The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — came into force on 25 May 2018 and is the world's most influential data protection law. It applies to any organisation anywhere in the world that processes personal data of individuals in the European Union, regardless of where the organisation is headquartered. For Indian IT firms, BPOs, SaaS providers, and consultancies serving EU clients, GDPR compliance is not optional — it is a contractual and legal requirement.

GDPR establishes rights for data subjects (EU residents) and obligations for Data Controllers (who determine the purposes of processing) and Data Processors (who process data on behalf of controllers). Indian IT firms acting as processors must sign Article 28 Data Processing Agreements (DPAs) with their EU clients, implement appropriate technical and organisational measures, and assist controllers in responding to data subject rights requests. Fines can reach €20 million or 4% of global annual turnover, whichever is higher.

🔴 India Exposure: Any Indian IT firm handling EU customer data, processing EU employee HR data, or running SaaS/cloud platforms used by EU companies is directly subject to GDPR obligations as a Data Processor. The DPDP Act 2023 and GDPR share many principles — joint compliance is highly achievable.