Understanding General Data Protection Regulation (GDPR) for Businesses

The implementation of the General Data Protection Regulation (“EU GDPR”) in May 2018 in the European Union (“EU”) brought about new regulations to protect and control the usage and processing of personal information of European residents.

The EU GDPR principles aim to harmonize data privacy laws across all member countries and regulate how businesses process and collect personal information of EU residents that interact with such businesses. These principles include lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Businesses that attract EU visitors must comply with the EU GDPR, even if they do not sell their goods or services to EU residents. The regulation becomes applicable any time a company stores or processes personal information about EU residents within the EU nations.

The GDPR legislation defines several roles responsible for ensuring compliance with the provisions thereof such as (a) the Data Controller; (b) the Data Processor; and (c) Data Protection Officer (“DPO”). The Data Controller dictates how the personal data will be processed and is responsible for ensuring outside contractors comply with EU GDPR. Meanwhile, the Data Processor is responsible for processing data that may be outsourced to them. The GDPR holds processors and controllers liable for breaches or non-compliance.

Companies must have a DPO if they: (a) process or store large amounts of EU residents’ data; (b) process or store special personal data; (c) regularly monitor data subjects; or (d) are a public authority. The GDPR calls for the designation of a DPO to oversee data security strategy and GDPR compliance.

Indian companies must comply with guidelines laid out by the EU GDPR regarding the processing, usage, and collection of personal data of EU residents. Personal data must be obtained for specific, explicit, and legitimate purposes, and not be processed for anything other than those purposes. The data must be adequate, accurate, and relevant to the purposes for which it is processed. The entities collecting such data shall also ensure that it is kept/stored for no longer than is necessary.

According to the EU GDPR, “personal data” shall consist of information relating to an identifiable natural person, and the same could be personally identifiable in nature. It also mandates that entities collecting personal data of EU residents adopt internal policies and implement appropriate technical and organizational measures that meet the principles of data protection by design and default. These measures could include: (a) minimizing personal data processing; (b) enabling data monitoring by the data subject; (c) transparency with regard to the functions and processing of personal data; and (d) enabling the data controller to create and improve security features.

If the processing has multiple purposes, the entities shall obtain consent from the data subjects for all of them. Obtaining consent should be specific, informed, and unambiguous, and not through means like pre-ticked boxes or inactivity. The data controller must appoint processors who provide guarantees to implement appropriate technical and organizational measures that comply with the EU GDPR.

Entities must maintain various policies and procedures, including (a) the General Data Protection Policy; (b) the Data Subject Access Rights Procedure; (c) the Data Retention Policy; (d) Data Breach Escalation and Checklist; (e) Employee Privacy Policy and Notice; (f) Processing Customer Data Policy; (g) Guidance on Privacy Notes; and (h) Privacy Policy and Terms of Use for websites and applications.

In case of data breaches, the Data Controller must report to the supervisory authority within 72 hours of becoming aware of it. The organization’s privacy policy should state that data subjects should be informed of data breaches without any unreasonable delay.

Employees who handle personal data of either customers or other employees must be trained to handle the same in compliance with the EU GDPR.

Indian companies must comply with EU GDPR to ensure that personal data is processed in a lawful, transparent and fair manner. By complying with EU GDPR, Indian companies will not only be able to protect their customers’ personal data, but they’ll also be able to maintain transparency and accountability in their operations.

FAQs about GDPR

1. Are Indian companies required to comply with EU GDPR regulations?

Yes, Indian companies that process or store personal data of EU residents within the EU nations must comply with EU GDPR obligations.

2. What is the definition of “personal data” under GDPR?

Personal data under GDPR is any information related to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier (which could include the person’s name, identification number, location, etc.).

3. What measures should Indian companies adopt to comply with EU GDPR?

Indian companies should adopt internal policies and implement appropriate technical and organizational measures that meet the EU GDPR requirements. These measures could include: (a) minimizing personal data processing; (b) enabling data monitoring by the data subject; (c) transparency with regard to the functions and processing of personal data; and (d) enabling the data controller to create and improve security features.

4. What is the procedure for reporting data breaches under the EU GDPR by Indian companies?

In case of data breaches, the Data Controller must report to the supervisory authority within 72 hours of becoming aware of it. The organization’s privacy policy should state that data subjects should be informed of data breaches without any unreasonable delay.

5. What kind of employee training is required to comply with EU GDPR?

Employees who handle personal data of customers or other employees must be trained to manage the same in compliance with EU GDPR and adopt the requisite measures to ensure that the data is protected and processed in a fair and transparent manner.