Make your company compliant with the General Data Protection Regulation

The GDPR was introduced to protect the personal data of EU citizens

Update your data protection policy and become GDPR compliant

GDPR compliance has been mandatory since 25th May 2018

Connect with us. Our GDPR experts are here to assist you.

Talk to a lawyer now!


The General Data Protection Regulation (GDPR) is a new set of rules formulated by the European Union to give people more control over how organisations use their personal data.

The GDPR carries provisions that require businesses to protect the personal data and privacy of the citizens of the European Union (EU) for transactions that occur within EU member states, as well as provisions for regulating the export of personal data outside the EU.

The GDPR also introduces penalties for organizations that violate the rules as well as remedies for those that suffer data breaches.


The GDPR applies to any company with more than 250 employees that stores or processes personal information about EU citizens. It also applies to Indian companies that handle the data of EU citizens.

The Regulation also applies to companies with fewer than 250 employees if their data processing impacts the rights and freedoms of data subjects, or involves certain types of sensitive personal data.


To become GDPR compliant, companies are required to undertake the following obligations:

1. Ensure Data Security: Organisations have to make sure that the data they handle is safeguarded from additional processing. The organisation is obliged to put in place effective technical and organisational security measures to protect personal data from unauthorised use, loss, damage or alteration.

2. Data Control: Organisations must ensure data accuracy and integrity, implement data security practices and minimise the risk of data theft.

3. Data Breach: As a company you must have a system for handling personal data breaches. Implement appropriate measures to minimise the loss, and notify the public authority of such a breach within 72 hours.


If a company is not compliant with the GDPR after 25th May 2018, a heavy penalty of up to EUR 20 million (around INR 140 crore) or 4% of total worldwide annual turnover, whichever is higher, can be imposed on the non-compliant company.


1. First, we will evaluate the gaps between your present data protection compliance policy and the requirements under the GDPR.

2. Based on that, we will design a strategy for your company to comply with the GDPR.

3. Facilitate the creation of mechanisms for ensuring data protection by reviewing third-party contracts, and develop an accountability framework for the same.

4. Create an operational structure for complying with data protection regulation.

5. Carry out periodic risk assessments and take steps to minimise your risk.


Nationwide Presence

LawRato is one of India's largest online platforms, with a network of over 50k lawyers on board across 700+ cities.

Consult a Cyber Law Expert

Use LawRato to hire a top-rated cyber law expert in India to comply with the General Data Protection Regulation.

Hassle-free

Doing business is tough, but being compliant with the law is a must. LawRato makes your firm GDPR compliant while you make profits!


“Good things don’t come cheap” need not always be true. At LawRato we believe that following the law should not be expensive.

Additional Legal Support

Require further legal assistance? LawRato is India's leading lawyer search platform, helping 15 Lac users every month in all areas of law.


What you see is what you get! No hidden or additional charges. Get transparent quotes with LawRato.



Frequently Asked Questions

What is considered personal data under the GDPR?

Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address or location, and also to online identifiers like an IP address, website cookies and other device identifiers.

For example: support tickets carrying personal data such as name, location and social identity, held to record and resolve an individual's support requests; or CRM software collecting online identifiers to learn about prospect activity on the company website or product.

When will the GDPR come into effect?

The General Data Protection Regulation will come into effect on 25th April, 2018. Any organisation that does not comply with the provisions of this regulation will have to pay hefty fines.

What type of data does the GDPR apply to?

The GDPR, like the Data Protection Act, 1998, applies to personal data. As per the regulation, personal data is "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” Online identifiers like IP addresses will also be classified as personal data. The regulation also defines sensitive personal data as "special categories of personal data which uniquely identify a person." This includes genetic data and biometric data.

What are the compliance requirements for organisations under the GDPR?

Organisations must ensure that personal data is:

- Handled lawfully, fairly and in a transparent manner

- Collected and used only for specified and legitimate purposes

- Held only for as long as absolutely necessary and no longer

- Adequate, relevant and limited to what is necessary

- Accurate and kept up to date

- Held and processed in a manner that ensures appropriate security of the personal data

When do organisations have to appoint a Data Protection Officer (DPO)?

As per the regulation, it is not mandatory for all companies to appoint a DPO. A company is required to appoint a DPO if:

- It is a public authority

- It handles the data of individuals on a large scale

Despite this, any organisation is free to appoint a DPO if it wishes. However, even if a company chooses not to appoint a DPO because the above does not apply to it, it must still ensure that it has sufficient staff and skills in place to carry out its obligations under the GDPR.

Does the GDPR only apply to European Union countries?

No. It applies to organisations in all countries, whether or not they are part of the European Union, whenever they use the personal data of European citizens.

What is meant by large-scale processing?

Large-scale processing is not defined under the GDPR. Data is said to be processed at large scale where the processing handles a wide range or large volume of personal data, takes place over a large geographical area, affects a large number of individuals, or is extensive or has long-lasting effects.

What is the difference between a data processor and a data controller?

Under the GDPR, a data controller is distinct from a data processor. A controller determines the purposes and means of processing personal data. A data processor, on the other hand, processes personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

How does complying with the GDPR benefit your business?

There are several benefits for organisations that comply with the GDPR:

1. It improves and strengthens cyber security: in this digital era, companies cannot afford the risk of ignoring cyber security, nor can they afford to lose critical data.

2. It leads to stronger collaboration across business units: GDPR-regulated data can flow throughout all aspects of an organisation, from finance to marketing, customer success teams and beyond.

3. It builds customer loyalty: when your organisation complies with the GDPR, you build more trusting relationships with your customers.