“Until the central government publishes the list of permitted and restricted countries under DPDP rules, cross-border data transfer obligations remain in a holding pattern. However, this is not a reason for inaction; it is a reason to audit and map all cross-border data flows now, so you are ready to assess compliance the moment the rules land.”
India hosts over 1,700 Global Capability Centers (GCCs) today, processing sensitive personal data for global enterprises across financial services, healthcare technology, IT services, and business process management. That scale is exactly why the Digital Personal Data Protection (DPDP) Act, 2023, India’s first comprehensive personal data protection law, is not just a compliance checkbox but a fundamental operational and strategic question for every multinational running or building a GCC in India.
For years, India operated without a unified data privacy regulation. Companies structured their GCC data architectures around internal data governance policies, sector-specific rules from regulators like the RBI, SEBI, and IRDAI, and the comfort of legislative ambiguity. The DPDP Act ends that era. It establishes a clear, consent-based data protection framework that applies to any entity processing digital personal data of individuals in India regardless of where that entity is headquartered.
Understanding the DPDP Act, 2023: Scope and Core Obligations
At its foundation, India’s Digital Personal Data Protection Act governs the collection, storage, processing, and transfer of digital personal data pertaining to individuals (called “Data Principals”) in India. The Act’s extraterritorial reach is its most commercially consequential feature: it applies not only to entities within India but also to entities outside India that process personal data of Indian residents in connection with offering goods or services to them.
For GCC operators, this extraterritorial scope means that the parent company, whether headquartered in the United States, United Kingdom, Germany, Singapore, or anywhere else, is directly within the Act's ambit whenever it receives, stores, or processes personal data handled by its Indian GCC.
The Act establishes two primary roles:
- Data Fiduciary: Any entity that determines the purpose and means of processing personal data. In most GCC structures, this is the parent company or the GCC entity itself, depending on the operational model.
- Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary. Many Indian GCCs operate as processors under instructions from their global parent.
This distinction carries significant compliance consequences. Core obligations under the DPDP Act include:
- Obtaining free, specific, informed, and unambiguous consent from Data Principals before processing their personal data
- Processing data only for specified and lawful purposes disclosed at the time of consent
- Maintaining data accuracy and limiting retention to the period necessary for the stated purpose
- Implementing reasonable and appropriate technical and organizational security safeguards
- Honouring Data Principal rights including access, correction, erasure, grievance redressal, and nomination
- Appointing a Grievance Officer to handle Data Principal complaints within prescribed timelines
Non-compliance with these obligations can attract penalties of up to INR 250 crore per instance of breach, a figure substantial enough to focus board-level attention.
Cross-Border Data Transfers Under the DPDP Act: What GCCs Need to Know
For Global Capability Centers, no provision of the DPDP Act is more operationally significant than Section 16, which governs cross-border personal data transfers. Unlike the earlier Personal Data Protection Bill, 2019, which proposed strict data localization requirements for sensitive and critical data, the enacted DPDP Act takes a more open, trade-friendly approach.
Under Section 16, personal data may be transferred outside India to countries or territories notified by the central government as permissible destinations. The approach is essentially a negative-list model: transfers are permitted broadly, subject to specific country-level restrictions rather than requiring explicit adequacy decisions for every destination.
For multinationals, this matters because virtually every GCC data flow crosses a border. Code reviews, software quality assurance, payroll and HR data, customer service records, financial analytics, product telemetry: all of it moves between India and the parent entity’s global infrastructure. Each of these flows involving personal data of Indian residents will need legal cover under the eventual DPDP transfer framework.
Organizations that have already navigated GDPR cross-border transfer compliance, including Standard Contractual Clauses (SCCs), Transfer Impact Assessments, and Article 49 derogations, have a meaningful operational advantage. The institutional knowledge of data flow mapping, legal basis documentation, and third-party processor management translates directly, even though the specific DPDP mechanisms will differ.
Significant Data Fiduciaries: Higher Obligations for Large-Scale GCC Operations
The DPDP Act creates a designated category of “Significant Data Fiduciaries” (SDFs): entities that the central government may classify based on the volume and sensitivity of personal data processed, the potential risk to Data Principals and to national security, India’s digital economy, and public order.
SDFs face a materially elevated compliance burden compared to ordinary Data Fiduciaries:
- Mandatory appointment of a Data Protection Officer (DPO) who must be based in India and is responsible to the Board of the fiduciary
- Periodic Data Protection Impact Assessments (DPIAs) to identify and mitigate risks arising from data processing activities
- Algorithmic audits and assessment of potential harms from automated processing systems
- Additional compliance measures as may be prescribed by the Data Protection Board of India
For large GCCs, particularly those in BFSI, healthcare technology, e-commerce enablement, or those processing data at scale for global consumer platforms, SDF designation is a realistic possibility. The thresholds will be set by subordinate rules, but the legislative intent is clear: scale and sensitivity attract scrutiny.
SDF status has structural governance implications that go beyond additional paperwork. An India-based DPO with genuine board-level accountability introduces local accountability structures that may sit awkwardly alongside a globally centralized Chief Privacy Officer model. GCCs will need to map out how an India DPO interacts with their GDPR-mandated EU representative, their global data governance framework, and their enterprise information security architecture.
