GDPR Compliance
The author heads the practice of Cybersecurity and Data Privacy Compliance at Bellwether. At Bellwether, he has been advocating the core principles of EU-GDPR like data minimization, purpose limitation, explicit consent and privacy by design and default. He leads the GDPR compliance consulting practice with a team of experienced consultants in the field of global data privacy regulations.
LinkedIn: https://in.linkedin.com/in/balu0103


GDPR Compliance in 2025
GDPR, the General Data Protection Regulation, is the European Commission's privacy law; it came into force on 25 May 2018. GDPR compliance refers to an organization's adoption of the principles of data privacy and its restriction of the processing of personal data in line with the mandates set forth in the regulation.
Before hiring a GDPR consultant or considering outsourcing GDPR compliance, GDPR training or a GDPR audit, you need to understand why GDPR compliance is important to your organization.


Hiring a GDPR Consultant: what you need to know
The European Parliament and the Council of the EU adopted the GDPR in 2016. Since then, several organizations across the globe have started implementing data privacy mandates as per the EU data protection law to protect the personally identifiable information (PII) they process. Even before 2016, several data protection Acts were in force in the USA. However, the European Union's GDPR is significantly different from those data privacy acts because of GDPR's aggressive mandates and restrictions on the organizations that collect and process the data of citizens of the European Union.
What is privacy? Privacy is not data privacy alone!
What is PII (Personally Identifiable Information)?
PII is any data that can identify an individual with a high degree of accuracy. For example, a person's name combined with their date of birth is PII. Similarly, address, email ID and phone number are PII. Apart from these, an individual's health information and political and religious beliefs are all declared as personal information and come under the purview of the EU GDPR regulation. GDPR is intended to protect the personally identifiable information of the citizens of the EU member states.
Since you have visited this website, your IP address is recorded in our web server logs, which can be used to identify you as a person. Hence IP addresses are also included in the definition of PII.


Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from start-ups to large enterprises.
GDPR Compliance for Indian companies
“... but we are a business entity incorporated in India. And, we do not have our business registered in the EU. So, we don’t need to be GDPR Compliant.”
It may sound logical that GDPR does not apply to Indian companies, at least to business entities that operate only from India, employ only Indian citizens, or have not registered a business entity in the European Union. However, the reality is different.
For Indian companies (or companies operating outside the European Union), even if they have no business presence in the EU but serve a client in the EU, GDPR compliance is necessary, as the regulation mandates.
The dilemma of whether GDPR compliance is needed for Indian companies can be resolved by answering the following questions:
Are you an Indian company with a business office in the European Union?
Are you an Indian company with a client anywhere in the world that does business with EU entities?
Are you an Indian company that processes personal data of EU citizens?
If you have answered yes to any of the above questions, then you need to hire a GDPR compliance consultant in India and may also need to create a Data Protection Officer (DPO) role in your organization. Does my company need to have a DPO? Understand the circumstances under which an Indian company needs to appoint a DPO.
Non-compliance with GDPR could have a devastating impact not just on businesses operating or having a presence in the European Union, but also on Indian companies that process the information of EU citizens.
GDPR impact on Indian companies
For Indian companies that do data processing for their customers (CRM, data analytics, data mining, big data and other SaaS/IT services firms), GDPR compliance has become a business development issue as much as a legal issue, since European businesses now want to confirm that their vendors are GDPR compliant too.
In the recent past, there has been a surge in vendor due diligence questionnaires being sent to Indian service providers to assess their ability to protect personal data as well as to benchmark their information security and business resilience processes. Indian businesses are looking for GDPR consulting because their new prospects or existing customers are now asking whether they are GDPR compliant.
The Indian mainstream media is already abuzz with news about the hardships being faced by Indian outsourcing companies that are not yet prepared for GDPR.
The unforeseen impact is felt by many functions of Indian companies.
Marketing managers of Indian companies are questioning if their teams can contact prospects in their marketing funnels and email lists.
Sales managers want to understand if their sales reps can do cold-calling to EU citizens.
HR teams are concerned about the personal information, in the form of resumes, that they hold from prospective employees in the EU region.
IT heads are worried about the type of access control and encryption mechanisms they need to have in place to comply with GDPR.
Legal counsels are worried about drafting new data processing addendums with standard contractual clauses.
Inspired by the EU GDPR, an Indian version of the privacy regulation, the Digital Personal Data Protection Act, 2023, has been passed. Becoming GDPR compliant is therefore beneficial in two ways, as the Indian DPDP Act aligns closely with the principles of GDPR.
If your website has visitors from the European Union, even though you have no business operations in the EU, your business is liable to pay penalties of up to 20 million Euro or up to 4% of your company's global turnover for non-compliance. It may sound too harsh, but that is what the regulation says. You can read Article 84 of GDPR, which discusses the penalties for non-compliance.
Our GDPR consultants can drive your Enterprise Risk Management
Looking for GDPR Compliance Consulting?
Bellwether has developed a world-class Data Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from start-ups to large enterprises.
Get in touch today to talk to a GDPR Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.
GDPR compliance requirements
GDPR compliance requirements are the mandates you have to comply with and the processes you have to adopt in your organization to help protect the personal data of individuals.
Before you hire a GDPR Consultant
Create Data privacy awareness
Creating awareness about the implications of data privacy among all internal and external stakeholders, i.e. employees, contractors, freelancers, vendors and business partners, is the first step towards GDPR compliance. The leadership team should understand the importance of data protection, and this has to be effectively communicated to the entire team via a top-down approach. Moreover, conducting data privacy training and awareness is mandated by GDPR under Article 47 and Article 39.
Conduct an in-house GDPR audit
Conducting an in-house data protection audit of all the systems processing personal data in your organization, including but not limited to how PII is generated, stored, transferred and shared, will give you a high-level overview of the potential untreated data risks.
This in-house audit report can be of great help when you prepare your RFP to share with GDPR consultants.
After you hire a GDPR Consultant
Gap analysis
A gap analysis is the first step in identifying what is non-compliant in your organization. Your GDPR consultant needs to interact with all the departments in your company to understand the current state of your privacy practices and to establish the benchmarks that must be met to move from non-compliance to compliance.
DPIA
A DPIA, or Data Protection Impact Assessment, is the process of identifying the risks to privacy and finding solutions to address them. A DPIA may not be needed for your organization if the data processing you do is simple and not inherently risky for the privacy of your data subjects.
Other GDPR compliance requirements
Several other requirements must be met to be GDPR compliant. A few of them are:
Identify lawful bases for processing (legitimate business interests, consent, etc.)
Document data flows (data flow mapping)
Inventory all the systems processing PII (Record of Processing Activities)
Anonymize PII both at rest and in transit
Design procedures for processing data subject access requests (DSARs)
Create a notice of privacy practices (in clear and concise language, without legal jargon)
Tweak your website (explicit consent for cookies, contact forms, etc.)
GDPR penalties
Lawsuits for violation of GDPR mandates are being filed against organizations of all sizes. Most notably, a few tech giants have faced GDPR legal suits for allegedly not complying with the European Union's privacy regulation.
An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed suits against Amazon, Apple, YouTube, Netflix, Spotify and three more tech companies, alleging that they have violated the terms of GDPR.
The French Data Protection Authority (CNIL) has imposed a series of penalties on Google in cases related to cookie consent. A penalty of 50 million Euros in 2019 (for non-compliant cookie processing) is just the tip of the iceberg.
The total penalties imposed for violation of GDPR mandates amount to a whopping EUR 5.88 billion (as of 2025)!
While the full GDPR compliance checklist is exhaustive and beyond the scope of this article, the following pointers will help you understand the basic requirements for compliance before outsourcing GDPR compliance to a GDPR consulting company.
Data Controller’s Checklist
If you are a Data Controller, then you might need to look into the following:
Conduct an audit on systems processing PII and map data flows.
Create an appropriate data protection policy.
Identify your lawful bases for processing and document the data you have collected from individuals.
Review how you ask for consent and record it thoroughly, in a way that can be retrieved and presented to European Union authorities / GDPR law enforcement officers when asked for.
Have internal systems to record and manage the ongoing consent of individuals, to be GDPR compliant.
If your business relies on consent to offer online services directly to children, have systems in place to manage it.
Most importantly, protect individuals' legitimate rights and interests and fulfil GDPR's mandates.
Pay the data protection fee to the ICO.
Data Processor’s Checklist
If you are a Data Processor, then you might need to look into the following:
Conduct an information audit to map data flows
Document the answers to the following personal data questions:
what data you hold
where it came from
who you share it with
what you do with it
Create a data protection policy
Nominate a Data Protection Officer
Communicate your data protection compliance commitment to your team
Understand the business impact of a personal data breach and have a contingency plan
Implement technical and organizational measures to integrate data protection into your processing activities
Provide data protection awareness training to all your employees
Appoint a representative within the EU (if applicable)
Set up processes to monitor and report any personal data breaches to your controller
Set up a process to respond to a controller’s request for information (arising from an individual's request to access their personal data)
Have processes to ensure personal data of individuals remains accurate and up-to-date
Have a process to securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the data controller
Have specific procedures to fulfil data controllers' requests to stop or cease the processing of specific personal data
Ensure your business can respond to a request from the controller to supply the personal data you process in electronic format
Create an information security policy supported by robust security processes.
GDPR compliance checklist
Understand your privacy risk.
Evaluate your data security processes.
Stay compliant.
Avoid penalties!