GDPR Compliance · India and UAE

GDPR Compliance for Indian Businesses

End-to-end implementation until your business is compliant with GDPR regulations. Your team stays focused on the business. We handle everything related to security compliance.

GDPR applies to your (Indian/UAE) business the moment you collect data from a user, customer or client in the EU. We implement your GDPR compliance programme end-to-end: lawful bases, consent architecture, data subject rights, Records of Processing Activities, breach notification, and EU Representative arrangements where required.

GDPR is extraterritorial. It applies to all organisations that process personal data of individuals in the EU, regardless of where the organisation itself is located. Examples: an Indian SaaS company with users in Germany is subject to GDPR; an Indian BPO processing EU customer records is subject to GDPR; an Indian exporter with EU buyer contact data is subject to GDPR. The location of the data subject (i.e., within the EU) is what matters. The following fines apply for violations:

  • €20M or 4% of global annual turnover - whichever is higher - for the most serious violations
  • €10M or 2% of global annual turnover for lower-tier violations, including inadequate security measures
  • 72 hours - the maximum time to notify the supervisory authority after becoming aware of a personal data breach

If your enterprise client is asking, you may already be in scope

EU enterprise clients, procurement teams, and legal teams have started to include GDPR compliance evidence in their vendor questionnaires.

SaaS Companies with EU Users

Any SaaS platform that allows EU residents to register, sign up, or use the service - even for free - is processing EU personal data and is therefore subject to GDPR. This includes Indian SaaS companies targeting the global market, B2B platforms used by EU companies, and any product with a self-serve signup available to EU residents. EU enterprise clients will verify your GDPR compliance before signing a data processing agreement.

IT Services and BPO Processing EU Client Data

Indian IT services firms, BPOs, and KPO companies that process personal data on behalf of EU clients operate as Data Processors under GDPR. Your EU client - the Data Controller - is legally required to ensure that you (their processor) comply with GDPR. A Data Processing Agreement (DPA) between you and your EU client is mandatory. Without GDPR compliance, you cannot sign a compliant DPA - and without a DPA, your EU client may be forced to terminate the engagement.

Fintech and Healthcare Serving EU Markets

Indian fintech platforms processing EU payment data, EU insurance clients, or EU-resident user financial records handle data under GDPR's financial and sensitive data provisions. Indian healthtech companies - telemedicine, health data platforms, clinical research organisations - processing EU patient or health data face GDPR's Article 9 special category provisions, which impose significantly stricter requirements than standard personal data processing.

Manufacturing Exporters and B2B Traders

Indian manufacturing exporters collecting EU buyer contact details, purchase history, and communication records are processing personal data. EU distributors, procurement teams, and sales contacts are data subjects under GDPR. The volume may be smaller than a SaaS platform's user base - but the obligation is the same. EU enterprise buyers increasingly require supplier GDPR compliance as part of their own third-party risk management frameworks.

Businesses with active GDPR exposure

  • SaaS and Software
  • IT Services and BPO
  • Fintech and Payments
  • Healthcare and MedTech
  • Clinical Research Orgs
  • Manufacturing Exporters
  • E-commerce (EU customers)
  • EdTech (EU students)
  • HR Tech (EU employees)
  • Legal Services

What GDPR actually means for your business

GDPR is built on seven principles and a set of operational obligations. Here is what each means in practice.

(this is a bit technical)

01

Lawfulness, Fairness, Transparency

Processing must have a legal basis and be conducted openly. Data subjects must know what you are doing with their data and why

02

Purpose Limitation

Data collected for one specific purpose cannot be used for another. Every processing activity must have a documented, defined purpose

03

Data Minimisation

Collect only what is necessary. If your forms, CRM, or product collect more data than the purpose requires, that excess collection is a violation

04

Accuracy

Personal data must be accurate and kept up to date. You need a process for data subjects to correct inaccurate data, and for you to identify and update stale records

05

Storage Limitation

Data must not be kept longer than necessary. A documented retention schedule with automated or procedural deletion is required. A policy that merely says "we delete when no longer needed" does not satisfy this requirement.

