AMLEGALS
Global Capability Centre campus in India
GCC Privacy & DPDPA Compliance

2,100+ Global Capability Centres.
Every one is now a Data Fiduciary.

The DPDPA does not distinguish between a startup and a Fortune 500 GCC. Section 4 applies to every organisation processing digital personal data in India. The question is not whether your GCC must comply. It is whether your compliance architecture will survive the Data Protection Board's first inquiry.

Technology · Financial Services · Consulting · Healthcare · Automotive · Retail · 2,100+ Global Capability Centres across India

2,100+
GCCs Operating in India
1.9M+
Professionals Employed
$64.6B
Annual Revenue (FY2024)
₹250 Cr
Maximum DPDPA Penalty
The Compliance Imperative

India's 2,100+ Global Capability Centres generate $64.6 billion in annual revenue.
The DPDPA applies to every rupee of it that touches personal data.

Global Capability Centres are the operational backbone of the world's largest enterprises. A single GCC campus in Bengaluru builds products used by billions. A Mumbai hub processes trading data across global markets. Operations in Hyderabad serve clients in 120+ countries. They route personal data through a dozen jurisdictions before lunch. The DPDPA does not care about your global privacy programme. It asks one question: what did you build for India?

01

Structural Exposure

Every GCC transfers data cross-border by design. Section 16 creates a regulatory chokepoint that no existing GDPR programme addresses.

02

Operational Scale

With 1.9 million employees, the HR data compliance surface alone exceeds the entire customer base of most Indian companies.

03

Board-Level Governance

Section 10 SDF obligations, combined with Companies Act §166 director duty of care, create fiduciary-grade accountability. This is not a compliance function. It is a governance imperative.

Six Critical Compliance Surfaces

The Global Capability Centre Privacy Challenge Matrix

Each dimension represents a distinct compliance surface. Each requires dedicated architecture. Together, they define the Global Capability Centre's total regulatory exposure under the DPDPA.

Section 16
Transfer Restrictions

Cross-Border Data Transfers

Every GCC processes data across jurisdictions. Section 16 empowers the Central Government to restrict transfers to notified territories. In the prevailing reading, this operates as a permissive-with-exception framework — creating structural uncertainty for GCCs routing data to headquarters in the US, UK, or EU.

Read Full Analysis
1.9M+
GCC Workforce in India

Employee Data Compliance

GCCs hold extensive employee personal data — biometrics, health records, performance reviews, CCTV footage. Section 4 applies to every category. The question is not whether you process employee data. It is whether your lawful basis survives adjudication.

Read Full Analysis
Section 8(2)
Non-Delegable Liability

Vendor & Processor Governance

GCCs operate within intricate vendor ecosystems — cloud providers, staffing agencies, facility managers. Under Section 8(2), the Data Fiduciary retains liability even when processing is outsourced. Every subcontractor is a compliance surface.

Read Full Analysis
Section 8(6)
Breach Notification

Breach Response & Notification

A breach at any GCC — whether through a phishing attack, insider threat, or vendor compromise — triggers notification to the Data Protection Board and affected Data Principals under Section 8(6), in the manner prescribed by Rule 7. Separately, CERT-In mandates cyber-incident reporting within 6 hours. The operational imperative is architectural readiness, not post-hoc scrambling.

Read Full Analysis
Section 10
SDF Obligations

Board-Level Governance

GCCs processing data at scale will almost certainly be classified as Significant Data Fiduciaries. Section 10 mandates DPO appointment, periodic DPIA, independent audits, and Board-level reporting. This is not a compliance function. It is a governance obligation.

Read Full Analysis
Section 6
Consent Requirements

Consent Architecture at Scale

GCCs collecting data from millions of Indian Data Principals must build consent infrastructure that is free, specific, informed, and withdrawable. At GCC scale — with multiple data streams, purposes, and systems — this demands architectural investment, not a checkbox.

Read Full Analysis
India’s GCC Ecosystem

Six Cities. 2,100+ Global Capability Centres. Every one a compliance surface.

