What Indian Firms Need to Know About GDPR Compliance It's extremely important for people doing business with European Union to know about GDPR and hence we elaborate on the subject

By Shaninder Singh Pahwa

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

graphicstock

Every organization in India that deals with, or has access to, personal data of EU residents is required to store and manage such data in compliance with the EU's General Data Protection Regulation (GDPR) which became effective since 25th May2018.

GDPR expands the definition of "personal data', which denotesany information relating to an individual who can be recognised directly or indirectly by identification numbers, location, and physical, genetic, economic or social identity.

GDPR Rights

GDPR assures EU residents privacy of their personal data stored within an organization. The regulation has extraterritorial scope mandating data storage entities outside the EU borders to be compliant. GDPR commissions organizations that possess data on EU residents to protect it; disclosure of which may cause these firms to face considerable penalties. Such organizations must also ensure that data is collected via valid legal approaches.

Impact on Service Providers

Given that many Indian entities render various types of service processes to entities registered in EU who provide access to personal data of EU residents, it is pertinent for such Indian organizations to be GDPR compliant.

Service providers likely impacted:

  • Chartered Accountants providing Personal Tax consulting to EU nationals and residents

  • Organizations performing Background Checks on EU nationals and residents

  • Law Firms working with direct clients, and law firms, based in the EU

  • Forensic investigators conducting fraud investigations on Indian subsidiaries of EU companies

  • Recruitment, HR and Payroll Consulting firms analysing personal data of EU residents

  • EU based consulting firms internally bidding and outsourcing contracts obtained in the EU to their Indian subsidiary/back office.

Keeping Data Safe

Indian organizations must revisit the terms of their contracts which allow them access to personal data of EU residents. Both awareness and vigilance will be necessary prerequisites to remain compliant with GDPR. Some options to mitigate breach of data:

  1. Stringent non-disclosure terms and strict confidentiality agreements with all senior employees is a must. Ideally these should be locked-in with their employment agreement.

  2. Employees should have access to such data in accordance with their assigned role and responsibilities. Sharing or providing access to information should be only on a need to know basis as at times critical personal information is shared with other employees or third-party vendors without realizing the consequences of such actions. Therefore, it is important to have in place back-to-back confidentiality agreements with all those with whom personal data of EU residents is to be shared.

  3. An organization must have an IT policy in place to further secure such data when an employee is serving his or her notice period, to have limited or no access.

  4. Ex-employees may attempt to access information by connecting with unsuspecting employees. Ensure that data confidentiality is stressed to all employees during attrition.

  5. Invest and maintain a reliable encrypted backup and storage system. Indian companies that control information about EU individuals must audit their data storage integrity, and archives access policies, while ensuring they have access to all necessary data when needed.

  6. Use of portable storage media must be prohibited unless critical but should be monitored and supervised. SD cards hold 512GB easily and are unnoticed.

  7. Random audit of data security procedures and processes may be undertaken to monitor system integrity, especially during change in the IT department or major migration of data or software.

  8. Lastly, regular training for employees to understand the scope of GDPR, what it entails and implications to the company, especially in case of non-compliance. Employees must be made aware of the consequences in the case of mishandling or mismanagement of digital data.

Indian organizations must provide comfort to EU clients that they're committed to complying with GDRP regulations and that data with them is securely stored, and data rights under GDPR are respected. These include an EU resident's right to:

  • withdraw consent for the use of their personal data at any time

  • access their personal data

  • know the nature of the data

  • To object concerning how the data is used.

GDPR Compliance

  • Map and Audit Data Flows

To remain GDPR compliant all entities in India, irrespective of their size, will need to take stock of the data they store about EU residents. To do this they must keep track of where and when they use such data. In the event an EU resident seeks information, pertaining to their personal data, its storage and purpose for which they said data is used, Indian firms must be able to share such information with ease, transparency and clarity.

  • Stronger Data Control and Collection

GDPR tightens the privileges of consent when acquiring data from customers. Indian companies falling within the ambit of GDPR may consider appointing a Chief Data Officer to manage how they receive, control, collect, store and archive data of EU residents.

  • Compliance with Local Indian Laws

Indian companies, while developing compliance to GDPR, must not ignore compliance with India's cyber laws too, for which Legal and IT will need to work together.

Opportunity

Although continuous efforts will be needed to remain GDPR compliant, SME's should view this as an opportunity rather than a hindrance. Being GDPR compliant provides a USP to a service provider differentiate itself and acquire more business from the EU.

Shaninder Singh Pahwa

COO, Alea Consulting

Mr Pahwa is the COO of Alea Consulting, India’s first home-grown Risk and Fraud Mitigation Consulting firm

 

Business Ideas

70 Small Business Ideas to Start in 2025

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2025.

Business News

JPMorgan Shuts Down Internal Message Board Comments After Employees React to Return-to-Office Mandate

Employees were given the option to leave comments about the RTO mandate with their first and last names on display — and they did not hold back.

News and Trends

Electric Vehicle Maker Euler Motors Secures USD 20 Mn to Transform Logistics Sector

The funding supports Euler Motors' mission to electrify India's commercial vehicle sector by scaling production, advancing next-gen EV R&D, and boosting growth of the Storm EV for logistics and e-commerce.

Business News

'Lawfare Needs to Stop': Elon Musk Responds to SEC Lawsuit Accusing Him of Underpaying for Twitter, Now X

The SEC alleged that Musk committed securities fraud in 2022 when buying Twitter.

Social Media

What to Do If TikTok Is Banned — Protect Your Brand With This 5-Step Action Plan

Here are some actionable strategies to help creators and entrepreneurs safeguard their brands from the potential TikTok ban.

Business News

A Company That Made $50M Selling Side Hustle Courses on AI Book Writing Is Under Federal Investigation

Publishing.com, which sells courses and tools for generating AI-written books, is under investigation for alleged aggressive sales tactics, according to a new report.