
2,100+ Global Capability Centres.
Every one is now a Data Fiduciary.
The DPDPA does not distinguish between a startup and a Fortune 500 GCC. Section 4 applies to every organisation processing digital personal data in India. The question is not whether your GCC must comply. It is whether your compliance architecture will survive the Data Protection Board's first inquiry.
Technology · Financial Services · Consulting · Healthcare · Automotive · Retail · 2,100+ Global Capability Centres across India
India's 2,100+ Global Capability Centres generate $64.6 billion in annual revenue.
The DPDPA applies to every rupee of it that touches personal data.
Global Capability Centres are the operational backbone of the world's largest enterprises. A single GCC campus in Bengaluru builds products used by billions. A Mumbai hub processes trading data across global markets. Operations in Hyderabad serve clients in 120+ countries. They route personal data through a dozen jurisdictions before lunch. The DPDPA does not care about your global privacy programme. It asks one question: what did you build for India?
The Global Capability Centre Privacy Challenge Matrix
Each dimension represents a distinct compliance surface. Each requires dedicated architecture. Together, they define the Global Capability Centre's total regulatory exposure under the DPDPA.
Six Cities. 2,100+ Global Capability Centres. Every one a compliance surface.
India accounts for over 53% of the global GCC workforce. These are the primary hubs where the DPDPA's obligations intersect with operational reality. (Source: NASSCOM–Zinnov, FY2024)
Bengaluru
750+Deep tech, AI/ML, product engineering, R&D
Hyderabad
350+Cloud platforms, pharma, fintech, enterprise innovation
Pune
220+ER&D, automotive, industrial software, SaaS
Chennai
200+Automotive, manufacturing, BFSI, shared services
Delhi NCR
280+Product development, fintech, consulting, digital ops
Mumbai
180+Investment banking, trading systems, insurance, media
Global Capability Centre Sectors & Compliance Surfaces
Technology & AI
Product telemetry, AI training datasets, user behavioural analytics — cross-border transfers to parent R&D labs across multiple jurisdictions
Financial Services
Trading data, customer KYC, cross-border transaction records — subject to overlapping RBI, SEBI, and IRDAI localisation mandates
Consulting & Professional Services
Client engagement data, multi-jurisdictional advisory records, workforce analytics at the largest employee scale in India
Healthcare & Life Sciences
Clinical trial data, patient records, pharmacovigilance reporting — elevated sensitivity under Section 4 read with Rule 6
Automotive & Industrial
Connected vehicle data, IoT sensor feeds, supply chain partner records, R&D intellectual property with embedded personal data
Retail & Consumer
Consumer purchase behaviour, loyalty programme data, supply chain workforce records — high-volume consent management challenge
“The statute does not grade Global Capability Centres by revenue, headcount, or brand equity. Section 2(i) asks a single binary question: do you process digital personal data in India? For every Global Capability Centre operating in this country, the answer is yes. The only variable is the architecture of the response.”
— AMLEGALS GCC Privacy Practice
Six Imperatives for Global Capability Centre Privacy Architecture
Compliance is a cost. Architecture is a capability. The difference determines which Global Capability Centres emerge from the DPDPA transition as operationally stronger.
Data Flow Mapping & Classification
Before compliance begins, the GCC must produce a complete cartography of its data estate — every data element, every processing purpose, every cross-border transfer, every retention period. Without this map, every subsequent control is speculative.
Lawful Basis Architecture
Every processing activity must be anchored to a lawful basis — consent under Section 6 or one of the legitimate uses enumerated under Section 7 (employment, medical emergency, epidemic/disaster, statutory obligation, among others). GCCs must evaluate each data stream against these bases and document the rationale.
Cross-Border Transfer Protocol
GCC data flows to headquarters in the US, UK, Germany, or Singapore must comply with Section 16. Until restricted territories are notified by the Central Government, every GCC must implement contractual safeguards, technical controls, and documented risk assessments for every outbound transfer.
Vendor Due Diligence & DPA Framework
Every vendor, subcontractor, and service provider processing personal data on behalf of the GCC must be brought under a compliant Data Processing Agreement. Section 8(2) makes this non-negotiable — liability cannot be delegated.
Incident Response & Notification Engine
GCCs must architect a breach detection, containment, and notification workflow that meets the Section 8(6) notification obligation read with Rule 7, alongside CERT-In's 6-hour cyber-incident reporting requirement. This requires technical detection capabilities, legal escalation protocols, and pre-drafted regulatory communications.
Board Reporting & SDF Compliance
GCCs designated as Significant Data Fiduciaries must establish Board-level governance structures — DPO appointment, periodic DPIAs, independent audits, and structured Board reporting. This transforms privacy from a compliance function into a governance imperative.
“Our parent's GDPR programme covers our Indian GCC.”
This is the single most dangerous assumption in GCC privacy compliance. India did not copy the GDPR. The DPDPA is a sovereign statute with fundamentally different architecture — in consent mechanics, lawful bases, penalty structure, and sectoral overlay. A GDPR programme satisfies European requirements. It does not satisfy Indian law.
Global Capability Centre Privacy & DPDPA Compliance
Yes. The DPDPA applies to every organisation that processes digital personal data within India, regardless of whether the organisation is incorporated in India or abroad. Every Global Capability Centre — across technology, financial services, consulting, healthcare, automotive, or retail — that collects, stores, or processes personal data of Indian Data Principals is a Data Fiduciary under the Act.
GCCs processing personal data at volume — particularly those handling employee data for thousands of professionals, customer data from Indian operations, or sensitive financial/health data — are prime candidates for SDF classification under Section 10. Major GCCs in Bengaluru, Hyderabad, and Pune processing data at the scale of Fortune 500 parent operations will almost certainly meet the thresholds. The Central Government considers volume, sensitivity, risk to sovereignty, and risk to electoral democracy when making this determination.
Section 16 permits cross-border data transfers except to countries or territories specifically restricted by the Central Government through notification. Until the negative list is published, transfers are permissible but must be documented with appropriate contractual safeguards. Sector-specific regulators (RBI, IRDAI, SEBI) may impose additional data localisation requirements.
Penalties under the DPDPA may extend up to two hundred and fifty crore rupees in specified cases under the Schedule. The Data Protection Board has the power to adjudicate complaints, issue directions, and impose penalties. Separate penalty provisions apply for breach of different obligations.
No. The DPDPA is a sovereign statute with its own definitions, obligations, and enforcement mechanisms. While GDPR compliance provides a useful foundation, it does not satisfy DPDPA requirements. India did not copy GDPR — the architecture is fundamentally different in consent mechanics, lawful bases, penalty structure, and sectoral overlay.
Begin with a comprehensive data flow mapping exercise to understand what personal data the GCC processes, the lawful basis for each processing activity, cross-border transfer destinations, and vendor relationships. This cartography forms the foundation for every subsequent compliance control.
Your Global Capability Centre processes personal data every second.
Is the evidence contemporaneous?
The Data Protection Board will not ask whether your Global Capability Centre intended to comply. It will ask what you built, when you built it, and whether the evidence is contemporaneous. That inquiry defines the difference between a defensible programme and an enforcement proceeding.
AMLEGALS · 27 Years · 10 Offices · Counsel-Led DPDPA Advisory
All statistics sourced from NASSCOM–Zinnov GCC India Landscape Report, FY2024. Sector-level data is indicative of the Global Capability Centre ecosystem in India.