The General Data Protection Regulation is the European Union's data protection law, and it reaches well beyond Europe. An organisation anywhere in the world that offers goods or services to people in the EU, or that processes personal data on behalf of clients who do, carries obligations under it. For Indian technology and services companies the usual route into GDPR is the processor role: an EU or UK client sends a due diligence questionnaire or an Article 28 agreement, and the answers decide the contract.
Our practice is organised around that reality. We build controller programs where the client owns the data, and processor programs where the client serves those who do, and in both cases the deliverables are built to survive the scrutiny of the client's own counsel and auditors.
The work concentrates in four places: lawful basis architecture beyond consent, cross border transfer mechanisms, data subject rights on the one month statutory clock, and Data Protection Impact Assessments for high risk processing.
A GDPR engagement produces the following, each signed off against written acceptance criteria:
A typical program runs ten to sixteen weeks, with processing scale, transfer routes, and the controller or processor role as the drivers. Processor side programs for delivery organisations often run shorter, because the scope is defined by the client contracts they must satisfy.
A scoping conversation and a short Scoping Questionnaire tell us your systems, data, and obligations, and this step carries no charge. The written proposal that follows states scope, approach, deliverables, timeline, team, and exact fixed fees. Write to consulting@codecolonies.com or visit codecolonies.com to begin.