Why DPDP Compliance Is a Board-Level Issue for GCCs
Global Capability Centers process enormous volumes of personal data. A financial services GCC handling transaction monitoring reviews customer data from multiple jurisdictions. A healthcare GCC conducting clinical trial data management processes patient records governed by HIPAA, GDPR, and now India's Digital Personal Data Protection Act, 2023. An HR shared services GCC manages employee personal data for the parent's global workforce.
The DPDP Act, which received presidential assent on August 11, 2023, applies to all processing of digital personal data within India, regardless of where the data originates. The DPDP Rules, notified on November 13, 2025, bring the Act into force in phases: the provisions on the Data Protection Board and other governance machinery took effect on notification, the Consent Manager framework follows 12 months later (November 13, 2026), and the remaining obligations, including consent notices, breach notification and the additional duties of Significant Data Fiduciaries such as appointing a Data Protection Officer, become enforceable on May 13, 2027. Building the consent and breach-notification machinery during 2026 is therefore a practical necessity rather than a legal milestone: it has to be tested before it is enforceable.
The penalties are not theoretical. The Act authorizes fines up to INR 250 crore (approximately USD 30 million) per violation. For a GCC processing data on behalf of its parent, a single data breach affecting customer records could trigger penalties in India under the DPDP Act, in the EU under GDPR, and in the US under state privacy laws — simultaneously. This article provides the operational compliance framework GCCs need. For the full regulatory overview, see our GCC compliance checklist.
DPDP Act: Key Concepts for GCCs
The DPDP Act introduces terminology and concepts that GCC compliance teams must internalize. Understanding these definitions determines how your GCC's data processing activities are classified and regulated.
Data Fiduciary vs Data Processor
A Data Fiduciary is any entity that determines the purpose and means of processing personal data. A Data Processor processes data on behalf of a Data Fiduciary. For GCCs, the classification depends on the operating model:
| GCC Operating Model | DPDP Classification | Compliance Burden |
|---|---|---|
| GCC processes employee data for its own workforce | Data Fiduciary | Full obligations (consent, rights, breach notification) |
| GCC processes parent's customer data under parent's instructions | Data Processor | No direct statutory duties: security safeguards, breach reporting to the parent and audit rights flow through the contract required by Section 8(2); the parent, as Data Fiduciary, remains liable under Section 8(1) |
| GCC independently determines how to process data (analytics, ML training) | Data Fiduciary | Full obligations apply |
| GCC processes data from Indian customers of the parent | Data Fiduciary (parent) / Data Processor (GCC) | Joint compliance framework needed |
Most GCCs operate in a hybrid model: Data Fiduciary for their own employee data and Data Processor for parent company data, and each classification triggers different obligations. One exemption matters for the second role. Under Section 17(1)(d), personal data of individuals outside India that is processed in India under a contract with a person outside India is exempt from most of the Act, but the duty to take reasonable security safeguards (Section 8(5)) and the Data Fiduciary's overall responsibility (Section 8(1)) still apply. Data of Indian customers and of the GCC's own employees gets no such relief, so the exemption should be mapped dataset by dataset rather than assumed for the whole GCC.
Significant Data Fiduciary (SDF)
The Central Government can designate certain Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of data processed, risk to Data Principals, and potential impact on sovereignty and security. SDFs face enhanced obligations: appointing a Data Protection Officer (DPO) based in India who is answerable to the board, engaging an independent data auditor, conducting a Data Protection Impact Assessment and an audit once every 12 months, and exercising due diligence to verify that any algorithmic software they deploy does not pose a risk to Data Principals' rights.
Large GCCs processing data for millions of individuals — particularly in financial services, healthcare, and consumer technology — should anticipate SDF designation. Proactively implementing SDF-level controls demonstrates compliance maturity and reduces regulatory risk.

Consent Management Framework
The DPDP Act permits processing of personal data only on the basis of valid consent or one of the "legitimate uses" listed in Section 7. Processing for the purposes of employment, or to protect the employer from loss or liability, is itself a legitimate use under Section 7(i). For GCCs, consent is therefore the relevant basis mainly where processing of employee data is not needed for employment (optional benefits, wellness programmes, analytics on workforce data), where the GCC chooses to rely on it for sensitive categories such as biometrics, and for any direct interaction with Indian Data Principals.
What Constitutes Valid Consent
Consent under the DPDP Act must be:
- Free: Not bundled with other terms and conditions or obtained under duress
- Specific: Limited to the stated purpose — blanket consent for all processing is invalid
- Informed: Preceded or accompanied by a clear, plain-language notice specifying the personal data collected and the purpose of processing
- Unconditional: Not contingent on providing a service unless the data is necessary for that service
- Unambiguous: Demonstrated by a clear affirmative action — pre-ticked boxes are not valid consent
Consent Notices for GCC Employees
Every GCC must provide consent notices to its employees covering:
- Categories of personal data collected (Aadhaar, PAN, bank details, health information for insurance)
- Purpose of processing (payroll, statutory compliance, insurance, performance management)
- Third parties with whom data is shared (parent company, payroll processors, insurance providers, statutory authorities)
- Cross-border transfers (if employee data is shared with the parent entity abroad)
- Data retention periods for each category
- How to exercise data principal rights (access, correction, erasure)
Consent Manager Registration
Under Rule 4 of the DPDP Rules, Consent Managers are registered intermediaries that provide digital platforms for Data Principals to manage their consent. Consent Manager registration opens on November 13, 2026 (12 months after rules notification). Only India-incorporated entities with a minimum net worth of INR 2 crore qualify for registration. GCCs need not become Consent Managers themselves but must be prepared to integrate with registered Consent Manager platforms when they become operational.
Cross-Border Data Transfers
Cross-border data flow is the single most critical DPDP compliance issue for GCCs. By definition, a GCC exists to provide services to a foreign parent — which almost always involves transferring data across borders.
The Blacklist Approach
India's DPDP Act adopts a "blacklist" model for cross-border data transfers: personal data can flow to any country except those specifically restricted by the Central Government. As of March 2026, no countries have been placed on the restricted list. This means data transfers from India to the US, UK, EU, Singapore, and other common GCC parent jurisdictions are currently permitted without additional safeguards under Indian law.
However, GCCs must also comply with the data protection laws of the parent company's jurisdiction. If the parent is subject to GDPR, the GCC must implement Standard Contractual Clauses (SCCs) or binding corporate rules for data flowing from the EU to India. If the parent is a US entity processing data of California residents, CCPA obligations apply.
Data Localization Requirements
The DPDP Act itself imposes no general data localization mandate. Two qualifications apply. First, the Rules allow the Central Government to specify categories of personal data that Significant Data Fiduciaries must process without transferring the data, or traffic data about its flow, outside India. Second, sector-specific regulation already requires localization for certain data:
| Sector | Data Type | Localization Requirement | Regulator |
|---|---|---|---|
| Financial Services | Payment system data | Must be stored exclusively in India (RBI circular April 2018) | RBI |
| Insurance | Policyholder data | Must be stored in India (IRDAI guidelines) | IRDAI |
| Telecom | Subscriber data | Must be stored in India (DoT licence conditions) | DoT |
| Government | Government data | Must be stored in India (MeitY cloud guidelines) | MeitY |
| Healthcare | Health records | Recommended but not yet mandated | NHA/MoHFW |
GCCs in financial services must pay particular attention: all payment system data must be stored on servers physically located in India, with no mirroring to overseas data centers. This affects GCCs processing payment transaction data, reconciliation data, or customer financial records for banking and fintech parents.

Data Breach Response: The 72-Hour Clock
Under Rule 7 of the DPDP Rules, a Data Fiduciary that becomes aware of a personal data breach has a dual obligation. It must notify each affected Data Principal without delay, in plain language, describing the breach, its likely consequences, the mitigation measures taken and the safety steps the individual can take, with contact details of a person who can respond to queries. It must also intimate the Data Protection Board of India (DPB) without delay, then file the detailed report described below within 72 hours of becoming aware, or within any longer period the Board allows on a written request. Treat 72 hours as the outer limit, not as the point at which the obligation starts.
What Constitutes a Breach
The Act defines a personal data breach as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability (Section 2(u)). Loss of access counts, so a ransomware incident is reportable even if nothing was exfiltrated. For GCCs, this covers scenarios such as:
- Unauthorized access to employee records by an internal user without legitimate business need
- Data exfiltration through compromised credentials or insider threats
- Accidental exposure of personal data via misconfigured cloud storage or API endpoints
- Ransomware attacks encrypting databases containing personal data
- Loss or theft of devices (laptops, mobile phones) containing unencrypted personal data
Breach Notification Requirements
The 72-hour notification to the DPB must include:
- Nature and extent of the breach (categories and approximate number of Data Principals affected)
- Timing and location of the breach discovery
- How the breach occurred (attack vector, vulnerability exploited)
- Impact assessment on affected Data Principals
- Mitigation and remedial measures taken
- Identity of the person or entity responsible (if known)
- Confirmation of how and when affected Data Principals were notified
The penalty for failing to notify a breach is up to INR 200 crore — making breach notification compliance one of the highest-stakes obligations under the DPDP Act.
Building a Breach Response Plan
GCCs should implement a formal Incident Response Plan that includes:
- Detection: SIEM (Security Information and Event Management) systems monitoring for anomalous access patterns, data exfiltration indicators, and unauthorized privilege escalation
- Classification: A severity matrix that determines whether an incident constitutes a personal data breach requiring notification
- Containment: Immediate isolation of affected systems, credential revocation, and forensic evidence preservation
- Notification: Pre-drafted templates for DPB notification and Data Principal communication, with designated personnel authorized to submit filings
- Remediation: Root cause analysis, vulnerability patching, and policy updates to prevent recurrence
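As an added example (not code from the original article), the Python script below applies the detection and classification steps above to constructed access-log lines for a dataset holding employee personal data: a default-deny role allowlist, a bulk-read threshold as an exfiltration indicator, off-hours access measured in IST, and privilege changes. It then decides whether the findings should be treated as a suspected personal data breach and computes the 72-hour deadline from the moment of awareness. The log format, role names, thresholds and business hours are assumptions for the example, not anything the Act or Rules prescribe.

```python
"""Detection and triage rules over personal-data access logs (added example).

Assumptions (not from any real system): pipe-separated log lines
ts|user|role|action|dataset|records, the role names, thresholds and IST business hours.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
BUSINESS_HOURS = range(8, 20)        # 08:00-19:59 IST counts as working hours (assumed)
BULK_THRESHOLD = 500                 # records touched in one operation that suggests exfiltration
PERSONAL_DATA_SETS = {"employee_master"}
# Roles allowed to touch each dataset; anything not listed is unauthorized (default-deny)
ALLOWED_ROLES = {"employee_master": {"hr_ops", "payroll"}, "iam": {"platform"}}

# Constructed sample log (not real data)
SAMPLE_LOG = """\
2026-03-02T09:12:04Z|priya.n|hr_ops|READ|employee_master|1
2026-03-02T09:13:40Z|priya.n|hr_ops|READ|employee_master|1
2026-03-02T22:47:10Z|dev.svc|engineering|READ|employee_master|1
2026-03-02T23:02:55Z|rahul.k|hr_ops|EXPORT|employee_master|4800
2026-03-03T01:15:00Z|rahul.k|hr_ops|READ|employee_master|1
2026-03-03T10:00:00Z|admin.bot|platform|GRANT_ROLE|iam|1
"""


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    dataset: str
    records: int


@dataclass
class Alert:
    kind: str
    event: Event


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; timestamps are UTC with a trailing Z."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, dataset, records = line.split("|")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, user, role, action, dataset, int(records)))
    return events


def detect(events: list[Event]) -> list[Alert]:
    """Apply four independent rules; one event can raise several alerts."""
    alerts = []
    for e in events:
        if e.role not in ALLOWED_ROLES.get(e.dataset, set()):
            alerts.append(Alert("unauthorized_access", e))
        if e.action in {"READ", "EXPORT"} and e.records >= BULK_THRESHOLD:
            alerts.append(Alert("bulk_access", e))
        if e.ts.astimezone(IST).hour not in BUSINESS_HOURS:
            alerts.append(Alert("off_hours_access", e))
        if e.action == "GRANT_ROLE":          # privilege changes are always reviewed
            alerts.append(Alert("privilege_change", e))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    return dict(Counter(a.kind for a in alerts))


def classify(alerts: list[Alert]) -> str:
    """'notify': unauthorized or bulk access touched personal data, so treat it as a
    suspected personal data breach and start the clock. 'investigate': weaker signals
    only. 'none': nothing fired."""
    strong = {"unauthorized_access", "bulk_access"}
    if any(a.kind in strong and a.event.dataset in PERSONAL_DATA_SETS for a in alerts):
        return "notify"
    return "investigate" if alerts else "none"


def dpb_deadline(aware_at_utc: str) -> str:
    """Outer limit for the detailed report to the Board: 72 hours after the Fiduciary
    becomes aware (the initial intimation must still go out without delay)."""
    aware = datetime.fromisoformat(aware_at_utc.replace("Z", "+00:00"))
    due = (aware + timedelta(hours=72)).astimezone(timezone.utc)
    return due.strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(log_text: str, aware_at_utc: str) -> dict:
    alerts = detect(parse_log(log_text))
    decision = classify(alerts)
    report = {"alerts": summarize(alerts), "decision": decision}
    if decision == "notify":
        report["dpb_report_due"] = dpb_deadline(aware_at_utc)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2026-03-03T09:30:00Z"))
```

Run as-is, the sample produces one unauthorized access (an engineering service account reading employee records), one bulk export of 4,800 records, three off-hours events and one privilege change, and the triage decision is "notify" with the report deadline 72 hours after the supplied awareness time. The off-hours and privilege rules on their own only return "investigate": they are context for the analyst, not evidence of a breach, which is the distinction the severity matrix in the plan above has to encode.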
Technical Security Safeguards for GCCs
A GCC acting as a Data Fiduciary (for its own employee data) is directly responsible for protecting that data; a GCC acting as a Data Processor implements the safeguards its contract with the parent requires, and the parent remains liable under Section 8(5) for processing done on its behalf. The Act requires "reasonable security safeguards" without prescribing technologies, and Rule 6 of the DPDP Rules sets the minimum: encryption, obfuscation, masking or tokenisation of personal data; access control to the computer resources involved; logging, monitoring and review to detect and investigate unauthorised access; backups that allow processing to continue; retention of the personal data and logs needed to investigate a breach for at least one year; and contractual provisions binding Data Processors to the same safeguards. Aligning with industry standards such as ISO 27001, SOC 2 Type II and the NIST Cybersecurity Framework is a sensible way to evidence this.
Recommended Security Architecture
| Security Layer | Controls | Implementation Notes for GCCs |
|---|---|---|
| Network | Firewalls, IDS/IPS, network segmentation, VPN for remote access | Segment GCC network from parent network; dedicated VLAN for sensitive data processing |
| Identity & Access | MFA, RBAC, privileged access management, SSO | Integrate with parent's IAM but enforce India-specific access policies |
| Data | Encryption at rest (AES-256) and in transit (TLS 1.3), tokenization, data masking | Encrypt all databases containing personal data; mask PII in non-production environments |
| Endpoint | EDR, device encryption, DLP, mobile device management | Full disk encryption mandatory on all GCC devices; DLP policies for personal data |
| Application | Secure SDLC, SAST/DAST, API security, WAF | Integrate security testing into CI/CD pipeline; annual penetration testing |
| Monitoring | SIEM, user behavior analytics, audit logging | Retain access logs for at least one year (Rule 6 of the DPDP Rules; CERT-In's 2022 directions separately require 180 days); real-time alerting for sensitive data access |
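The Data row above recommends tokenization and masking of PII in non-production environments. As an added example (not code from the original article), the Python script below shows one way to produce a test copy of an employee record under a per-field policy: identifiers such as Aadhaar and PAN are masked to their last four characters, joinable fields are replaced by keyed HMAC pseudonyms so relationships across tables survive, fields with no policy entry are dropped, and a pattern scan over the result makes the export fail closed if an identifier slips through. The identifier formats, the demo record and the policy are assumptions for the example.

```python
"""Masking and tokenisation of employee personal data for non-production copies (added example).

Identifier formats, the demo record and the policy are assumptions for the example; the
key would come from a secrets manager, never from source.
"""
import hashlib
import hmac
import json
import re

# Assumed formats: Aadhaar is 12 digits (UIDAI numbers do not start with 0 or 1), often
# written in groups of four; PAN is AAAAA9999A.
AADHAAR_RE = re.compile(r"\b[2-9][0-9]{3}\s?[0-9]{4}\s?[0-9]{4}\b")
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PII_PATTERNS = {"aadhaar": AADHAAR_RE, "pan": PAN_RE, "email": EMAIL_RE}

DEMO_KEY = b"demo-only-tokenisation-key"      # assumption: a real key lives in a secrets manager

# Constructed record (not a real person)
RAW_RECORD = {
    "employee_id": "E10423",
    "name": "Asha Rao",
    "aadhaar": "2345 6789 0123",
    "pan": "ABCDE1234F",
    "bank_account": "001234567890",
    "email": "asha.rao@example.com",
    "salary_inr": 1850000,
    "health_plan": "Group Mediclaim Gold",
}

# Per-field policy for the non-prod copy. Fields with no entry are dropped (default-deny),
# so a column added in production later never leaks by default.
POLICY = {
    "employee_id": "keep",          # internal key needed to reproduce bugs
    "name": "tokenize",
    "aadhaar": "mask_aadhaar",
    "pan": "mask_pan",
    "bank_account": "tokenize",
    "email": "tokenize",
    "salary_inr": "keep",           # payroll test logic needs the number
    # "health_plan" deliberately absent: health data has no business need in test
}


def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: equal inputs map to equal tokens so joins across
    tables survive, but without the key a token cannot be reversed or reproduced."""
    normalised = value.strip().lower().encode()
    return "tok_" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def mask_aadhaar(value: str) -> str:
    """Keep only the last four digits, the convention UIDAI itself uses for masked Aadhaar."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 12:
        raise ValueError("Aadhaar must have 12 digits")
    return "XXXX XXXX " + digits[-4:]


def mask_pan(value: str) -> str:
    if not PAN_RE.fullmatch(value):
        raise ValueError("malformed PAN")
    return "X" * 6 + value[-4:]


def sanitize_record(record: dict, key: bytes, policy: dict = POLICY) -> dict:
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "tokenize":
            out[field] = tokenize(str(value), key)
        elif action == "mask_aadhaar":
            out[field] = mask_aadhaar(value)
        elif action == "mask_pan":
            out[field] = mask_pan(value)
        elif action != "drop":
            raise ValueError(f"unknown policy action {action!r} for {field}")
    return out


def scan_for_residual_pii(record: dict) -> list[tuple[str, str]]:
    """Post-check: pattern-scan the serialised record so the export fails closed if a
    policy gap lets an identifier through."""
    text = json.dumps(record)
    return [(kind, m.group(0)) for kind, rx in PII_PATTERNS.items() for m in rx.finditer(text)]


def export_for_nonprod(records: list[dict], key: bytes) -> list[dict]:
    cleaned = [sanitize_record(r, key) for r in records]
    residual = [hit for rec in cleaned for hit in scan_for_residual_pii(rec)]
    if residual:
        raise RuntimeError(f"refusing export, residual personal data found: {residual}")
    return cleaned


if __name__ == "__main__":
    print(json.dumps(export_for_nonprod([RAW_RECORD], DEMO_KEY), indent=2))
```

Two design choices are worth noting. The policy is an allow-list, so the failure mode of an unmapped column is data loss in the test environment rather than disclosure. And the HMAC pseudonym is keyed: an unkeyed hash of a 12-digit Aadhaar or a 10-character PAN is trivially brute-forced across the whole value space, so a plain SHA-256 would not count as de-identification.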
Data Protection Impact Assessment (DPIA)
While DPIAs are formally required only for Significant Data Fiduciaries, all GCCs processing personal data at scale should conduct periodic DPIAs. A DPIA evaluates:
- The necessity and proportionality of data processing activities
- Risks to Data Principals arising from the processing
- Measures to mitigate identified risks
- Whether cross-border transfers introduce additional risk
Conducting voluntary DPIAs demonstrates compliance maturity and prepares the GCC for potential SDF designation.

Compliance with Multiple Data Protection Regimes
GCCs face the unique challenge of simultaneously complying with India's DPDP Act and the data protection laws of the parent company's jurisdiction. For companies from the United States, United Kingdom, or Germany, this means navigating overlapping and sometimes conflicting requirements.
DPDP Act vs GDPR: Key Differences
| Aspect | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Legal Bases for Processing | Consent or Legitimate Use | Six legal bases including Legitimate Interest |
| Cross-Border Transfers | Blacklist model (allowed unless restricted) | Adequacy, SCCs, BCRs required |
| Breach Notification | 72 hours to DPB | 72 hours to supervisory authority |
| Right to Portability | Not explicitly provided | Yes |
| DPO Requirement | SDFs only | Public authorities, and controllers whose core activities involve large-scale regular monitoring or large-scale processing of special-category data |
| Maximum Penalty | INR 250 crore (~USD 30M) | 4% of global annual turnover or EUR 20 million, whichever is higher |
| Data Localization | Sector-specific only | No general mandate |
For GCCs with EU data exposure, the practical recommendation is to implement GDPR-level controls as the baseline and layer DPDP-specific requirements (consent notice format, DPB notification procedure, Consent Manager integration) on top. This approach ensures compliance with both regimes without maintaining parallel systems.
DPDP Compliance Implementation Timeline for GCCs
Based on the phased rollout specified in the DPDP Rules, here is the recommended implementation timeline for GCCs:
| Phase | Timeline | Actions |
|---|---|---|
| Phase 1: Foundation | Now - Q2 2026 | Appoint privacy lead, conduct data mapping exercise, draft privacy notices, establish records of processing activities, review all vendor agreements for data processor clauses |
| Phase 2: Operationalize | Q3 2026 - Q4 2026 | Implement consent collection mechanisms, build Data Principal rights request workflow, deploy breach detection and notification system, conduct first voluntary DPIA |
| Phase 3: Full Compliance | Q1 2027 - May 13, 2027 | Integrate with registered Consent Managers, complete employee training, appoint DPO if designated as SDF, engage independent data auditor, finalize data retention and deletion policies |
GCCs that wait until 2027 to begin compliance work face significant execution risk. The data mapping exercise alone — cataloguing every personal data element processed, its source, purpose, storage location, and retention period — typically takes 3-6 months for a GCC with multiple processing activities.

Employee Data: The Often-Overlooked Compliance Area
GCCs frequently focus on customer data compliance while overlooking their obligations regarding employee personal data. Every GCC in India processes significant volumes of employee personal data — Aadhaar numbers for KYC verification, PAN details for tax compliance, bank account information for salary payments, health records for insurance enrolment, and biometric data for access control.
Employee Data Processing Inventory
| Data Category | Examples | Legal Basis | Retention Period |
|---|---|---|---|
| Identity Data | Aadhaar, PAN, passport | Employment contract + statutory requirement | 8 years post-separation (Income-tax Act) |
| Financial Data | Bank account, salary, tax deductions | Statutory compliance (EPF, ESI, Income-tax Act) | 8 years post-separation |
| Health Data | Insurance records, medical certificates | Consent + ESI Act requirements | Duration of employment + 5 years |
| Biometric Data | Fingerprints, facial recognition for access | Consent (must be specific and informed) | Delete upon separation |
| Performance Data | Reviews, disciplinary records | Legitimate use (employment relationship) | Duration of employment + 3 years |
| Background Verification | Education, criminal records, references | Consent (obtained during hiring) | Duration of employment + 1 year |
Where the GCC relies on consent rather than the employment legitimate use in Section 7(i), that consent must be granular: a single blanket consent in the offer letter is not valid, and a separate, specific notice is needed for each purpose, particularly where data is shared with the foreign parent company or third-party processors. Processing that is not necessary for employment (optional benefits, wellness programmes, analytics on workforce data) should not be folded into the employment basis. Biometric data collection needs especially clear consent, and employees who decline enrolment must be offered an alternative access method; otherwise the consent is not free.
Practical Steps: What Your GCC Should Do This Quarter
Here are the five highest-priority actions for GCC compliance and data security teams:
- Complete a personal data inventory: Map every system that processes personal data — HRMS, CRM, ticketing systems, shared drives, cloud storage. Identify what personal data each system holds, where it is stored, and who has access.
- Review intercompany data processing agreements: Ensure your agreement with the parent company clearly defines data processing responsibilities, breach notification obligations, and cross-border transfer safeguards. Update agreements to reference the DPDP Act.
- Draft employee privacy notices: Create DPDP-compliant privacy notices for employees covering all data categories, processing purposes, cross-border transfers, and rights. Roll out with acknowledgement collection.
- Implement breach detection and response: Deploy or upgrade SIEM capabilities, establish a breach response team with defined roles, and create pre-approved notification templates for the DPB and affected individuals.
- Engage legal counsel for multi-regime compliance: If your GCC processes data subject to GDPR, CCPA, HIPAA, or other international privacy laws, engage counsel to harmonize your compliance framework across jurisdictions. Our annual compliance services and regulatory compliance services can help navigate the intersection of data protection and FEMA obligations for cross-border data flows.

Key Takeaways
- The DPDP Act applies to all GCCs processing personal data in India — whether the data relates to Indian employees, global employees, or customer data processed on behalf of the parent company. Full compliance is mandatory by May 13, 2027.
- Penalties reach INR 250 crore per violation — with INR 200 crore specifically for failure to notify a data breach. The 72-hour breach notification clock starts when the GCC becomes aware of the breach.
- Cross-border transfers are currently permitted under India's blacklist model, but GCCs must also satisfy the parent jurisdiction's transfer requirements (GDPR SCCs, CCPA obligations). Sector-specific localization mandates apply for financial services, insurance, and telecom data.
- Most GCCs operate as both Data Fiduciary and Data Processor — Fiduciary for employee data, Processor for parent company data. Each classification triggers different compliance obligations under the DPDP Act.
- Start compliance work now: Data mapping, privacy notices, and breach response planning should be completed by mid-2026. Waiting until the May 2027 deadline creates unacceptable execution risk for organizations processing data at GCC scale.
Frequently Asked Questions
Does the DPDP Act apply to data processed by a GCC on behalf of a foreign parent?
Yes. The DPDP Act applies to all processing of digital personal data within India, regardless of where the data originates or whom it relates to, so a GCC processing customer or employee data in India is subject to it and will be a Data Fiduciary or Data Processor depending on whether it determines the purpose of processing. One exemption is specific to the GCC model: under Section 17(1)(d), personal data of individuals outside India that is processed in India under a contract with a person outside India is exempt from most obligations, although the duty to take reasonable security safeguards (Section 8(5)) still applies. Data of Indian customers and of the GCC's own employees receives no such exemption.
What is the deadline for full DPDP Act compliance?
Full compliance with the DPDP Act and DPDP Rules is mandatory by May 13, 2027, 18 months after the Rules were notified on November 13, 2025. The rollout is phased: the governance provisions (including the Data Protection Board) took effect on notification, the Consent Manager framework applies from November 13, 2026, and the remaining obligations, including consent notices, breach notification and DPO appointments for SDFs, become enforceable on May 13, 2027. Building the consent and breach-notification machinery during 2026 leaves time to test it before it becomes enforceable.
Can a GCC transfer personal data from India to its parent company abroad?
Currently yes, under the DPDP Act's blacklist approach. Personal data can be transferred to any country unless specifically restricted by the Central Government — and as of March 2026, no countries are on the restricted list. However, sector-specific rules apply: financial payment data must remain in India per RBI mandate, and the GCC must also comply with the parent jurisdiction's transfer requirements such as GDPR SCCs.
What are the penalties for a data breach under the DPDP Act?
Failure to notify the Data Protection Board and affected individuals of a personal data breach carries a penalty of up to INR 200 crore (approximately USD 24 million). The overall maximum penalty under the DPDP Act is INR 250 crore per violation. The Data Fiduciary must notify the DPB within 72 hours of becoming aware of the breach.
Does the DPDP Act require data localization in India?
The DPDP Act itself does not impose a blanket data localization requirement. However, sector-specific regulations mandate localization for certain data types: the RBI requires payment system data to be stored exclusively in India, IRDAI requires policyholder data localization, and DoT requires telecom subscriber data to remain in India. GCCs in these sectors must ensure compliance with both the DPDP Act and sectoral localization rules.
What is a Significant Data Fiduciary and could a GCC be designated as one?
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, risk to individuals, and impact on sovereignty. SDFs must appoint a DPO based in India, conduct annual DPIAs, and engage independent data auditors. Large GCCs processing data for millions of individuals — particularly in financial services and healthcare — should anticipate potential SDF designation.
How should a GCC handle DPDP and GDPR compliance simultaneously?
The practical approach is to implement GDPR-level controls as the baseline and layer DPDP-specific requirements on top. Both laws require breach notification within 72 hours, but differ on legal bases for processing, DPO requirements, and cross-border transfer mechanisms. For EU data, GCCs need Standard Contractual Clauses. This unified approach avoids maintaining parallel compliance systems while satisfying both regimes.