Last Updated: 2026-03-17 ~ DPDP Consultants
Most global capability centres operating in India are yet to
align with the Digital Personal Data Protection Act, with the compliance window
narrowing rapidly, industry experts warn.
A significant majority of Global Capability Centres (GCCs)
operating across India remain in the early stages of compliance with the
country's landmark Digital Personal Data Protection (DPDP) Act, 2023, even as
the regulatory clock ticks toward a critical deadline now roughly 14 months
away, according to senior industry experts and legal professionals tracking the
space.
The DPDP Act, which received presidential assent in August
2023, represents the most comprehensive overhaul of India's data governance
framework in decades. It mandates stringent obligations on data fiduciaries —
including consent management, data minimisation, purpose limitation, and robust
grievance redressal mechanisms. For GCCs, which handle vast volumes of
sensitive personal and enterprise data on behalf of their parent organisations
globally, the compliance stakes are especially high.
A Slow Start Despite High Stakes
Despite the law having been on the books for over two years,
experts indicate that most GCCs have yet to move beyond initial assessments.
Many centres are still conducting gap analyses or mapping their data flows —
foundational steps that ideally should have been completed much earlier in the
compliance journey.
"There is a concerning disparity between awareness and
action," said a senior data privacy consultant who advises several Fortune
500-affiliated GCCs in Bengaluru and Hyderabad. "Organisations understand
that the DPDP Act exists, but translating that awareness into operational
readiness — updating consent frameworks, appointing Data Protection Officers,
and implementing technical controls — has been painfully slow."
The sluggish pace is attributed to multiple factors:
continued uncertainty around the final rules that the Ministry of Electronics
and Information Technology (MeitY) is yet to fully notify, resource constraints
within legal and compliance teams, and a tendency to wait for regulatory
clarity before committing to large-scale implementation investments.
The Compliance Chasm
Under the DPDP Act, data fiduciaries are required to, among
other things, obtain free, specific, informed, and unambiguous consent from
data principals before processing their personal data. They must also honour
rights such as data access, correction, and erasure, while ensuring that
personal data is not retained beyond the period necessary for its intended
purpose.
For GCCs — which often act as shared services hubs
processing payroll, human resources, customer support, and research data —
compliance involves navigating complex data-sharing arrangements across
jurisdictions. Many of these centres process data originating from both Indian
and international customers, adding layers of cross-border transfer
considerations.
Legal experts point out that GCCs face a dual compliance
burden: they must align with the DPDP Act domestically while simultaneously
adhering to the data protection regimes of their parent company's home country,
such as the European Union's General Data Protection Regulation (GDPR) or the
California Consumer Privacy Act (CCPA).
"Having GDPR frameworks in place does not automatically
make a GCC DPDP-compliant," cautioned a partner at a leading Indian law
firm specialising in technology regulation. "The two regimes share
philosophical similarities, but differ significantly in implementation —
particularly on consent architecture and the rights of data principals."
The 14-Month Window: A False Comfort
Experts caution that the apparent buffer of approximately 14
months should not lull organisations into complacency. Full DPDP compliance is
not a matter of flipping a switch — it demands structural changes to data
workflows, IT architecture, vendor contracts, employee training programmes, and
internal governance policies.
"Fourteen months sounds like a reasonable runway, but
for organisations that have not started in earnest, it is already tight,"
said a Chief Information Security Officer at a major technology GCC
headquartered in Pune. "Retrofitting consent mechanisms and data
localisation frameworks into legacy systems takes time, budget, and executive
buy-in — all of which need to be mobilised now."
The penalties under the DPDP Act are significant.
Organisations found to be in breach of obligations related to the security of
personal data can face fines of up to ₹250 crore per instance of
non-compliance, while failure to notify data breaches can attract penalties of
up to ₹200 crore. Repeated or egregious violations could invite even steeper
consequences.
The Road Ahead
Industry associations and legal advisors are calling on GCCs
to accelerate compliance efforts by prioritising three immediate actions:
conducting comprehensive data inventories, engaging legal counsel to interpret
obligations specific to their business model, and establishing an internal DPDP
steering committee with representation from legal, IT, HR, and senior
leadership.
Some larger GCCs with mature privacy practices —
particularly those already aligned with GDPR — are further along the compliance
curve and are expected to meet the deadline with manageable adjustments.
However, mid-sized and newer centres, which collectively account for a growing
share of India's GCC ecosystem, face a steeper climb.
India is now home to over 1,700 GCCs employing more than 1.9
million professionals, with the sector projected to reach a valuation of $100
billion by 2030. As the country cements its position as a global hub for
high-value technology and business services, robust data protection practices
are increasingly viewed not just as a regulatory necessity but as a competitive
differentiator — one that global clients and partners will scrutinise closely.
"The organisations that treat DPDP compliance as a
strategic priority rather than a box-ticking exercise will be better positioned
to win and retain global mandates," said the data privacy consultant.
"The deadline is firm. The question is whether the will is equally
firm."
Reporting based on expert commentary and publicly available
information on India's Digital Personal Data Protection Act, 2023, and its
implications for Global Capability Centres.