
2,100+ Global Capability Centres.
Every one is now a Data Fiduciary.
The DPDPA does not distinguish between a startup and a Fortune 500 GCC. Section 4 applies to every organisation processing digital personal data in India. The question is not whether your GCC must comply. It is whether your compliance architecture will survive the Data Protection Board's first inquiry.
Google · Microsoft · Amazon · JPMorgan · Goldman Sachs · Accenture · Deloitte · Walmart · Mercedes-Benz · 2,100+ centres in India
India’s 2,100+ GCCs generate $64.6 billion in annual revenue.
The DPDPA applies to every rupee of it that touches personal data.
Global Capability Centres are the operational backbone of the world's largest enterprises. Google's Bengaluru campus builds products used by billions. JPMorgan's Mumbai hub processes trading data across global markets. Accenture's Indian operations serve clients in 120+ countries. They route personal data through a dozen jurisdictions before lunch. The DPDPA does not care about your global privacy programme. It asks one question: what did you build for India?
The GCC Privacy Challenge Matrix
Each dimension represents a distinct compliance surface. Each requires dedicated architecture. Together, they define the GCC's regulatory exposure under the DPDPA.
Six Cities. 2,100+ Centres. Every one a compliance surface.
India accounts for over 53% of the global GCC workforce. These are the primary hubs where the DPDPA's obligations intersect with operational reality. (Source: NASSCOM–Zinnov, FY2024)
Bengaluru · 750+ · Deep tech, AI/ML, product engineering, R&D
Hyderabad · 350+ · Cloud platforms, pharma, fintech, enterprise innovation
Pune · 220+ · ER&D, automotive, industrial software, SaaS
Chennai · 200+ · Automotive, manufacturing, BFSI, shared services
Delhi NCR · 280+ · Product development, fintech, consulting, digital ops
Mumbai · 180+ · Investment banking, trading systems, insurance, media
Who operates GCCs in India?
Technology & AI
Financial Services
Consulting & Professional Services
Healthcare & Life Sciences
Automotive & Industrial
Retail & Consumer
“Every one of these organisations processes digital personal data in India. Every one is a Data Fiduciary under Section 2(i). The statute does not grade by revenue, headcount, or brand equity. It asks a single binary question: do you process personal data? The answer, for every GCC, is yes.”
— AMLEGALS GCC Privacy Practice
Six Imperatives for GCC Privacy Architecture
A sequenced programme that converts regulatory obligation into operational capability.
Data Flow Mapping & Classification
Before compliance begins, the GCC must produce a complete cartography of its data estate — every data element, every processing purpose, every cross-border transfer, every retention period. Without this map, every subsequent control is speculative.
Lawful Basis Architecture
Every processing activity must be anchored to a lawful basis — consent under Section 6 or one of the legitimate uses enumerated under Section 7 (employment, medical emergency, epidemic/disaster, statutory obligation, among others). GCCs must evaluate each data stream against these bases and document the rationale.
Cross-Border Transfer Protocol
GCC data flows to headquarters in the US, UK, Germany, or Singapore must comply with Section 16. Until restricted territories are notified by the Central Government, every GCC must implement contractual safeguards, technical controls, and documented risk assessments for every outbound transfer.
Vendor Due Diligence & DPA Framework
Every vendor, subcontractor, and service provider processing personal data on behalf of the GCC must be brought under a compliant Data Processing Agreement. Section 8(2) makes this non-negotiable — liability cannot be delegated.
Incident Response & Notification Engine
GCCs must architect a breach detection, containment, and notification workflow that meets the Section 8(6) notification obligation read with Rule 7, alongside CERT-In's 6-hour cyber-incident reporting requirement. This requires technical detection capabilities, legal escalation protocols, and pre-drafted regulatory communications.
Board Reporting & SDF Compliance
GCCs designated as Significant Data Fiduciaries must establish Board-level governance structures — DPO appointment, periodic DPIAs, independent audits, and structured Board reporting. This transforms privacy from a compliance function into a governance imperative.
“Our parent's GDPR programme covers our Indian GCC.”
This is the single most dangerous assumption in GCC privacy compliance. India did not copy the GDPR. The DPDPA is a sovereign statute with fundamentally different architecture — in consent mechanics, lawful bases, penalty structure, and sectoral overlay. A GDPR programme satisfies European requirements. It does not satisfy Indian law.
GCC Privacy & DPDPA Compliance
Yes. The DPDPA applies to every organisation that processes digital personal data within India, regardless of whether the organisation is incorporated in India or abroad. Every GCC — whether operated by Google, JPMorgan, Accenture, or a mid-market enterprise — that collects, stores, or processes personal data of Indian Data Principals is a Data Fiduciary under the Act.
GCCs processing personal data at volume — particularly those handling employee data for thousands of professionals, customer data from Indian operations, or sensitive financial/health data — are prime candidates for SDF classification under Section 10. Major GCCs in Bengaluru, Hyderabad, and Pune processing data at the scale of Fortune 500 parent operations will almost certainly meet the thresholds. The Central Government considers volume, sensitivity, risk to sovereignty, and risk to electoral democracy when making this determination.
Section 16 permits cross-border data transfers except to countries or territories specifically restricted by the Central Government through notification. Until the negative list is published, transfers are permissible but must be documented with appropriate contractual safeguards. Sector-specific regulators (RBI, IRDAI, SEBI) may impose additional data localisation requirements.
Penalties under the DPDPA may extend up to two hundred and fifty crore rupees in specified cases under the Schedule. The Data Protection Board has the power to adjudicate complaints, issue directions, and impose penalties. Separate penalty provisions apply for breach of different obligations.
No. The DPDPA is a sovereign statute with its own definitions, obligations, and enforcement mechanisms. While GDPR compliance provides a useful foundation, it does not satisfy DPDPA requirements. India did not copy GDPR — the architecture is fundamentally different in consent mechanics, lawful bases, penalty structure, and sectoral overlay.
Begin with a comprehensive data flow mapping exercise to understand what personal data the GCC processes, the lawful basis for each processing activity, cross-border transfer destinations, and vendor relationships. This cartography forms the foundation for every subsequent compliance control.
Your GCC processes personal data every second.
Is the evidence contemporaneous?
Our counsel-led GCC privacy assessment maps your entire data estate, identifies structural exposure across all six compliance surfaces, and architects a programme that withstands regulatory scrutiny.
AMLEGALS · 27 Years · 10 Offices · Counsel-Led DPDPA Advisory
Company names referenced on this page are illustrative of the GCC ecosystem in India and do not imply any client relationship, endorsement, or affiliation with AMLEGALS. Statistics sourced from NASSCOM–Zinnov GCC India Landscape Report, FY2024.