It is estimated that India is home to more than 1,800 Global Capability Centres (“GCCs”) that employ over 1.8 million professionals. In addition to providing technology-related services, GCCs increasingly serve as global centres of excellence across finance, legal, and HR functions, enabling their foreign parent entity (“Foreign Entity”) to centralize these critical functions in a single location.
This article examines the implications of India’s new data privacy regime, the Digital Personal Data Protection Act, 2023, together with the Digital Personal Data Protection Rules, 2025 (collectively, the “DPDP Framework”), for GCCs in India. The DPDP Framework is being rolled out in phases, with its core obligations and compliance requirements scheduled to take effect on May 13, 2027.
Applicability of the DPDP Framework to GCCs
The DPDP Framework applies to the processing of all digital personal data within India. It also has extra-territorial applicability and applies to the processing of digital personal data outside India if such processing is in connection with any activity related to the offering of goods or services to a data principal (i.e., the individual to whom the personal data relates) within India. Most importantly for GCCs, almost all substantive obligations and compliance requirements under the DPDP Framework do not apply to an entity in India processing personal data of foreign data principals pursuant to a cross-border contract with an entity outside India (“Outsourcing Exemption”).
Accordingly, the DPDP Framework would apply differently to the various personal data processing activities undertaken by GCCs. In view of the Outsourcing Exemption, minimal obligations under the DPDP Framework would apply to a GCC’s processing of personal data of foreign data principals while rendering services for and/or on behalf of the Foreign Entity. However, the DPDP Framework would apply in its entirety to a GCC’s processing of personal data of its Indian data principals as a data fiduciary, for example, the GCC’s employees or vendors in India.
Additionally, almost all obligations under the DPDP Framework apply to a data fiduciary (i.e., the entity determining the purpose and means of processing personal data), and the law does not prescribe any specific obligations or compliance requirements for data processors, which are entities that solely process personal data on behalf of and based on instructions of data fiduciaries. This would in turn mean that the DPDP Framework would not directly apply to GCCs in processing scenarios where they act as a data processor, including where they process personal data on behalf of and for purposes and means determined by the Foreign Entity.
The need to map data streams
As a first step for compliance with the DPDP Framework, GCCs would need to undertake a data mapping exercise and catalogue the categories of personal data they collect, the data principals (for example, employees, vendors, contractors, customers, etc.) from whom they collect such personal data, the purposes of processing such personal data, where and how long such personal data has been retained, whether consent was previously obtained for processing the collected personal data, etc.
Once the data mapping exercise is completed, GCCs would need to analyze each processing scenario and determine the scenarios in which they qualify as a data fiduciary since, as stated above, by and large, the DPDP Framework does not apply to data processors.
On a practical note, in processing scenarios where they act as a data fiduciary, GCCs could categorize the personal data they process into two streams:
- Foreign data stream: Personal data of foreign data principals processed by the GCC pursuant to a contract with the Foreign Entity. As stated above, the Outsourcing Exemption would apply to such processing and most substantive DPDP Framework obligations do not apply here, except for the obligations to implement reasonable security safeguards and maintain processor governance.
- India-facing data stream: Personal data of Indian data principals processed by the GCC, for example, personal data of employees, job applicants, contractors, customers, vendors, website visitors, etc.
It is clarified that all obligations under the DPDP Framework apply where the GCC acts as a data fiduciary while processing the India-facing data stream. These include, among others, processing the India-facing data stream pursuant to a lawful basis prescribed under the DPDP Framework, facilitating rights of data principals, implementing reasonable security safeguards to prevent a personal data breach and appropriate technical and organizational safeguards to comply with the DPDP Framework, reporting personal data breaches, and complying with data deletion and data retention obligations.
Lawful bases and notices
Consent is the main lawful ground for processing personal data under the DPDP Framework. The law requires consent to be free, specific, informed, unconditional, unambiguous, and expressed by an affirmative action. Additionally, a clear and standalone privacy notice must be provided to data principals prior to obtaining their consent. The law requires that a privacy notice must include an itemized list of personal data, specify the purpose and services enabled, and include direct links for exercising rights, withdrawing consent, and complaining to the Data Protection Board. Further, consent must be obtained by providing a ‘request for consent’ in a prescribed manner, and requests for consent and privacy notices must be made available in English and the 22 languages listed in the Eighth Schedule of the Indian Constitution.
The DPDP Framework, however, permits processing without consent for certain ‘legitimate uses’, which include, among others, processing of personal data voluntarily provided by a data principal on his/her own initiative without indicating that he/she does not consent to such processing, processing for medical emergencies or for providing services during an epidemic or threat to public health, and processing for purposes of employment or for safeguarding an employer from loss or liability or for provision of a benefit sought by an employee (collectively “Legitimate Uses”). Apart from Legitimate Uses, the DPDP Framework prescribes certain exempted purposes of processing to which most obligations, including consent and notice requirements, do not apply. Such exempted purposes include the Outsourcing Exemption, processing of personal data necessary to enforce a legal right or a claim, processing in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law, and processing for a court-approved corporate restructuring (collectively “Exempted Purposes”).
