Print this page

General Data Protection Regulation (GDPR): How will EU data privacy law affect Indian companies & individuals?

Written by Ritwik Ruia Thursday, 07 June 2018 08:56

With the General Data Protection Regulation (GDPR) coming into effect on the 25th of May 2018 in the European Union, many Indian startups and enterprises have been left wondering whether General Data Protection Regulation (GDPR) is going to have any impact on organisations outside European Union(EU). Here’s a brief guide to GDPR’s effect on Indian origin websites, applications and companies in general.

General Data Protection Regulation

What is GDPR & what does it do?

The General Data Protection Regulation (GDPR) is designed to give citizens in the European Union (EU) more rights to control their personal information and holds companies handling their data - wherever they may be or regardless of where the data is processed - liable for violations. The bottom line is clear — an organization comes under the purview of GDPR guidelines if it offers services to EU-based customers or mines their personal data. Non-compliance will cost the organization/company a fortune, with the highest penalty being 20 million Euros or 4% of annual turnover — whichever is greater.

How does GDPR effect

(a) businesses that operate in India:


Indian businesses that manage IT processes for their European clients will naturally have access to a variety of data, including personal data, which brings Indian enterprises under the purview of the GPDR & makes it mandatory for them to implement data privacy and security frameworks compliant with the outlined regulations under GDPR.

The business function impacted the most by GDPR is marketing. With the GDPR in effect, marketing through email to EU citizens without their explicit permission will become a thing of the past.

Under GDPR, businesses will need to obtain clear & explicit consent from every consumer by way of ‘opt-in’ messaging. This consent is needed at the point of data collection, and the consumer should also have the right to request it to be deleted or “forgotten” at any given time. The new regulation will also empower the consumers to have the right to know how and to what end personal data will be used for by a business. GDPR is also expected to completely transform Digital marketing.

(b) individuals located in India?


In the effort to update privacy policies and comply with GDPR, businesses around the world (including India) have decided not to limit these changes only to their EU based users.

In the interests of pragmatism, administrative ease and the chance to appear ethical, businesses are making these safeguards available globally, rather than adopting country-specific policies. This has resulted in Indian nationals enjoying safeguards and controls with respect to their personal data that were previously not available to them under Indian data privacy laws.

That said, it is important to note that these privileges are only available to Indian nationals under contract and they will not be able to seek protection under GDPR. Hence, any enforcement or claim for breach will definitely be under contract and, to the extent available, under Indian data privacy laws.


According to a Deloitte survey conducted in collaboration with the Data Security Council of India (DSCI), large organisations with more than 10,000 employees (21% of respondents), embarked on their GDPR readiness journey in 2016 itself.

Whereas 43% of organisations started their GDPR readiness journey only in late 2017 or early 2018, the results showed.

Last modified on Tuesday, 09 June 2020 14:20