
Data Privacy & DPDPA Compliance

Digital Personal Data Protection Act 2023 compliance framework, cross-border data transfer protocols, data localization requirements, and cybersecurity obligations for GCC operations.

Overview

The Digital Personal Data Protection Act 2023 fundamentally reshapes data governance obligations for GCCs processing personal data of individuals in India or offering goods/services to individuals in India. GCCs, whether functioning as data fiduciaries or data processors, must implement consent architecture, privacy-by-design principles, data minimization practices, purpose limitation protocols, and data subject rights management systems. Cross-border data transfers—a lifeblood of GCC operations serving global parent entities—require whitelisted country determinations or standard contractual clauses. The Act introduces significant penalty exposure (up to Rs 250 crore per violation) and mandates appointment of data protection officers for significant data fiduciaries. Cybersecurity incident reporting obligations under IT Act 2000 rules layer additional compliance. For GCCs handling sensitive personal data (health, biometric, financial, genetic), enhanced processing restrictions apply. The interplay between DPDPA, sectoral regulations (RBI, SEBI, IRDAI guidelines on data), and parent company extraterritorial privacy laws (GDPR, CCPA) creates a complex compliance web requiring jurisdiction-specific data mapping, technical controls implementation, and vendor due diligence protocols.

Data Privacy & DPDPA Compliance - Professional Legal Services

Key Considerations

Data fiduciary vs data processor classification: determines direct liability vs joint liability for breaches

Consent framework: valid, free, specific, informed, unconditional, unambiguous consent with clear withdrawal mechanisms

Cross-border data transfer: lawful grounds include whitelisted countries, standard contractual clauses, or parent company binding corporate rules

Data subject rights: access, correction, erasure, grievance redressal within specified timelines (rules awaited)

Data breach notification: to Data Protection Board within 72 hours and affected data principals without undue delay

Data retention limitations: retain only for purpose fulfillment or legal obligation, no blanket perpetual retention

Data protection impact assessment (DPIA): mandatory for high-risk processing, large-scale profiling, automated decision-making

Children's data: special consent requirements from parent/guardian for data principals under 18 years

Regulatory Framework

Digital Personal Data Protection Act 2023 (DPDP Act)

DPDP Act received Presidential assent in August 2023, enforcement contingent on Central Government notification (rules pending as of early 2026). Applies to: (1) processing of digital personal data within India; (2) processing of personal data outside India if related to offering goods/services to data principals in India. "Personal data": data about an individual who is identifiable by or in relation to such data. "Data fiduciary": entity determining purpose and means of processing—typically GCC if it decides what data to collect, how to process. "Data processor": entity processing data on behalf of fiduciary—GCC may be processor if parent company determines purpose/means. Key obligations: (1) Notice specifying purpose, data collected, processing manner, rights; (2) Consent: valid consent per section 6, deemed consent under section 7 for specific grounds (employment contracts, legal obligations, medical emergencies); (3) Data security safeguards; (4) Data principal rights: access, correction, erasure, nominate representative; (5) Grievance redressal officer appointment. Penalties: up to Rs 250 crore per contravention for data fiduciaries, lesser amounts for non-compliance with Board orders. Exemptions: government agencies for national security/public order; historical/archival purposes; judicial proceedings.

Cross-Border Data Transfer Framework

Section 16 permits cross-border transfer to countries/territories notified by Central Government (whitelisted jurisdictions). Whitelist pending—likely to include US (with adequacy caveats), EU, UK, Singapore. Alternative mechanisms: (1) Standard contractual clauses (SCCs): contractual safeguards approved by Data Protection Board ensuring data principal rights enforceable in recipient jurisdiction; (2) Binding corporate rules: intra-group data transfer policies approved by Board for multinational groups; (3) Explicit consent of data principal for specific transfer (consent fatigue concern limits practicality). For GCCs: most scenarios involve transfer to parent entity in US/Europe. Strategy: monitor whitelist notifications, implement SCCs with parent company in interim, conduct transfer impact assessments evaluating adequacy of recipient jurisdiction's data protection regime (GDPR Article 45/46 analogy). Critical: data localization not mandated by DPDP Act (unlike draft 2018/2019 versions), enabling GCC operational flexibility—but sectoral regulations (RBI for payment data, IRDAI for insurance data) impose storage within India requirements.

Information Technology Act 2000 & Cybersecurity Rules

Section 43A: a body corporate possessing sensitive personal data or information must implement reasonable security practices—ISO 27001 or equivalent. Failure renders the body corporate liable to compensate affected persons. "Sensitive personal data" per 2011 Rules: passwords, financial information, health records, sexual orientation, biometric data, genetic data. Data breach notification: CERT-In directions 2022 mandate reporting cyber incidents to the national nodal agency within 6 hours. Incident categories: data breaches, unauthorized access, malware attacks, identity theft, denial of service. Synchronization with DPDP Act breach notification obligations is necessary. Sections 66C-66F: identity theft, cheating using computer resources, cyber terrorism—criminal penalties. Section 72A: disclosure of personal information in breach of lawful contract—imprisonment up to 3 years. For GCCs: implement an ISMS (information security management system), conduct VAPT (vulnerability assessment and penetration testing) annually, appoint a CISO, maintain incident response playbooks; cyber insurance coverage (errors & omissions, cyber liability policies) is advisable given penalty exposure.

Sectoral Data Regulations

RBI: Payment and Settlement Systems Act 2007 + circulars—payment data must be stored in India within 24 hours of transaction, foreign storage permitted for fraud analysis subject to deletion within 24 hours (October 2018 circular). SEBI: cyber resilience framework for market intermediaries—data localization for securities trading data, audit trails for 5 years. IRDAI: insurance repository regulations—insurance data stored in India, IT systems audit every 3 years. Telecom: DOT license conditions—call detail records (CDRs) stored for specified periods, lawful intercept compliance. For GCCs in BFSI sector: complex compliance given overlap of DPDP Act, RBI data localization, and parent company data governance. Recommendation: data classification (public, internal, confidential, restricted), jurisdiction-specific processing policies, hybrid cloud architectures (India region for regulated data, offshore regions for non-regulated business data).

TCL Framework Application

Technical Dimension

Technical controls for DPDP compliance: (1) Data discovery and classification tools—automated PII detection in databases, applications, file shares; (2) Consent management platforms—capture, log, track consent lifecycle (grant, withdraw, modification); (3) Data subject rights portal—self-service for access requests, correction, erasure ("right to be forgotten" operationalization); (4) Encryption: data at rest (AES-256), data in transit (TLS 1.2+), tokenization for high-sensitivity fields (credit cards, Aadhaar); (5) Access controls: role-based access control (RBAC), principle of least privilege, multi-factor authentication for production data; (6) Data loss prevention (DLP): egress controls, masking for non-production environments, audit logging; (7) Cross-border transfer controls: geo-fencing, region-aware data routing, segregated storage (India data in India region clouds); (8) Incident detection: SIEM (security information and event management), intrusion detection/prevention systems, anomaly detection; (9) Privacy-by-design: default privacy settings, data minimization in application design, pseudonymization where feasible.

Commercial Dimension

Data compliance cost overlay: (1) Data protection officer (DPO) appointment—dedicated resource or outsourced DPO-as-a-service (~Rs 15-25 lakh annually); (2) Privacy assessments: data protection impact assessment (DPIA) for high-risk processing, transfer impact assessment (TIA) for cross-border transfers—external consultants Rs 5-15 lakh per assessment; (3) Technology investments: consent management platform (Rs 20-50 lakh implementation + Rs 10-20 lakh annual licenses), DLP tools (Rs 30-60 lakh), SIEM (Rs 50 lakh - 1 crore for enterprise deployment); (4) Audits: ISO 27001 certification (Rs 10-20 lakh), annual surveillance audits (Rs 3-5 lakh), IT Act section 43A audit (Rs 5-10 lakh); (5) Cyber insurance: premiums 0.5-2% of sum insured (typical Rs 10-50 crore coverage, premium Rs 5-50 lakh annually depending on risk profile); (6) Breach response retainer: cyber incident response firm, forensics capability (Rs 10-20 lakh annual retainer + incident-based fees). Budget 1-2% of GCC operating costs for data protection compliance at maturity.

Legal Dimension

Legal documentation suite: (1) Privacy notice/policy—detailed, layered disclosure (short form + full notice) of processing activities, data categories, purposes, retention, third-party sharing, data subject rights, grievance redressal; (2) Consent forms—granular, unbundled, free (not tied to service provision unless strictly necessary), withdrawable; (3) Data processing agreements (DPA)—with vendors, contractors, service providers defining processor obligations, security standards, breach notification protocols, audit rights, liability allocation; (4) Intra-group data transfer agreements—SCCs or binding corporate rules with parent company and affiliates, specifying lawful basis for transfer, data subject rights enforceability, governing law and dispute resolution; (5) Data retention and disposal policy—purpose-linked timelines, secure disposal methods; (6) Incident response plan—breach detection, containment, investigation, notification (Data Protection Board, affected data principals, parent company), remediation, root cause analysis; (7) Employee training acknowledgments—DPDP Act obligations, confidentiality, secure data handling; (8) Data protection impact assessment (DPIA) reports—for high-risk processing like profiling, automated decision-making, large-scale monitoring, special category data processing. For cross-border GCCs: obtain parent company data privacy legal opinions on home jurisdiction adequacy, validate SCCs enforceability, address conflicts of law (e.g., CLOUD Act in US vs DPDP Act data localization for regulated data).

Practical Guidance

Conduct data mapping exercise: inventory all personal data processed—categories, volumes, sources, purposes, retention periods, third-party sharing, cross-border transfers. Output: data flow diagrams, system-level data maps.

Classify GCC's role as data fiduciary vs processor: if GCC determines purposes/means, fiduciary obligations apply; if parent determines and GCC executes, processor obligations apply. Document role in DPA with parent.

Appoint data protection officer (DPO): designated individual responsible for DPDP compliance, grievance redressal, Board liaison. Publish contact details publicly. DPO to report to senior management, adequate resources.

Implement privacy-by-design: embed data protection from system design stage—default privacy settings, data minimization, purpose limitation, retention automation (automatic deletion post-purpose fulfillment).

Standardize consent mechanisms: pre-ticked boxes invalid; consent must be affirmative action (opt-in, not opt-out). Provide easy withdrawal via same mechanism as grant. Maintain consent records with timestamp, IP address.
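The consent record described in item (2) of the Technical Dimension and in the consent guidance above can be modelled as an append-only ledger: one purpose per consent, opt-in only, a withdrawal path on every channel that collects consent, and a timestamped, IP-stamped history that supports point-in-time checks. This is an added example, not the firm's tooling or any product referenced on this page; the class names, channel names and sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str      # exactly one purpose per event (unbundled consent)
    action: str       # "grant" or "withdraw"
    channel: str      # mechanism used, e.g. "web-form"
    at: datetime      # UTC timestamp of the data principal's act
    source_ip: str    # origin of the request, kept as part of the record

class ConsentLedger:
    def __init__(self, channels: dict[str, set[str]]) -> None:
        self._channels = channels          # channel -> capabilities it offers
        self._events: list[ConsentEvent] = []   # append-only; state is derived

    def _check_channel(self, channel: str) -> None:
        # Withdrawal must be as easy as the grant: a channel that collects consent must also offer withdrawal
        if not {"grant", "withdraw"} <= self._channels.get(channel, set()):
            raise ValueError(f"channel {channel!r} offers no withdrawal path")

    def grant(self, principal_id: str, purpose: str, channel: str,
              at: datetime, source_ip: str, affirmative: bool) -> None:
        if not affirmative:   # pre-ticked boxes and defaults are not consent
            raise ValueError("consent requires an affirmative opt-in action")
        if any(sep in purpose for sep in (",", ";", "+")):
            raise ValueError("bundled purposes rejected; one purpose per consent")
        self._check_channel(channel)
        self._events.append(ConsentEvent(principal_id, purpose, "grant", channel, at, source_ip))

    def withdraw(self, principal_id: str, purpose: str, channel: str,
                 at: datetime, source_ip: str) -> None:
        if not self.is_permitted(principal_id, purpose, at):
            raise LookupError("no active consent for this purpose to withdraw")
        self._check_channel(channel)
        self._events.append(ConsentEvent(principal_id, purpose, "withdraw", channel, at, source_ip))

    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Point-in-time check: was processing for `purpose` covered by consent at `at`?"""
        history = [e for e in self._events
                   if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        return bool(history) and max(history, key=lambda e: e.at).action == "grant"

def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False

def run_demo() -> dict:
    """Constructed sample: one principal, two unbundled purposes, one withdrawal."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger({"web-form": {"grant", "withdraw"}, "sales-call": {"grant"}})
    ledger.grant("p-001", "service-delivery", "web-form", t0, "203.0.113.7", True)
    ledger.grant("p-001", "marketing", "web-form", t0, "203.0.113.7", True)
    ledger.withdraw("p-001", "marketing", "web-form", t0 + 3 * day, "203.0.113.9")
    ip = "198.51.100.4"
    return {
        "marketing_day1": ledger.is_permitted("p-001", "marketing", t0 + day),
        "marketing_day4": ledger.is_permitted("p-001", "marketing", t0 + 4 * day),
        "service_day4": ledger.is_permitted("p-001", "service-delivery", t0 + 4 * day),
        "pre_ticked_rejected": _rejected(lambda: ledger.grant("p-002", "marketing", "web-form", t0, ip, False)),
        "bundled_rejected": _rejected(lambda: ledger.grant("p-002", "marketing,profiling", "web-form", t0, ip, True)),
        "no_withdrawal_path": _rejected(lambda: ledger.grant("p-002", "marketing", "sales-call", t0, ip, True)),
    }
```

Because the ledger is never edited in place, `is_permitted` can answer what consent existed on the day a particular processing run happened, which is the question an audit or Board inquiry asks.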

Establish data subject rights process: intake mechanism (email, portal), identity verification, response timelines per rules (likely 30-45 days), log maintenance. For erasure requests, evaluate legal retention obligations before deletion.

Negotiate vendor DPAs: all vendors processing personal data on GCC's behalf must sign DPA—specify security obligations, sub-processor restrictions, breach notification SLAs, audit rights, liability caps.

Plan for cross-border transfer: monitor whitelist notifications, execute SCCs with parent/affiliates, conduct transfer impact assessments, implement supplementary safeguards (encryption, access controls) to mitigate jurisdiction risks.

Cyber incident response: establish response team (legal, IT, communications, senior management), pre-negotiate forensics vendor retainer, draft notification templates, simulate breach scenarios via tabletop exercises.

Training and awareness: mandatory DPDP Act training for all employees at onboarding and annually, specialized training for developers (secure coding), HR (employee data handling), customer-facing teams (consent processes).

Common Pitfalls

Assuming GCC is merely a processor when it functionally determines processing purposes: misclassification shifts penalty liability—conduct an honest FAR (functions, assets, risks) analysis; if GCC management decides data collection scope or retention periods, fiduciary obligations are triggered.

Blanket consents: single consent for multiple unrelated purposes invalid under DPDP Act—unbundle consents (marketing separate from service delivery, profiling separate from transactional processing).

Ignoring sectoral data localization: DPDP Act permits cross-border transfer but RBI mandates payment data storage in India—conflicting compliance regimes require layered architecture (regulated data in India infra, other data transferable).

Third-party risk exposure: vendor data breaches attributable to fiduciary under vicarious liability theories—inadequate DPAs, lack of vendor audits, absence of cyber insurance coverage for vendor incidents amplify risk.

Inadequate data subject rights infrastructure: manual processing of access/erasure requests unsustainable at scale—invest in automation (portals, workflows, tracking) preemptively to avoid backlog-driven Board complaints.

Insufficient breach detection: delayed breach discovery beyond 72-hour reporting window to Board creates additional penalty exposure—deploy SIEM, anomaly detection, and 24/7 SOC (security operations center) monitoring.

Employee data blind spot: GCC employee data (PF, ESI, health insurance, performance evaluations) is personal data under DPDP Act—HR policies must embed consent, notice, retention limitations, access rights. Employment contract deemed consent provisions (section 7) limited to necessary processing only.

Cross-border transfer without adequacy assessment: relying solely on parent company assurance of GDPR compliance insufficient—India DPDP Act requires independent transfer impact assessment, contractual safeguards, data principal rights enforceability validation.

Frequently Asked Questions

Q: What is the difference between data fiduciary and data processor under DPDP Act?

A: Data fiduciary is entity determining purpose and means of processing personal data. "Purpose" = why data is processed (fraud detection, marketing, service delivery). "Means" = how data is processed (systems, technology, retention duration). Data processor is entity processing data on behalf of fiduciary without determining purpose/means—follows fiduciary's instructions. For GCCs: if parent company instructs "process these transactions for fraud detection using this algorithm, retain for 90 days," GCC is processor. If GCC management decides "we will analyze customer behavior to recommend products, using our AI models, retaining data for 2 years," GCC is fiduciary. Practical implications: (1) Fiduciaries face direct penalties (up to Rs 250 crore) for breaches; processors liable jointly if breach due to processor's failure; (2) Fiduciaries must appoint DPO, conduct DPIA, handle data subject rights directly; processors' obligations limited to security, breach notification to fiduciary, audit compliance; (3) Fiduciaries responsible for cross-border transfer adequacy; processors transfer only per fiduciary instructions. Many GCCs operate in hybrid mode—fiduciary for employee data (HR autonomy), processor for parent's customer data (operating per parent charter). Document role clearly in data processing agreement with parent.

Q: How should GCCs handle cross-border data transfers until DPDP Act rules are finalized?

A: Pragmatic approach pending rule finalization: (1) Implement standard contractual clauses (SCCs) proactively—adapt EU Commission SCCs or draft custom clauses addressing DPDP Act data principal rights (access, correction, erasure, grievance redressal), security obligations, breach notification, audit rights, liability allocation. Rationale: rules likely to mandate SCC framework, early adoption demonstrates good faith compliance; (2) Conduct transfer impact assessment (TIA)—evaluate recipient jurisdiction's data protection laws, government access regimes, enforceability of data principal rights. Document assessment with legal opinions from home jurisdiction counsel; (3) Implement supplementary safeguards—encryption (data unusable by unauthorized parties including government), access controls (role-based, MFA), contractual restrictions (no onward transfer without consent), audit rights; (4) Obtain explicit consent for high-risk transfers—particularly for sensitive personal data (health, financial), inform data principals of cross-border transfer, risks, and mitigations; (5) Monitor whitelist notifications—Central Government expected to notify adequacy determinations for US (with caveats), EU, UK, Singapore, Australia. Once notified, transfers to whitelisted countries permissible without SCCs; (6) Engage with parent company data privacy teams—align India GCC practices with parent's global data protection program (GDPR, CCPA compliance infrastructures), ensure India-specific risks addressed. Risk: retrospective enforcement unlikely given pending rules, but proactive compliance positions GCC favorably in Data Protection Board interactions.

Q: What are the penalties for non-compliance with DPDP Act and how are they determined?

A: DPDP Act penalty framework: (1) Data fiduciaries: up to Rs 250 crore per contravention; (2) Data processors: liability if breach caused by processor's failure, quantum lower than for fiduciaries; (3) Consent managers (platforms managing consent): penalties for non-compliance with registration, technical standards. Penalty determinants: (a) Nature, gravity, and duration of breach—single incident vs systemic non-compliance, number of data principals affected, sensitivity of data (children's data, health data higher gravity); (b) Data fiduciary's conduct—proactive remediation vs negligent inaction, cooperation with Data Protection Board investigation, prior violations; (c) Financial capacity—turnover of fiduciary considered for proportionality; (d) Mitigating factors—self-disclosure of breach, prompt notification to affected data principals, effective remediation (credit monitoring, identity theft protection). Adjudication process: Data Protection Board to investigate violations (suo moto or on complaint), conduct hearings, issue orders. Appeal to Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Comparators: GDPR penalties up to 4% of global turnover or EUR 20 million (higher); India quantum lower but Rs 250 crore non-trivial for most GCCs. Key: proportionality principle likely in application—minor paperwork lapses unlikely to attract maximum penalty, but data breach affecting lakhs of individuals with inadequate security could trigger substantial penalty. Mitigation: maintain compliance documentation (policies, training records, DPIAs, audit reports, breach response logs) to demonstrate good faith, invest in cybersecurity maturity to establish reasonable security practices defense under IT Act section 43A.

Q: Do employee data processing activities fall under DPDP Act compliance requirements?

A: Yes, employee personal data is subject to the DPDP Act. "Personal data" is data about an individual identifiable by or in relation to such data—includes employee names, contact details, PF numbers, salary, performance evaluations, health records, biometric attendance. GCC as employer is data fiduciary determining purposes (HR administration, payroll, compliance) and means (HRMS systems, retention periods). However, section 7(b) provides deemed consent ground: processing necessary for fulfilling employment contract or taking steps at request of data principal prior to entering contract. Practical implication: GCC need not obtain explicit consent for routine HR data processing (payroll, PF, ESI, tax deductions, attendance) as it's necessary for employment relationship. But: (1) Consent still required for non-essential processing—employee surveys, wellness programs, social events, employee referral programs (process personal data of referrals); (2) Notice obligation remains—privacy notice to employees specifying data collected, purposes, retention, sharing (government for PF/tax, insurers for group health), data subject rights; (3) Data subject rights applicable—employees can request access to their HR file, correction of inaccurate records, nomination of representative; (4) Special category data (health, biometric attendance) requires heightened security, purpose limitation—biometric data for attendance only, not for tracking without consent; (5) Retention limitations—post-termination, retain only for legal obligations (7 years for tax records, 3 years for PF), delete other data. Common pitfall: CCTV footage of premises—employees must be informed, footage retained only for security purposes (30-90 days typical), not indefinite storage. Employee background verification—explicit consent required, data shared with verification agencies only on need basis, candidate informed of sources checked. Exit interviews—if data used for analytics (attrition patterns), anonymize before aggregation to avoid individual identifiability.
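The retention automation and erasure handling described under Practical Guidance (automatic deletion once the purpose is fulfilled; checking legal retention obligations before honouring an erasure request) and the post-termination figures in this answer can be expressed as one decision rule per record. This is an added example, not the page's own code: the 7-year tax and 3-year PF floors come from the answer above, while the CCTV and performance-review day counts, the record categories and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Statutory floors (years) that override purpose expiry and erasure requests; figures as cited above.
LEGAL_RETENTION_YEARS = {"tax-record": 7, "pf-record": 3}
# Purpose-linked ceilings (days) for other categories; constructed policy values.
PURPOSE_RETENTION_DAYS = {"cctv-security": 90, "performance-review": 365}

@dataclass
class Record:
    record_id: str
    principal_id: str
    category: str
    created: date
    purpose_ended: Optional[date] = None   # e.g. employee exit date; None while ongoing
    erasure_requested: bool = False

@dataclass
class Decision:
    record_id: str
    action: str            # "delete", "retain" or "retain-legal-hold"
    reason: str
    review_on: Optional[date] = None   # when a retained record is re-evaluated

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:           # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def decide(rec: Record, today: date) -> Decision:
    # 1. A legal retention obligation wins over purpose expiry and erasure requests; the request is deferred, not refused.
    if rec.category in LEGAL_RETENTION_YEARS:
        anchor = rec.purpose_ended or today          # clock starts when the purpose ends
        hold_until = _add_years(anchor, LEGAL_RETENTION_YEARS[rec.category])
        if today < hold_until:
            why = "legal retention obligation" + (
                "; erasure request deferred" if rec.erasure_requested else "")
            return Decision(rec.record_id, "retain-legal-hold", why, hold_until)
        return Decision(rec.record_id, "delete", "legal retention period elapsed")
    # 2. No legal floor: an erasure request is honoured immediately.
    if rec.erasure_requested:
        return Decision(rec.record_id, "delete", "data principal erasure request")
    # 3. Purpose limitation: delete once the purpose-linked period has run.
    days = PURPOSE_RETENTION_DAYS.get(rec.category)
    if days is None:
        return Decision(rec.record_id, "retain", "unclassified category; refer to DPO", today + timedelta(days=30))
    expiry = (rec.purpose_ended or rec.created) + timedelta(days=days)
    if today >= expiry:
        return Decision(rec.record_id, "delete", "purpose fulfilled and retention period elapsed")
    return Decision(rec.record_id, "retain", "within purpose-linked retention period", expiry)

def sweep(records: list[Record], today: date) -> dict[str, str]:
    return {r.record_id: decide(r, today).action for r in records}   # record_id -> action

def run_demo() -> dict[str, str]:
    """Constructed employee-data sample evaluated on a fixed date."""
    today = date(2026, 3, 1)
    exit_day = date(2024, 6, 30)          # constructed employee exit date
    batch = [
        Record("tax-2024", "e-17", "tax-record", date(2024, 4, 1), exit_day, erasure_requested=True),
        Record("pf-2021", "e-17", "pf-record", date(2021, 5, 1), date(2022, 12, 31)),
        Record("cctv-jan", "e-17", "cctv-security", date(2026, 1, 15)),
        Record("cctv-nov", "e-17", "cctv-security", date(2025, 11, 1)),
        Record("review-23", "e-17", "performance-review", date(2023, 9, 1), exit_day, erasure_requested=True),
        Record("survey-24", "e-17", "wellness-survey", date(2024, 2, 1)),
    ]
    return sweep(batch, today)
```

The sample shows the two outcomes that matter most in practice: the tax record is held despite an erasure request, with the hold end date recorded for later review, while the performance review with no legal floor is deleted on request.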
