit to map data flows
  2. Create an appropriate data protection policy
  3. Identify your lawful bases for processing and documented the data you have collected from individuals.
  4. Review how you ask for consent and record the same thoroughly in a way that can be retrieved and presented to the European Union authorities / GDPR Law Enforcement officers, when asked for.
  5. Have internal systems to record and manage ongoing consent of the individuals, to be GDPR compliant
  6. If your business relies on consent to offer online services directly to children, you have systems in place to manage it
  7. Most importantly, protect individual’s legitimate rights and interests and fulfil GDPR’s aim
  8. Pay the Data protection fee to ICO. More details here
  9. Data Processor’s Checklist:

If you are a Data Processor (Who is a data processor? Read here), then you might need to look into the following

  1. Conduct an information audit to map data flows
  2. Documented below personal data questions:
  3. – what data you hold
  4. – where it came from
  5. – who you share it with and
  6. – what you do with it
  7. Have a Data protection Policy
  8. Nominate a Data Protection Officer
  9. Communicate with your team about Data Protection compliance commitment
  10. Understands the business impact of personal data breach and have a contingency plan
  11. Implement technical and organisational measures to integrate data protection into your processing activities
  12. Provide data protection awareness training to all your employees
  13. Appoint a representative within the EU (if applicable)
  14. Set up processes to monitor and report any personal data breaches to your controller
  15. Set up a process to respond to a controller’s request for information (arising from an individuals’ request to access their personal data)
  16. Have processes to ensure personal data of individuals remains accurate and up to date
  17. Have a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the controller
  18. Have specific procedures to fulfil to a data controllers’ request to stop/cease the processing of specific personal data
  19. Ensure your business can respond to a request from the controller to supply the personal data you process in electronic format
  20. Create information security policy supported by robust security processes.
Happy Clients
GDPR implementations

Understand your Privacy risk. Evaluate your Personal data security processes. Stay compliant. Avoid penalties.