What Indian Firms Need to Know About GDPR Compliance It's extremely important for people doing business with European Union to know about GDPR and hence we elaborate on the subject

By Shaninder Singh Pahwa

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.


Every organization in India that deals with, or has access to, personal data of EU residents is required to store and manage such data in compliance with the EU's General Data Protection Regulation (GDPR) which became effective since 25th May2018.

GDPR expands the definition of "personal data', which denotesany information relating to an individual who can be recognised directly or indirectly by identification numbers, location, and physical, genetic, economic or social identity.

GDPR Rights

GDPR assures EU residents privacy of their personal data stored within an organization. The regulation has extraterritorial scope mandating data storage entities outside the EU borders to be compliant. GDPR commissions organizations that possess data on EU residents to protect it; disclosure of which may cause these firms to face considerable penalties. Such organizations must also ensure that data is collected via valid legal approaches.

Impact on Service Providers

Given that many Indian entities render various types of service processes to entities registered in EU who provide access to personal data of EU residents, it is pertinent for such Indian organizations to be GDPR compliant.

Service providers likely impacted:

  • Chartered Accountants providing Personal Tax consulting to EU nationals and residents

  • Organizations performing Background Checks on EU nationals and residents

  • Law Firms working with direct clients, and law firms, based in the EU

  • Forensic investigators conducting fraud investigations on Indian subsidiaries of EU companies

  • Recruitment, HR and Payroll Consulting firms analysing personal data of EU residents

  • EU based consulting firms internally bidding and outsourcing contracts obtained in the EU to their Indian subsidiary/back office.

Keeping Data Safe

Indian organizations must revisit the terms of their contracts which allow them access to personal data of EU residents. Both awareness and vigilance will be necessary prerequisites to remain compliant with GDPR. Some options to mitigate breach of data:

  1. Stringent non-disclosure terms and strict confidentiality agreements with all senior employees is a must. Ideally these should be locked-in with their employment agreement.

  2. Employees should have access to such data in accordance with their assigned role and responsibilities. Sharing or providing access to information should be only on a need to know basis as at times critical personal information is shared with other employees or third-party vendors without realizing the consequences of such actions. Therefore, it is important to have in place back-to-back confidentiality agreements with all those with whom personal data of EU residents is to be shared.

  3. An organization must have an IT policy in place to further secure such data when an employee is serving his or her notice period, to have limited or no access.

  4. Ex-employees may attempt to access information by connecting with unsuspecting employees. Ensure that data confidentiality is stressed to all employees during attrition.

  5. Invest and maintain a reliable encrypted backup and storage system. Indian companies that control information about EU individuals must audit their data storage integrity, and archives access policies, while ensuring they have access to all necessary data when needed.

  6. Use of portable storage media must be prohibited unless critical but should be monitored and supervised. SD cards hold 512GB easily and are unnoticed.

  7. Random audit of data security procedures and processes may be undertaken to monitor system integrity, especially during change in the IT department or major migration of data or software.

  8. Lastly, regular training for employees to understand the scope of GDPR, what it entails and implications to the company, especially in case of non-compliance. Employees must be made aware of the consequences in the case of mishandling or mismanagement of digital data.

Indian organizations must provide comfort to EU clients that they're committed to complying with GDRP regulations and that data with them is securely stored, and data rights under GDPR are respected. These include an EU resident's right to:

  • withdraw consent for the use of their personal data at any time

  • access their personal data

  • know the nature of the data

  • To object concerning how the data is used.

GDPR Compliance

  • Map and Audit Data Flows

To remain GDPR compliant all entities in India, irrespective of their size, will need to take stock of the data they store about EU residents. To do this they must keep track of where and when they use such data. In the event an EU resident seeks information, pertaining to their personal data, its storage and purpose for which they said data is used, Indian firms must be able to share such information with ease, transparency and clarity.

  • Stronger Data Control and Collection

GDPR tightens the privileges of consent when acquiring data from customers. Indian companies falling within the ambit of GDPR may consider appointing a Chief Data Officer to manage how they receive, control, collect, store and archive data of EU residents.

  • Compliance with Local Indian Laws

Indian companies, while developing compliance to GDPR, must not ignore compliance with India's cyber laws too, for which Legal and IT will need to work together.


Although continuous efforts will be needed to remain GDPR compliant, SME's should view this as an opportunity rather than a hindrance. Being GDPR compliant provides a USP to a service provider differentiate itself and acquire more business from the EU.

Shaninder Singh Pahwa

COO, Alea Consulting

Mr Pahwa is the COO of Alea Consulting, India’s first home-grown Risk and Fraud Mitigation Consulting firm


Related Topics

Business Plans

How You Can Use the 80/20 Rule to Unlock Success and Maximize Your Impact

Our success is determined by where we focus our efforts.

Business News

This Influencer Has Nearly 150,000 Instagram Followers and Makes Over $10,000 a Month. There's Just One Catch—She's Not Real.

Aitana López has over 149,000 Instagram followers and brands love her. Is she the future of social media marketing?

Buy a Franchise

Learn the Secrets of Running 20+ Businesses as a Side Hustle — Finding and Nurturing Your 'STIC People'

Explore the critical importance of choosing the right franchise manager and the innovative 'STIC' approach.

News and Trends

upGrad In FY 23 Doubles Revenue - Loss Remains The Same

One of Asia's largest integrated learning, skilling & workforce development majors upGrad moved to the widely accepted IndAS accounting standard in line with its longer-term listing plans.

Business Ideas

55 Small Business Ideas to Start in 2023

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2023.

Business News

Can't Find a Place on Airbnb? The New 'Black Market' Has You Covered.

Tightening regulations on short-term rentals in NYC has led to a shadow market for Airbnb alternatives.