India accounts for over 53% of the global GCC workforce. These are the primary hubs where the DPDPA's obligations intersect with operational reality. (Source: NASSCOM–Zinnov, FY2024)

Bengaluru

750+

Deep tech, AI/ML, product engineering, R&D

35–40% of India's GCC ecosystem

Hyderabad

350+

Cloud platforms, pharma, fintech, enterprise innovation

15–18% of India's GCC ecosystem

Pune

220+

ER&D, automotive, industrial software, SaaS

10–12% of India's GCC ecosystem

Chennai

200+

Automotive, manufacturing, BFSI, shared services

9–11% of India's GCC ecosystem

Delhi NCR

280+

Product development, fintech, consulting, digital ops

12–14% of India's GCC ecosystem

Mumbai

180+

Investment banking, trading systems, insurance, media

8–10% of India's GCC ecosystem

Global Capability Centre Sectors & Compliance Surfaces

Technology & AI

200+

Product telemetry, AI training datasets, user behavioural analytics — cross-border transfers to parent R&D labs across multiple jurisdictions

Financial Services

300+

Trading data, customer KYC, cross-border transaction records — subject to overlapping RBI, SEBI, and IRDAI localisation mandates

Consulting & Professional Services

350+

Client engagement data, multi-jurisdictional advisory records, workforce analytics at the largest employee scale in India

Healthcare & Life Sciences

150+

Clinical trial data, patient records, pharmacovigilance reporting — elevated sensitivity under Section 4 read with Rule 6

Automotive & Industrial

180+

Connected vehicle data, IoT sensor feeds, supply chain partner records, R&D intellectual property with embedded personal data

Retail & Consumer

120+

Consumer purchase behaviour, loyalty programme data, supply chain workforce records — high-volume consent management challenge

“The statute does not grade Global Capability Centres by revenue, headcount, or brand equity. Section 2(i) asks a single binary question: do you process digital personal data in India? For every Global Capability Centre operating in this country, the answer is yes. The only variable is the architecture of the response.”

— AMLEGALS GCC Privacy Practice
Strategic Roadmap

Six Imperatives for Global Capability Centre Privacy Architecture

Compliance is a cost. Architecture is a capability. The difference determines which Global Capability Centres emerge from the DPDPA transition as operationally stronger.

01

Data Flow Mapping & Classification

Before compliance begins, the GCC must produce a complete cartography of its data estate — every data element, every processing purpose, every cross-border transfer, every retention period. Without this map, every subsequent control is speculative.

Deliverable:Enterprise Data Flow Inventory with DPDPA Classification Matrix
02

Lawful Basis Architecture

Every processing activity must be anchored to a lawful basis — consent under Section 6 or one of the legitimate uses enumerated under Section 7 (employment, medical emergency, epidemic/disaster, statutory obligation, among others). GCCs must evaluate each data stream against these bases and document the rationale.

Deliverable:Lawful Basis Register mapped to all GCC processing activities
03

Cross-Border Transfer Protocol

GCC data flows to headquarters in the US, UK, Germany, or Singapore must comply with Section 16. Until restricted territories are notified by the Central Government, every GCC must implement contractual safeguards, technical controls, and documented risk assessments for every outbound transfer.

Deliverable:Cross-Border Transfer Impact Assessment with contractual framework
04

Vendor Due Diligence & DPA Framework

Every vendor, subcontractor, and service provider processing personal data on behalf of the GCC must be brought under a compliant Data Processing Agreement. Section 8(2) makes this non-negotiable — liability cannot be delegated.

Deliverable:Vendor Privacy Assessment Toolkit + Model DPA for GCC operations
05

Incident Response & Notification Engine

GCCs must architect a breach detection, containment, and notification workflow that meets the Section 8(6) notification obligation read with Rule 7, alongside CERT-In's 6-hour cyber-incident reporting requirement. This requires technical detection capabilities, legal escalation protocols, and pre-drafted regulatory communications.

Deliverable:GCC-specific Incident Response Playbook with regulatory templates
06

Board Reporting & SDF Compliance

GCCs designated as Significant Data Fiduciaries must establish Board-level governance structures — DPO appointment, periodic DPIAs, independent audits, and structured Board reporting. This transforms privacy from a compliance function into a governance imperative.

Deliverable:SDF Governance Framework with Board Reporting Templates
Critical Misconception

“Our parent's GDPR programme covers our Indian GCC.”

This is the single most dangerous assumption in GCC privacy compliance. India did not copy the GDPR. The DPDPA is a sovereign statute with fundamentally different architecture — in consent mechanics, lawful bases, penalty structure, and sectoral overlay. A GDPR programme satisfies European requirements. It does not satisfy Indian law.

GDPR
Legitimate Interest (Art. 6(1)(f))
DPDPA
No equivalent. Section 7 "Legitimate Uses" is narrower.
GDPR
Data Protection Officer (Art. 37)
DPDPA
DPO must be India-based for SDFs (Section 10).
GDPR
Standard Contractual Clauses
DPDPA
No SCC equivalent. Section 16 operates, in prevailing reading, as a permissive-with-exception framework.
GDPR
Lead Supervisory Authority
DPDPA
No one-stop-shop. Data Protection Board has exclusive jurisdiction.
Read: India Did Not Copy GDPR
Frequently Asked Questions

Global Capability Centre Privacy & DPDPA Compliance

Yes. The DPDPA applies to every organisation that processes digital personal data within India, regardless of whether the organisation is incorporated in India or abroad. Every Global Capability Centre — across technology, financial services, consulting, healthcare, automotive, or retail — that collects, stores, or processes personal data of Indian Data Principals is a Data Fiduciary under the Act.