The DPDP Act and India's Broader Data Regulatory Landscape
The DPDP Act does not operate in isolation. India’s data regulation ecosystem is multi-layered, and GCCs must navigate it as a whole:
- RBI’s data localization requirements for payment system operators mandate that payment data be stored exclusively in India, a hard localization obligation that already applies to many fintech and BFSI GCCs
- SEBI’s cybersecurity and data governance frameworks impose obligations on entities in the securities market, including GCCs supporting capital markets operations
- IRDAI regulations governing insurance data add sector-specific restrictions that interact with DPDP obligations
- The IT Act, 2000 and the SPDI Rules, 2011, which the DPDP Act partially supersedes, remain relevant for certain categories of data and certain processing contexts
- India’s National Data Governance Framework Policy (NDGFP) and proposed non-personal data regulations add further layers to the compliance landscape
For GCC compliance teams, the practical implication is that a DPDP-only compliance programme is insufficient. Data governance for an Indian GCC requires a cross-regulatory view that maps each data flow to its applicable regulatory obligations across all relevant frameworks.
DPDP Act Compliance Checklist for GCCs: What To Do Now
With the Data Protection Board of India yet to be constituted and the implementing rules still pending, the temptation is to wait. That would be a mistake. The structural compliance work, which is independent of specific rule thresholds, can and should begin immediately.
- Conduct a Personal Data Inventory and Flow Mapping Exercise
You cannot protect or comply with obligations around data you cannot see. Every GCC should be able to answer with specificity: What personal data of Indian residents do we collect, process, store, or transfer? To whom does it flow? Across which geographies? Under what legal basis? This data mapping exercise is the foundation of every other compliance activity.
- Classify Your Role Under the DPDP Act
Determine whether your GCC entity is a Data Fiduciary, a Data Processor, or both, and make this determination for each distinct processing activity. The classification will determine your specific obligations, your contractual requirements with counterparts, and your exposure to regulatory scrutiny.
- Review and Update Inter-Company Data Processing Agreements
The DPDP Act requires Data Processing Agreements (DPAs) between Fiduciaries and Processors. The standard inter-company services agreement or Master Services Agreement may not satisfy these requirements. Review all intra-group data processing arrangements through a DPDP compliance lens and update contractual terms to reflect required representations, obligations, and audit rights.
- Redesign Consent Architecture and Notice Frameworks
The Act’s consent standard is demanding: consent must be free, specific, informed, unconditional, and unambiguous, and withdrawal must be as easy as grant. Data collection processes that rely on bundled consent, pre-ticked boxes, or lengthy legalese-embedded disclosures will need fundamental redesign. Privacy notices must be clear, accessible, and available in multiple languages given India's linguistic diversity.
- Build Operational Infrastructure for Data Principal Rights
GCCs that process data of Indian consumers for customer support, analytics, product development, or any other purpose must be operationally ready to receive and honour Data Principal rights requests. This means designated intake channels, identity verification processes, defined internal workflows, and response time tracking, all calibrated to the timelines that the rules will specify.
- Assess Significant Data Fiduciary Exposure
Even before SDF thresholds are published, large-scale GCCs should begin assessing their likely designation risk. If SDF status is probable, begin planning for India-based DPO appointment, DPIA methodology development, and algorithmic audit frameworks.
- Monitor DPDP Rulemaking and Data Protection Board Formation Actively
The subordinate rules under the DPDP Act will define the operational specifics: transfer mechanisms, exemption categories, SDF thresholds, penalty structures, and the Board's adjudication processes. Engage with the public consultation process. Build scenario-based compliance plans around the most likely outcomes, designed to be quickly adapted as rules are finalized.
The Strategic Stakes: Why DPDP Compliance is a Competitive Differentiator
Beyond regulatory obligation, DPDP compliance is increasingly a factor in GCC commercial positioning. Global enterprises, particularly those headquartered in GDPR jurisdictions, are placing greater scrutiny on the data governance standards of their Indian operations. A GCC that can demonstrate robust personal data protection practices, audit-ready data flows, and mature privacy governance is a more credible partner than one that treats compliance as an afterthought.
India's data protection framework also has geopolitical significance. As the world’s largest GCC ecosystem, India’s data governance rules will directly shape enterprise architecture decisions for thousands of multinationals. A regulatory environment perceived as predictable, proportionate, and internationally compatible will attract higher-value GCC investment in functions like AI development, data analytics, and enterprise technology. The DPDP Act’s relatively open approach to cross-border transfers, compared to the more restrictive earlier drafts, signals that India is attempting to strike this balance.
Legitpro Remark:
The DPDP Act, 2023 is India’s most significant data governance development in a generation, and for the GCC sector that processes personal data of Indian residents at scale, its implications are both immediate and structural. Penalties of up to INR 250 crore per breach, cross-border transfer obligations, Significant Data Fiduciary designations, and Data Principal rights frameworks collectively demand board-level attention, not just a compliance team response.
The organizations that will navigate this best are not those that wait for every rule to be finalized. They are those that build the foundational infrastructure now: map your data, understand your role under the Act, restructure your contracts, redesign your consent architecture, and create operational readiness for Data Principal rights. When the rules land, you will be adapting an existing programme, not scrambling to build one from scratch.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.