06

Integrity and Confidentiality

Appropriate technical and organisational security measures must protect personal data. This is where ISO 27001 becomes the strongest evidence of GDPR security compliance

A

Lawful Basis for Every Processing Activity

GDPR recognises six lawful bases for processing - consent, contract, legal obligation, vital interests, public task, and legitimate interests. Every single processing activity in your business must be mapped to one of these. Consent is often not the most appropriate basis and is the most easily invalidated. We select the correct basis for each activity and document it in your Records of Processing Activities (ROPA)

B

Records of Processing Activities (ROPA)

Article 30 of GDPR requires most organisations to maintain a written record of all processing activities - what data is collected, for what purpose, who has access, where it is stored, how long it is retained, and which third parties it is shared with. The ROPA is the document a Data Protection Authority requests first in any investigation. A missing or incomplete ROPA is itself a violation

C

Privacy Notice and Consent Mechanism

Your privacy notice must be written in plain, clear language - no legal boilerplate - and must cover all processing activities. Where consent is your lawful basis, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and implied consent are not valid under GDPR. Consent must be as easy to withdraw as it was to give

D

Data Subject Rights Fulfilment

EU residents have eight rights under GDPR: access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making. Each must have an operational process behind it. You must respond to access requests within one month. A GDPR policy that does not have functioning processes to back it up is not compliance - it is documentation theatre.

E

Data Processing Agreements

If you are a Data Processor (you process personal data on behalf of an EU controller), you must sign a GDPR-compliant Data Processing Agreement. If you share personal data with third-party vendors - cloud providers, analytics tools, payment processors, CRMs - you must have DPAs in place with each of them. Missing DPAs are a common GDPR audit finding and a dealbreaker for EU enterprise clients

F

Data Protection Impact Assessments (DPIA)

High-risk processing activities - large-scale profiling, systematic monitoring, processing of special category data, or new technologies with significant privacy impact - require a documented DPIA before processing begins. Most Indian technology companies processing EU data at scale should have completed at least one DPIA. The absence of DPIAs is regularly cited in DPA investigation findings

G

Breach Notification - 72 Hours

A personal data breach affecting EU residents must be notified to the relevant supervisory authority within 72 hours of becoming aware of it. Notification to affected data subjects is required where the breach is likely to result in high risk to their rights and freedoms. This is not a voluntary reporting standard - it is a legal deadline with non-compliance fines. The 72-hour limit requires a breach detection and escalation process to already exist

H

EU Representative (if required)

Non-EU organisations subject to GDPR must appoint an EU Representative in writing unless they qualify for a narrow exemption. The EU Representative is the point of contact for EU supervisory authorities and for data subjects exercising their rights. Failure to appoint an EU Representative when required is itself a violation. We advise on whether this applies to your organisation and refer you to appropriate EU Representative services

Where GDPR and India's DPDP Act overlap

  • Lawful basis for processing personal data
  • Consent mechanism design and withdrawal
  • Data subject / data principal rights fulfilment
  • Purpose limitation and data minimisation
  • Breach notification obligations
  • Vendor and processor obligations
  • Data retention and deletion

Where they diverge - both must be met independently

  • GDPR: EU supervisory authority notification (72 hrs) - DPDP: Data Protection Board of India notification
  • GDPR: Eight data subject rights - DPDP: Four data principal rights
  • GDPR: EU Representative requirement - no DPDP equivalent
  • GDPR: DPIA requirements - DPDP: DPIA for Significant Data Fiduciaries
  • GDPR: Six lawful bases - DPDP: Two primary bases (consent + legitimate use)
  • Fine structure and enforcement authority differ entirely

The Data Privacy Pack

GDPR does not stand alone in our service architecture. It is delivered as part of the Data Privacy Pack - alongside HIPAA and UAE PDPL - because businesses with GDPR exposure almost always have at least one of the others as well.

Data Privacy Pack (bolt-on to any base plan)

  • GDPR (this page): EU General Data Protection Regulation. Applies to any business processing personal data of EU residents
  • HIPAA (also included): US Health Insurance Portability and Accountability Act. Applies to businesses handling US patient health information
  • UAE PDPL (also included): UAE Personal Data Protection Law. Applies to businesses operating in or serving customers in the UAE

Why these three together: Indian businesses targeting international markets frequently encounter all three simultaneously. A single product can have EU users (GDPR), US healthcare clients (HIPAA), and UAE enterprise customers (UAE PDPL). Building three separate compliance programmes is significantly more expensive than one integrated programme with three frameworks. The Data Privacy Pack is designed for exactly this profile.

