India's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer servicesIndia's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer services
Abhishek Bansiwal
EUGeneral Data Protection Regulation (EU) 2016/679

The regulation every data-driven business ends up answering to.

The GDPR applies to any organisation processing personal data of people in the EU, including companies with no EU presence that offer goods or services to EU residents or monitor their behaviour. It is the core of our practice: programme builds, DPIAs, Art. 28 processor agreements, international transfers, and Art. 42 certification.

At a glance

Who it catches

EU-established organisations, plus any business worldwide targeting or monitoring people in the EU (Art. 3)

Maximum fines

Up to €20 million or 4% of global annual turnover, whichever is higher

Key trigger points

DPIAs for high-risk processing (Art. 35), 72-hour breach notification (Art. 33), DPO appointment (Art. 37)

Status

In force since May 2018; enforcement volume and fine sizes continue to grow

What it requires

The obligations that matter in practice.

  • A lawful basis for every processing operation, documented before processing starts
  • Transparency notices meeting Arts. 13–14, written for people rather than regulators
  • Records of Processing Activities (Art. 30) that reflect what actually happens to the data
  • DPIAs for high-risk processing, and consultation with the regulator where risk remains
  • Processor contracts under Art. 28 and a compliant route for every international transfer
  • Data subject rights handling within one month, access, erasure, portability, objection

How we help

Where our practice comes in.

FAQ

Common GDPR questions.

If you offer goods or services to people in the EU, or monitor their behaviour (analytics, tracking, profiling), then yes: Art. 3(2) applies regardless of where you're incorporated. You may also need an EU representative under Art. 27.

A structured gap assessment. We map your processing, check it against every applicable obligation, and give you a prioritised remediation list, usually within two to three weeks.

Start here

Tell us what you're dealing with.

Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.

Prefer to talk? Book a free 30-min call

Email: abhishek.adv@yahoo.com

LinkedIn: linkedin.com/in/abhishekbansiwal

Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.

Replies within 24 hours. No mailing list, no follow-up sequence.