GDPR Compliance, Audit, Lawful Basis & Consent
Audit. Map. Justify. Comply.
If your business processes personal data of anyone in the EU, visitors, customers, employees, prospects, GDPR applies, regardless of where you're incorporated. We map your data, justify each purpose, write the policies and stand up the consent flows that pass European scrutiny. For businesses anywhere in the world.
A defensible GDPR posture across every data flow.
Six deliverables, scoped to your business and the EU data you actually touch.
GDPR audit & data map
A full discovery of every place EU personal data lives in your business, what you collect, why, where it goes, how long it stays. Output: a documented data-flow map.
Lawful basis justification
GDPR requires a documented legal basis (consent, contract, legal obligation, vital interest, public task, or legitimate interest) for every processing activity. We pick the right one for each, and write it down.
Cookie & consent management
A real consent banner, not a passive notice. Granular opt-ins per category. Records of consent. Easy withdrawal. Built to satisfy ePrivacy Directive + GDPR + the 2024 EDPB guidance.
GDPR-ready privacy policy
Not a template, a policy written after auditing your real data. Includes the seven required disclosures: identity, purposes, legal basis, recipients, transfers, retention, and rights.
DSAR workflow & DPO advisory
A documented process for handling Subject Access Requests within 30 days. DPO-as-a-Service available for businesses processing data on a regular and systematic scale.
International transfer controls
Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs) and data-residency review for any data leaving the EU/EEA, including from India.
Four phases, six to eight weeks for most businesses.
Audit
Two weeks. We map every EU data flow in your business and produce a written gap report against GDPR + ePrivacy Directive + recent EDPB guidance.
Map
For each processing activity: data category, purpose, legal basis, recipients, retention, transfers. A defensible Article 30 record.
Justify
Lawful basis assigned, legitimate interest assessments where applicable, consent flows where required. All documented.
Comply
Privacy policy, cookie consent, DSAR workflow, DPO retainer (if needed), breach playbook. Ready for the next request, from a customer or a regulator.
GDPR for Indian businesses, plainly answered.
Does GDPR apply to my business?
+
If your business offers goods or services to individuals in the EU (paid or free), monitors the behaviour of individuals in the EU (analytics, advertising, cookies on EU visitors), or processes EU personal data on behalf of another organisation, GDPR applies, regardless of where your business is incorporated. A SaaS company in San Francisco with EU users is in scope. A consultancy in Singapore with one EU client is in scope. A pharma exporter in India shipping to Germany is in scope. The territorial reach is broad and intentional.
GDPR vs other privacy regimes, how do they relate?
+
GDPR is the EU's flagship data protection law and remains the global gold standard. India's DPDP Act (2023), the US CCPA/CPRA, Brazil's LGPD, China's PIPL and others derive from or align with GDPR principles. A business operating in multiple jurisdictions typically needs each regime covered separately, but a single unified compliance posture, built around GDPR, satisfies most. We help businesses build that unified posture.
How much does GDPR compliance cost?
+
Pricing depends on company size, data complexity and EU footprint, and currency by region. For small businesses with a single website and limited EU traffic, a full GDPR setup (audit + lawful basis assignment + cookie consent + privacy policy + documentation) typically runs $700–$3,000 USD (₹60,000–₹2.5 lakh). Mid-sized businesses with multiple systems, recurring EU transfers and DPO requirements run $3,000–$15,000 USD ($2.5 lakh–₹12 lakh). DPO-as-a-Service retainer is $300–$1,200 USD/month (₹25,000–₹1 lakh).
What are the GDPR penalties?
+
GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. Enforcement reaches non-EU businesses, with cross-border cooperation through the EDPB. Beyond the regulator, the bigger commercial risk is procurement: EU buyers and partners refuse to engage with vendors who can't produce a Data Processing Agreement (DPA), a privacy posture document, and evidence of compliance. Being demonstrably compliant is increasingly an entry ticket to European business.
Do I need to appoint a Data Protection Officer (DPO)?
+
GDPR requires a DPO if your business processes personal data on a regular and systematic scale, processes sensitive personal data at scale, or is a public authority. Most Indian SMBs do not strictly require a DPO, but EU buyers increasingly expect one, even if outsourced. We offer DPO-as-a-Service for businesses that need a credible privacy contact without hiring full-time.
What about cross-border data transfers (EU to non-EU)?
+
Transferring EU personal data outside the EU/EEA requires a transfer mechanism, typically Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) for large groups, or one of the narrow derogations. Some jurisdictions (UK, Japan, Canada, South Korea, and several others) have EU adequacy decisions and require less paperwork. Others (US, India, most of Asia, Latin America, Africa) require full SCCs plus a Transfer Impact Assessment (TIA). We help businesses set up the right mechanism for their data flows.
Is RoseLeap based outside the EU? Can you still help?
+
Yes. We're based in India and work with clients on every continent. GDPR compliance work is jurisdiction-agnostic on the consultant side, what matters is whether we understand EU law and produce defensible documentation in English. We do both. Time-zone-wise, India works well for clients across EMEA, APAC and the US; we run remote-first engagements with periodic video sessions.
Compliant before your European buyer asks.
Tell us where in the EU your business operates and what data you touch. We'll come back with a fixed-fee scope and a date by which you can be compliant.