GDPR
Achieve and maintain GDPR compliance with practical controls that satisfy both regulators and enterprise clients.
GDPR Compliance: The Regulation That Redefined Global Data Protection
The General Data Protection Regulation (GDPR), applicable since 25 May 2018, remains the most consequential data protection law in the world. It set the template that most subsequent privacy laws, including DPDPA, LGPD, POPIA and CCPA, have drawn on. With cumulative fines exceeding EUR 4 billion, including individual penalties in the hundreds of millions, and enforcement actions increasingly targeting non-EU organisations, GDPR compliance is not only a European concern: it is a global business requirement for any organisation that processes the personal data of people in the EU.
Extraterritorial reach — who GDPR actually applies to
GDPR applies to any organisation established in the EU/EEA, and to any organisation outside it that offers goods or services to people in the EU/EEA or monitors their behaviour, regardless of where that organisation is based. In practice this covers Indian IT services companies processing data for European clients, Gulf-based businesses with European customers or employees, US SaaS companies with European users, any organisation whose website is aimed at EU residents and collects personal data through forms, cookies, or analytics, and any employer with staff located in EU/EEA member states.
The regulation does not require a physical presence in Europe. If you offer goods or services to people in the EU (even for free) or monitor their behaviour (including through website analytics or ad tracking), you are within scope. A website that is merely reachable from Europe is not in scope on its own; deliberately targeting EU users (local language, euro pricing, shipping to EU addresses, EU-specific marketing) or tracking them is.
The six lawful bases
Every processing activity must have a documented lawful basis. GDPR provides six: consent (freely given, specific, informed, and unambiguous), contract (processing necessary to perform a contract with the individual), legal obligation (processing required by EU or member state law), vital interests (protecting someone’s life), public task (processing necessary for official functions), and legitimate interests (the controller’s interests, balanced against the individual’s rights).
Choosing the correct lawful basis is not a formality. It determines what rights individuals have (the right to data portability, for example, applies only to processing based on consent or contract), what transparency obligations apply, and how the processing must be documented. Organisations that default to consent for everything often create operational problems because consent can be withdrawn at any time, and there is no falling back to another basis afterwards, so processing that the business depends on can become unlawful overnight.
Key compliance obligations
Records of Processing Activities (RoPA): Controllers must maintain records of all processing activities, including purposes, data categories, recipients, retention periods, and security measures; processors keep a lighter record of the processing they carry out for each controller. The exemption for organisations with fewer than 250 employees rarely applies in practice, because it falls away as soon as processing is more than occasional, is likely to pose a risk to individuals, or involves special category data. The RoPA is the operational backbone of a GDPR programme and is typically the first document a supervisory authority requests during an investigation.
Data Protection Impact Assessments (DPIAs): Required for processing that is likely to result in a high risk to individuals, including large-scale profiling, systematic monitoring of public areas, and large-scale processing of special category data. A DPIA must describe the processing, assess necessity and proportionality, evaluate risks, and identify mitigation measures. If a high residual risk remains after mitigation, the controller must consult the supervisory authority before starting the processing.
Data subject rights: Individuals have the right to access their data, rectify inaccuracies, request erasure, restrict processing, receive their data in a portable format, object to processing, and not be subject to solely automated decisions that produce legal or similarly significant effects. You must respond within one month of receiving a request, extendable by a further two months for complex or numerous requests, and the individual must be told about the extension within the first month. These rights require operational processes (intake, identity verification, data location, redaction of third-party data), not just policy statements.
International data transfers: Transferring personal data outside the EEA requires a valid transfer mechanism. Following the Schrems II decision, Standard Contractual Clauses (SCCs) remain the most widely used mechanism, but they must be accompanied by a Transfer Impact Assessment evaluating the legal framework of the recipient country and any supplementary measures (such as encryption with keys held only in the EEA) needed to close the gap. Adequacy decisions (including the EU-US Data Privacy Framework for certified US organisations), Binding Corporate Rules, and derogations provide alternative pathways for specific situations.
Breach notification: Controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a late notification must be accompanied by reasons for the delay. If the breach poses a high risk, affected individuals must also be notified without undue delay. Processors must notify their controller without undue delay, so processor contracts should set a concrete internal deadline. The 72-hour timeline begins when the controller becomes aware of the breach, not when the investigation is complete, and the regulation allows notification in phases, so preparation and rehearsal are essential.
Data Protection Officer: Organisations must appoint a DPO if they are a public authority, if their core activities involve regular and systematic monitoring of individuals at large scale, or if their core activities involve large-scale processing of sensitive data. Even when not mandatory, appointing a DPO or privacy lead provides a clear point of accountability.
How we help
We implement GDPR compliance programmes that are built for regulatory scrutiny, not just internal comfort. Our process begins with a comprehensive gap assessment, followed by RoPA development, lawful basis mapping, DPIA framework implementation, data subject rights workflow design, international transfer analysis, vendor agreement review, breach response planning, and staff training. For organisations that also need to comply with DPDPA, CCPA, or other regulations, we design unified programmes that eliminate duplication.
What GDPR gives your business
Enforcement protection: a documented, operational GDPR programme demonstrates accountability under Article 5(2) and reduces both the likelihood of enforcement action and the severity of any penalty.
European market access: GDPR compliance is a prerequisite for doing business with EU enterprise clients, who increasingly require documented compliance from their vendors and processors.
Cross-border data flow enablement: properly implemented transfer mechanisms allow you to move data between jurisdictions without legal uncertainty or operational disruption.
Reduced breach impact: a tested 72-hour notification process and documented incident response plan limit regulatory exposure and reputational damage when breaches occur.
Foundation for global privacy: GDPR compliance provides the most comprehensive privacy baseline, making it significantly easier and cheaper to comply with DPDPA, LGPD, CCPA, and other laws.
We are an Indian company with no office in Europe. Does GDPR apply to us?
What are the maximum GDPR fines?
Can we rely on consent for all our data processing?
Do we need a Data Protection Officer?
Start your GDPR journey today.
Every engagement begins with a free discovery call. No commitments, no pressure — just a clear picture of where you stand.
Other Services
SOC 2 Type I & II: Demonstrate security and reliability with the Trust Services Criteria.
ISO/IEC 27001:2022: Build a certified ISMS that satisfies enterprise clients, regulators, and procurement teams worldwide.
AI Governance (ISO/IEC 42001): Govern AI responsibly with the world's first international standard for AI Management Systems.