GCCs will essentially need to analyze each purpose for which they process the India-facing data stream of their data principals. Where such purpose is not a Legitimate Use or an Exempted Purpose, the consent and notice requirements under the DPDP Framework would be applicable.
Facilitating rights of data principals
Where processing is based on consent, data principals are granted rights to: (i) access information about their personal data so processed (including a summary of personal data processed, processing activities undertaken, identities of data fiduciaries and data processors with whom their personal data is shared and a description of the personal data so shared); (ii) correct, complete, update, and erase their personal data; (iii) withdraw consent; (iv) obtain grievance redressal within 90 days; and (v) nominate another person who shall exercise his/her rights under the DPDP Framework in case of his/her death or disability. GCCs will have to facilitate exercise of the foregoing rights and publish on their website and/or web application the details of the means for exercise of such rights by data principals.
It is clarified that where processing is for Legitimate Uses or Exempted Purposes, the rights under (i), (ii) and (iii) above are not available to data principals.
Information Security Safeguards
The DPDP Framework prescribes certain baseline “reasonable security safeguards” that must be implemented by all data fiduciaries. These include encryption, obfuscation, access controls, data backups and log retention. In addition to the foregoing, GCCs may need to implement additional security safeguards based on their personal data processing activities and industry best practices.
Data Processor Governance
As previously mentioned, the DPDP Framework does not impose standalone statutory obligations on data processors; rather, data fiduciaries remain responsible for processing carried out on their behalf. Accordingly, GCCs should ensure their processor contracts flow down all applicable DPDP obligations and include indemnities supported by specific representations and warranties, so as to mitigate any loss, damage, or liability arising from a processor’s non-compliance with the DPDP Framework.
Personal data breach notifications
The DPDP Framework does not prescribe any impact or harm thresholds for breach reporting. Instead, it requires all personal data breaches to be reported to all affected data principals ‘without delay’ after becoming aware of a breach; and prescribes a two-tier reporting mechanism to the Data Protection Board, the first ‘without delay’ and the second within 72 hours after becoming aware of a breach. It is clarified that the 6-hour breach reporting requirement to the Computer Emergency Response Team (CERT) under the Information Technology Act, 2000, would continue to remain applicable for GCCs in India.
Cross‑border transfers
The DPDP Framework does not include any restrictions for cross-border transfer of personal data. That said, the law empowers the government to notify a blacklist of countries to which transfer of personal data would be restricted. GCCs would therefore need to monitor restrictions, and update group policies and intercompany agreements accordingly. It is relevant to note that the DPDP Framework grants broad exemptions and extensive data access powers to the government. This would be material to Schrems II transfer impact assessments for EU-to-India transfers supporting GCC operations.
Data Retention and Data Deletion Obligations
Where processing is based on consent, unless retention is required to comply with any other applicable law, the DPDP Framework obligates deletion of personal data once consent is withdrawn, or the specified purpose of processing is fulfilled (whichever is earlier). That said, the DPDP Framework requires all data fiduciaries to retain all personal data (including personal data processed by their data processors) and associated traffic data and logs for a period of one year from the date of completion of its processing for use by the government for purposes that broadly relate to national security. Additionally, all data fiduciaries are obligated to retain logs enabling detection, investigation, and remediation of any unauthorized access to personal data for a minimum period of one year.
Enforcement and penalties
The Data Protection Board of India, i.e., the adjudicatory authority set up under the DPDP Framework, has inquiry and direction powers and can impose monetary penalties for contraventions, with repeated non‑compliance risking blocking directions. Illustratively, failures to implement reasonable security safeguards can attract monetary penalties of up to INR 250 crore, and breach‑notification failures and child‑protection contraventions can result in penalties of up to INR 200 crore; and there is a residuary penalty of up to INR 50 crore prescribed for contraventions for which no specific penalty has been prescribed.
Way Forward
With core DPDP obligations taking effect on May 13, 2027, GCCs should urgently launch a structured gap assessment, assign accountable owners, and build a program plan to reach operational readiness well before the deadline.
Even GDPR-compliant GCCs would need to implement India-specific controls to meet the DPDP Framework’s unique requirements, including tailored privacy notices, consents, data-principal rights handling, retention/logging expectations, and India-facing governance. A timely, India-specific compliance lift now will position GCCs to meet the DPDP Framework with confidence and to turn compliance into a competitive advantage.