GDPR Compliance

GDPR compliance assessment, data mapping, DPA templates, and remediation advisory.

Article 32 Security Measures · 72h Breach Notification · DPIA Ready · Privacy by Design

GDPR Compliance Assessment

The General Data Protection Regulation continues to be enforced with increasing rigour: 2023 and 2024 saw record fines exceeding €2 billion across the EU, with Article 32 security failures accounting for a significant proportion of enforcement action. Indian organisations processing the personal data of individuals in the EU, whether through SaaS products, services contracts, or data processing agreements, are subject to GDPR regardless of where they are established (Article 3(2)). Intelliroot's GDPR Compliance Assessment provides a comprehensive evaluation of your technical and organisational security measures against the standard required by Article 32.

We conduct data mapping to identify all personal data flows, assess lawful basis for each processing activity, evaluate your data subject rights procedures, review DPA agreements with processors and sub-processors, and assess your technical security controls against the Article 32 standard of appropriate technical measures. Our output is a prioritised compliance roadmap that systematically closes gaps while building a defensible compliance programme that satisfies both supervisory authorities and enterprise customers conducting vendor due diligence.

Why GDPR Compliance Requires Ongoing Attention

Fines Are Proportionate to Revenue — Not Incident Size

Under Article 83(4), infringements of the Article 32 security obligations carry fines of up to €10 million or 2% of global annual turnover, whichever is higher; the upper tier of €20 million or 4% applies to breaches of the basic processing principles, data subject rights, and international transfer rules (Article 83(5)). In either case the cap scales with turnover rather than with the size of the incident. Supervisory authorities are increasingly willing to impose substantial fines on processors, not just controllers, so Indian SaaS providers processing EU data face direct enforcement exposure.

72-Hour Breach Notification Is a Hard Deadline

Article 33 requires a controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; any later notification must be accompanied by reasons for the delay. Processors must notify their controllers without undue delay (Article 33(2)), and where the breach is likely to result in a high risk, Article 34 additionally requires communication to the affected data subjects. Without a well-rehearsed incident response process and pre-drafted notification templates, organisations routinely miss this window and face separate sanctions for notification failures on top of the underlying security failure.

Controller Liability for Processor Failures

Under Article 82, EU controllers are liable for damage caused by processing that infringes GDPR, including processing carried out by their processors, and Article 28 obliges them to use only processors that provide sufficient guarantees and to bind them by contract. Enterprise customers are therefore requiring comprehensive DPA agreements, sub-processor lists, and evidence of processor compliance, often including third-party audit reports, before contracting with Indian SaaS vendors.

International Transfers Require Legal Mechanisms

India has no EU adequacy decision, so transferring personal data from the EU to India requires a valid legal transfer mechanism under Chapter V, with the Standard Contractual Clauses (SCCs) being the most common. Post-Schrems II, SCCs must be supplemented by a Transfer Impact Assessment (TIA) evaluating the legal landscape in the destination country and, where needed, supplementary technical measures.

What the Assessment Covers

Data Mapping & Lawful Basis

  • Personal data inventory and data flow mapping
  • Records of processing activities (Article 30) review
  • Lawful basis assessment for each processing activity
  • Special category data identification and controls
  • Retention schedule review and data minimisation

Technical Security Measures (Article 32)

  • Encryption of personal data at rest and in transit
  • Pseudonymisation and anonymisation assessment
  • Access control and least privilege review
  • Availability and resilience controls
  • Security testing programme review
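Pseudonymisation is the control in the list above that assessments most often find implemented badly: a plain hash of an identifier is deterministic and linkable, but anyone holding a list of plausible identifiers can reverse it, so the data is not pseudonymised in the Article 4(5) sense (the additional information needed to re-attribute it is not held separately). The following Python script is an added example, not part of Intelliroot's assessment material; it contrasts an unkeyed SHA-256 token with an HMAC token whose key is held apart from the dataset, runs a dictionary attack against both, and pseudonymises a record while dropping fields the downstream purpose does not need. The key, the identifier field name and the sample records are constructed for the example.

```python
"""Pseudonymisation done right vs. wrong, in the Article 4(5) / Article 32 sense.

Data counts as pseudonymised only if the additional information needed to
re-attribute it is kept separately under technical and organisational
measures. A bare hash of an identifier fails that test; a keyed HMAC whose
key lives apart from the dataset does not. Keys, names and records below are
constructed for this example.
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional

# Hypothetical key: in a real system this is fetched from a KMS/HSM under
# access control separate from the pseudonymised dataset and rotated on a
# schedule; it is hard-coded here only so the example runs offline.
PSEUDONYMISATION_KEY = b"\x01" * 32


def normalise(identifier: str) -> str:
    """Canonicalise before tokenising so 'Alice@Example.org ' and
    'alice@example.org' map to the same token; otherwise record linkage
    across datasets silently breaks."""
    return identifier.strip().lower()


def unkeyed_token(identifier: str) -> str:
    """Anti-pattern: plain SHA-256 of the identifier. Deterministic and
    linkable, but reversible by dictionary or brute force over the
    identifier space (email addresses, national IDs, phone numbers)."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def keyed_token(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """HMAC-SHA256 with a separately held key. Still deterministic, so the
    same person yields the same token for joins and analytics, but not
    reversible by anyone who lacks the key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      token_fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker (or a regulator's expert) does with a leaked token:
    recompute tokens for guessable identifiers and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return normalise(candidate)
    return None


def pseudonymise_record(record: Dict[str, str],
                        key: bytes = PSEUDONYMISATION_KEY) -> Dict[str, str]:
    """Replace the direct identifier with a keyed token and keep only the
    fields the downstream purpose needs (data minimisation). 'email' and
    'name' are the assumed direct-identifier field names."""
    out = {k: v for k, v in record.items() if k not in ("email", "name")}
    out["subject_token"] = keyed_token(record["email"], key)
    return out


# Constructed sample data: a guessable identifier list (a leaked customer
# list, or a predictable corporate email pattern) and one record to protect.
CANDIDATE_IDENTIFIERS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SAMPLE_RECORD = {"name": "Alice Example", "email": "Alice@Example.org ",
                 "plan": "pro", "region": "EU"}


def demo() -> Dict[str, Optional[str]]:
    """Run both schemes against the dictionary attack and return the outcomes."""
    weak = unkeyed_token(SAMPLE_RECORD["email"])
    strong = keyed_token(SAMPLE_RECORD["email"])
    return {
        # The unkeyed hash gives the identifier straight back.
        "unkeyed_reversed_to": dictionary_attack(weak, CANDIDATE_IDENTIFIERS, unkeyed_token),
        # Without the key an attacker can only try unkeyed or wrong-key tokens.
        "keyed_reversed_without_key": dictionary_attack(strong, CANDIDATE_IDENTIFIERS, unkeyed_token),
        "keyed_reversed_with_wrong_key": dictionary_attack(
            strong, CANDIDATE_IDENTIFIERS, lambda c: keyed_token(c, b"\x02" * 32)),
        # Only the key holder can re-link, which is the property Article 4(5) wants.
        "keyed_reversed_with_key": dictionary_attack(strong, CANDIDATE_IDENTIFIERS, keyed_token),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
    print(pseudonymise_record(SAMPLE_RECORD))
```

The point for an assessment is the split of custody: the dataset and the key must sit under different access controls, and re-identification must be a logged, authorised operation rather than something any analyst with the table can do. Keyed tokens remain personal data under GDPR; pseudonymisation reduces risk and supports the Article 32 case, it does not take the data out of scope.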

Data Subject Rights & DPA Agreements

  • Data subject rights procedures (access, erasure, portability)
  • Consent management and withdrawal mechanisms
  • Data Processing Agreement review and gap filling
  • Sub-processor disclosure and approval processes
  • Controller and processor obligation mapping

DPIA, Breach Notification & International Transfers

  • DPIA trigger assessment and template
  • Breach notification procedure (72h) review
  • SCCs and Transfer Impact Assessment (TIA)
  • Privacy by Design review for new systems
  • DPO function and governance assessment

Our Assessment Approach

01

Applicability Assessment & Scoping

Confirm GDPR applicability, identify the categories of data subjects and personal data processed, map EU data flows, and determine controller/processor status for each processing relationship — establishing the precise scope of the compliance assessment.

02

Data Mapping & Records of Processing

Conduct structured data mapping workshops with product, engineering, and operations teams to build comprehensive records of processing activities (RoPA) per Article 30 — identifying all personal data categories, sources, recipients, retention periods, and transfer mechanisms.

03

Article 32 Technical Controls Assessment

Evaluate all technical security measures against the Article 32 standard — assessing encryption, access controls, logging, incident detection, and security testing against the risk level of the processing activity and the state of the art in security technology.

04

Organisational Measures & Documentation Review

Review privacy policies, consent mechanisms, data subject rights procedures, DPA agreements, sub-processor lists, breach notification procedures, DPIA processes, and training records against GDPR requirements — identifying documentation gaps and drafting missing instruments.

05

Gap Report & Compliance Roadmap

Deliver a prioritised gap report mapping findings to specific GDPR articles, with risk ratings, remediation actions, and a phased compliance roadmap. Provide implementation support for high-priority gaps including DPA templates, SCC addenda, and breach notification runbooks.

Frequently Asked Questions

Does GDPR apply to Indian organisations?

Yes. GDPR applies to any organisation processing personal data of individuals in the EU, regardless of where the organisation is established. Indian SaaS companies, IT service providers, and data processors serving EU customers or employees are subject to GDPR under Article 3(2) (extraterritorial scope).

What is a Transfer Impact Assessment?

A Transfer Impact Assessment (TIA) is a documented analysis of whether the legal protections in the destination country are essentially equivalent to those in the EU. It is required when relying on Standard Contractual Clauses for data transfers following the Schrems II judgment. For transfers to India, a TIA must assess Indian data protection law, government access powers, and the redress mechanisms available to data subjects.

How does GDPR relate to India's DPDP Act?

India's DPDP Act 2023 shares several conceptual elements with GDPR: consent, purpose limitation, data principal rights, and significant data fiduciary obligations. We conduct GDPR and DPDP Act assessments together where relevant, identifying control overlaps that allow a single compliance programme to satisfy both regimes and highlighting areas where the two frameworks diverge.

Deliverables

GDPR Compliance Assessment Report

Article-by-article gap assessment with risk ratings, supporting evidence, and remediation recommendations — suitable for DPO, legal, and executive review.

Records of Processing Activities (RoPA)

Completed or reviewed Article 30 records covering all processing activities, data categories, recipients, retention periods, and transfer mechanisms.

DPA & SCC Templates

Data Processing Agreement template and EU Standard Contractual Clauses addendum tailored to your processor role, including sub-processor provisions and TIA framework.

Breach Notification Runbook

Step-by-step 72-hour breach notification procedure with notification templates for supervisory authorities and data subjects, and internal escalation decision tree.

GDPR Compliance Roadmap

Phased remediation roadmap prioritising gaps by risk level, with implementation guidance, effort estimates, and quick wins for immediate risk reduction.

GET STARTED

Accepting new engagements · 24h response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

  • Scoping call with a certified consultant: a 45-minute deep-dive with a senior practitioner, no sales pitch.
  • Proposal delivered in 48 hours: a fully scoped engagement plan with pricing and timeline.
  • Free attack surface analysis: a preliminary external exposure report at no cost.

Fully confidential. NDA available. No obligation. Your data is never shared.

200+ engagements · 40+ services · 98% satisfaction
CERT-In Empanelled · ISO 27001 · OSCP · CEH · CISSP