
Board-Level Governance for GCCs Under the DPDPA
Section 10 elevates privacy from compliance function to governance imperative. For GCCs classified as Significant Data Fiduciaries, the boardroom is the compliance surface.
When a GCC is designated as a Significant Data Fiduciary, privacy exits the compliance department and enters the boardroom. Section 10 makes it structural.
Section 10 of the DPDPA empowers the Central Government to designate certain Data Fiduciaries as "Significant" based on volume and sensitivity of data processed, risk to Data Principals, potential impact on sovereignty and integrity, and risk to electoral democracy. GCCs processing millions of records, handling sensitive employee data, and operating cross-border data flows are prime candidates for SDF designation. The obligations that follow — DPO appointment, periodic DPIAs, independent audits, and Board-level reporting — transform the privacy function from an operational compliance exercise into a strategic governance imperative.
Why Board-Level Governance Is Non-Negotiable for GCCs
SDF obligations under Section 10, combined with director duty of care under Companies Act §166, make privacy governance a fiduciary imperative — not a compliance checkbox.
The DPDPA does not create a direct personal criminal liability provision for directors. However, Board members and senior officers of GCCs face significant indirect exposure. Under Companies Act 2013 §166, every director has a duty to exercise due diligence and act in the best interests of the company. A director who fails to establish adequate data protection governance — resulting in penalties of up to ₹250 crore under the DPDPA Schedule — faces derivative suit exposure, D&O insurance implications, and potential §166 action for breach of fiduciary duty. Privacy governance is no longer a problem that can be delegated to the IT department.
The SDF obligations under Section 10 are operationally demanding. The DPO must be based in India, report to the Board, and be independently resourced. DPIAs must be conducted periodically and before any new processing that presents significant risk. Independent audits must be performed by qualified auditors and reported to the Data Protection Board. Each obligation generates a specific deliverable that the Board must review, approve, and document.
For GCCs with dual reporting lines — to the local Board in India and to the global parent — this creates a governance complexity. The Indian Board must have independent authority over data protection decisions that affect Indian Data Principals. The DPO's reporting line must reach the Indian Board, not merely the global privacy office. This structural requirement may require amendments to existing governance frameworks.
SDF Governance Architecture for GCCs
Six governance pillars that every GCC classified as a Significant Data Fiduciary must establish.
Data Protection Officer
Appoint a DPO who is based in India, possesses appropriate expertise, and reports directly to the Board of the Indian entity. The DPO serves as the point of contact for the Data Protection Board and must be independently resourced.
Data Protection Impact Assessment
Conduct DPIAs periodically and before any new processing activity that presents significant risk. The DPIA must evaluate processing necessity, proportionality, risks to Data Principals, and mitigation measures. Document findings and Board approval.
Independent Audit
Engage qualified, independent auditors to audit the GCC's data protection practices. Audit reports must be submitted to the Data Protection Board. Audit scope covers processing activities, security safeguards, consent management, and breach response capabilities.
Board-Level Reporting
Establish a structured Board reporting framework for data protection. Quarterly reports should cover compliance posture, incident metrics, DPIA outcomes, audit findings, vendor risk assessments, and regulatory developments.
Compliance Programme Documentation
Maintain contemporaneous records of all compliance activities — policies, training records, consent logs, processing registers, breach reports, and vendor assessments. This documentation is the GCC's primary defence in any regulatory proceeding.
Director Duty of Care & D&O Exposure
Ensure that Board members and senior officers understand their indirect exposure — Companies Act §166 fiduciary duty, D&O insurance implications, derivative suit risk, and reputational consequences of regulatory penalties. Implement awareness programmes and maintain records of Board deliberations on privacy matters.
The Dual Reporting Challenge: Indian Board vs Global Parent
GCC governance structures must balance global integration with Indian regulatory sovereignty — and the DPDPA's requirements are uncompromising.
Most GCCs operate with governance structures that route key decisions through the global parent. Privacy governance, under many existing frameworks, is managed through a global Chief Privacy Officer or global DPO. The DPDPA disrupts this model. Section 10 requires that the DPO of an SDF be based in India and represent the Indian entity before the Data Protection Board. The DPO's authority must be sufficient to make binding decisions on privacy matters affecting Indian Data Principals. This does not preclude coordination with the global privacy function, but it establishes that the Indian governance structure must have independent decision-making authority. GCCs that fail to restructure their governance to meet this requirement will face regulatory challenges.
“The Data Protection Board will not ask whether the global parent had a privacy programme. It will ask what the Indian Board did, what the Indian DPO reported, and whether the evidence is contemporaneous.”
— AMLEGALS GCC Privacy Practice
Frequently Asked Questions
Key questions on GCC Board-level privacy under the DPDPA.
The DPDPA requires the DPO to represent the SDF before the Data Protection Board. While the Act does not explicitly mandate employment, the DPO must be based in India, have sufficient authority, and be independently resourced. Practical regulatory expectation is that the DPO has a formal relationship with the Indian entity — whether as employee, officer, or retained counsel.
A global DPIA may serve as a starting point, but it must be supplemented with India-specific analysis. The DPIA must evaluate processing against DPDPA provisions, Indian sectoral regulations, and risks specific to Indian Data Principals. A generic global assessment will not satisfy the Section 10(2)(b) requirement.
The auditor must be independent of the GCC — meaning no financial interest, no employment relationship, and no conflict of interest. The auditor should possess relevant qualifications in data protection, information security, or regulatory compliance. The Data Protection Board may issue further guidance on auditor qualifications.
The DPDPA itself does not create direct personal criminal liability for directors. However, exposure arises indirectly: Companies Act 2013 §166 imposes a duty of care on every director to act in the company's best interests. A failure to establish adequate data protection governance — resulting in substantial penalties under the DPDPA Schedule — can ground a §166 action, trigger D&O claims, and invite derivative suits. The reputational consequence of a Board-level governance failure at a marquee GCC adds a further dimension of risk.
Establish Your GCC's Board-Level Privacy Governance
Our engagement designs the complete SDF governance architecture — DPO mandate, DPIA framework, audit programme, and Board reporting structure.