GCCs processing personal data at volume — particularly those handling employee data for thousands of professionals, customer data from Indian operations, or sensitive financial/health data — are prime candidates for SDF classification under Section 10. Major GCCs in Bengaluru, Hyderabad, and Pune processing data at the scale of Fortune 500 parent operations will almost certainly meet the thresholds. The Central Government considers volume, sensitivity, risk to sovereignty, and risk to electoral democracy when making this determination.

Section 16 permits cross-border data transfers except to countries or territories specifically restricted by the Central Government through notification. Until the negative list is published, transfers are permissible but must be documented with appropriate contractual safeguards. Sector-specific regulators (RBI, IRDAI, SEBI) may impose additional data localisation requirements.

Penalties under the DPDPA may extend up to two hundred and fifty crore rupees in specified cases under the Schedule. The Data Protection Board has the power to adjudicate complaints, issue directions, and impose penalties. Separate penalty provisions apply for breach of different obligations.

No. The DPDPA is a sovereign statute with its own definitions, obligations, and enforcement mechanisms. While GDPR compliance provides a useful foundation, it does not satisfy DPDPA requirements. India did not copy GDPR — the architecture is fundamentally different in consent mechanics, lawful bases, penalty structure, and sectoral overlay.

Begin with a comprehensive data flow mapping exercise to understand what personal data the GCC processes, the lawful basis for each processing activity, cross-border transfer destinations, and vendor relationships. This cartography forms the foundation for every subsequent compliance control.

Begin Your Assessment

Your Global Capability Centre processes personal data every second.
Is the evidence contemporaneous?

The Data Protection Board will not ask whether your Global Capability Centre intended to comply. It will ask what you built, when you built it, and whether the evidence is contemporaneous. That inquiry defines the difference between a defensible programme and an enforcement proceeding.

AMLEGALS · 27 Years · 10 Offices · Counsel-Led DPDPA Advisory

All statistics sourced from NASSCOM–Zinnov GCC India Landscape Report, FY2024. Sector-level data is indicative of the Global Capability Centre ecosystem in India.

Insights & Answers

What practitioners and boards are asking

What DPDPA obligations apply to Global Capability Centres in India?

Every Global Capability Centre (GCC) processing digital personal data in India is a Data Fiduciary under Section 2(i) of DPDPA 2023. GCCs must implement consent architecture under Section 6, data processing agreements under Section 8(2), breach notification under Section 8(6) read with Rule 7, cross border transfer compliance under Section 16, and Board level governance under Section 10 if classified as Significant Data Fiduciary. With 2,100+ GCCs employing 1.9 million professionals (NASSCOM–Zinnov FY2024), the compliance surface is substantial.

Why do GCCs face unique DPDPA compliance challenges?

GCCs face dual regulatory exposure because they process data both as Indian Data Fiduciaries and as offshore processors for parent entities. They must reconcile DPDPA with GDPR, CCPA, PIPL, or PDPA requirements simultaneously. Key challenges include Section 16 cross border transfer structuring for data flowing to parent headquarters, employee biometric and HR data governance, multi-jurisdictional vendor chains under Section 8(2), and Significant Data Fiduciary classification thresholds. The $64.6 billion GCC ecosystem cannot afford to treat DPDPA as a bolt-on.

How does DPDPA Section 16 affect GCC cross border data transfers?

Section 16 of DPDPA permits cross border transfers to all jurisdictions except those on the Government's negative list (yet to be notified). This is structurally different from GDPR's adequacy mechanism. GCCs must still implement contractual safeguards, data processing agreements, and transfer impact assessments for data flowing to parent entities abroad. Sector specific restrictions from RBI, IRDAI, and SEBI may impose additional localisation requirements on regulated data categories.

What is AMLEGALS GCC privacy advisory practice?

AMLEGALS provides counsel led DPDPA compliance for Global Capability Centres across six domains: cross border data transfer structuring under Section 16, employee and HR data governance, vendor and processor chain management under Section 8(2), breach response and CERT-In coordination under Section 8(6) and Rule 7, Board governance and SDF readiness under Section 10, and enterprise consent architecture. The firm serves GCCs across Bengaluru, Hyderabad, Pune, Chennai, Delhi NCR, and Mumbai from 10 offices in India.