From first assessment to a demonstrably compliant programme

Phase 1

Data Mapping and Applicability Assessment

We map every category of EU personal data your business collects or processes, identify every system where it resides, and confirm the full scope of your GDPR obligations, including whether an EU Representative is required. Most businesses are surprised by how many processing activities exist that were never formally documented.

Phase 2

Lawful Basis and Consent Architecture

We assign the correct lawful basis to each processing activity, design your consent mechanism where consent is applicable, audit your existing consent records for validity, and document your legitimate interests assessments where that basis is used. We do not default everything to consent - that is the most common and costly GDPR mistake.

Phase 3

ROPA, DPIA, and Policy Documentation

We produce your complete Records of Processing Activities, conduct Data Protection Impact Assessments for high-risk processing, write your privacy notice in compliant plain language, and document all required policies. Every document is specific to the needs of your organisation.

Phase 4

Rights Fulfilment and DPA Implementation

We build the operational processes for responding to data subject rights requests - access, erasure, portability, rectification, and objection - with response workflows, templates, and evidence trails. We also review and update your data processing agreements with EU clients and your sub-processor agreements with vendors.

Phase 5

Ongoing Monitoring and Data Protection Authority Readiness

GDPR compliance is not a project with an end date. We monitor for regulatory guidance updates, European Data Protection Board decisions, and changes to EU adequacy decisions affecting data transfers. If a Data Protection Authority contacts your organisation, you have a documented compliance record and an operational programme.

On GDPR and ISO 27001: Article 32 of GDPR requires "appropriate technical and organisational measures" to protect personal data. ISO 27001 certification from an independent body is the most credible evidence of this requirement being met. Our Leader plan combines ISO 27001 + DPDP, and the Data Privacy Pack adds GDPR, HIPAA, and UAE PDPL on top.

GDPR compliance plans for your business

Added onto a base Starter or Leader subscription. The Data Privacy Pack is a bolt-on add-on that includes GDPR + HIPAA + UAE PDPL.

Components:

  • Base pack: Starter - DPDP and [ISO 27001 or SOC 2 Type 1 or SOC 2 Type 2]
  • Base pack: Leader - DPDP + ISO 27001 + SOC 2 Type 1 or 2 (recommended)
  • Data Privacy Add-on Pack - GDPR + HIPAA + UAE PDPL implementation and maintenance

There is no GDPR certificate. Demonstrable compliance is built through documentation, processes, and operational evidence. You pay Cyber Commandos for implementation and ongoing maintenance.

  • Big Four: ₹1Cr+ annual minimum - reports only; no implementation; no guarantee
  • Cyber Commandos: cost-optimized, end-to-end implementation


We build a functioning compliance programme

  • Complete data mapping of all EU personal data processing activities across your systems
  • Lawful basis assessment and documentation for every processing activity
  • Consent mechanism design, implementation, and withdrawal architecture
  • Records of Processing Activities (ROPA) - complete and maintained
  • Privacy notice written to GDPR's plain language and content requirements
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Data subject rights fulfilment - operational processes, not just policy text
  • Data Processing Agreements with EU clients and sub-processor agreements with vendors
  • 72-hour breach notification procedure - detection, escalation, and supervisory authority notification process
  • EU Representative advisory and referral where required
  • Ongoing regulatory monitoring - EDPB guidance, DPA decisions, adequacy agreement changes

Is there a GDPR certificate?

GDPR does not have a widely operational certification scheme equivalent to ISO 27001. Article 42 of GDPR references certification mechanisms - but these are not yet standardised across the EU. GDPR compliance is demonstrated through documented policies, operational processes, ROPA, and evidence of data subject rights fulfilment. ISO 27001 certification is currently the most credible independent attestation of GDPR's security requirements under Article 32.

What other firms deliver

A privacy policy pasted onto your website. A ROPA template handed over without population. A legal review of documents that does not build the operational processes required to fulfil data subject rights requests. And an invoice for their time with no ongoing relationship.

When a DPA investigation starts, you need a functioning programme - not documents. We build and implement the programme.


When your EU client asks about GDPR, you'll be ready

Start with the free 15-minute gap analysis. You receive your readiness report by email, and we can take it from there.
