
The New Architecture of Trust: How India's DPDP Act Reshapes the Global Capability Centre Landscape

The story of Global Capability Centres in India has always been one of arbitrage — of labour costs, of talent pools, of time zones. For three decades, multinational corporations have dispatched their data-intensive operations to Bengaluru, Hyderabad, and Gurugram, constructing sprawling campuses where the world's financial transactions are reconciled, insurance claims adjudicated, and customer records maintained. What these corporations are now discovering, with the operationalisation of India's Digital Personal Data Protection Act through the DPDP Rules 2025 notified in November, is that the rules of this particular game have fundamentally shifted. The arbitrage of the future will not be measured merely in cost savings but in the sophistication with which organisations navigate an increasingly complex sovereignty of data.
India's 1,700-odd GCCs employ approximately 1.9 million professionals and process data that spans the entire spectrum of human commercial activity — from European pension funds to American healthcare records, from Asian banking transactions to Australian insurance claims. These centres have long operated in what might charitably be described as a regulatory interregnum: bound by the data protection laws of their parent jurisdictions, yet physically domiciled in a country whose own framework remained gestational. That ambiguity has now been resolved, and its resolution demands a fundamental reconceptualisation of how GCCs organise their operations.
The DPDP Act introduces what is, in effect, a dual compliance architecture for GCCs handling mixed datasets. The law applies with full force to the personal data of Indian residents — the "data principals" in the statute's terminology — while remaining largely silent on data pertaining to foreign nationals processed exclusively for overseas operations. This bifurcation, seemingly straightforward in legislative text, becomes extraordinarily complex in operational practice. Consider a GCC processing customer service interactions for a European bank: the same systems, the same employees, and often the same databases may handle inquiries from a German pensioner and an Indian software engineer banking with the same institution. The DPDP Act demands that the Indian's data be governed by its provisions — consent mechanisms, purpose limitation, retention schedules, breach notification protocols — while the German's data continues under GDPR's dominion.
The operational implications of this jurisdictional demarcation are profound. GCCs processing such mixed datasets will increasingly need to implement physical or logical segregation between Indian and foreign data streams — a requirement that necessitates architectural transformations in data infrastructure across the sector. The days of co-mingled data environments, where nationality was merely a field in a database rather than a determinant of regulatory treatment, are drawing to a close. What emerges is a new paradigm where data architecture must mirror legal architecture, with clear boundaries delineating which regulatory regime governs which byte.
The implications cascade through every layer of GCC operations. Data mapping, once a compliance checkbox exercise, becomes a strategic imperative. Organisations must now trace, with granular precision, the provenance and destination of every data element flowing through their Indian operations. The DPDP Rules mandate that Data Fiduciaries maintain detailed activity logs for every instance of access, storage, or sharing of personal data, retaining these records for a minimum of one year. For GCCs processing millions of transactions daily, this requirement alone necessitates substantial investment in logging infrastructure and audit trail management.
The consent architecture required under the new regime presents particular challenges for GCCs operating in business-to-business contexts. While consumer-facing operations can redesign their digital touchpoints to capture the "specific, informed, unconditional, and freely given" consent the Rules demand, GCCs often process data received through complex contractual chains where the end customer's consent was obtained by an upstream party under a different jurisdiction's framework. The legal fiction that has sustained much GCC processing — that adequate safeguards exist somewhere in the contractual chain — must now be replaced by demonstrable compliance mechanisms that can withstand scrutiny from India's Data Protection Board.
Cross-border data transfers emerge as perhaps the most consequential frontier. The DPDP Act contemplates a whitelist approach, where the Central Government would designate countries or territories to which personal data may be transferred without additional safeguards. Until such designations materialise — and the framework for recognising foreign jurisdictions through bilateral instruments or adequacy determinations remains prospective — GCCs exist in interpretive uncertainty. Data flows that were previously unremarkable now require justification frameworks demonstrating continuity of protection across borders. The multinational parent that once viewed its Indian GCC as a seamless extension of its global operations must now contend with the reality that data crossing into India acquires a new legal character, one that persists even as that data flows back outward.
The breach notification requirements introduce operational urgencies of a different order. Under the DPDP Rules, Data Fiduciaries must notify the Data Protection Board within 72 hours of discovering a breach — a timeline that mirrors GDPR but carries distinct enforcement implications in the Indian context. For GCCs serving as data processors for foreign principals, this creates a coordination challenge of considerable complexity: breach response protocols must now account for multiple notification streams, potentially to authorities in different jurisdictions with different definitions of what constitutes a reportable incident. A single security event may trigger parallel obligations to India's Data Protection Board, the European supervisory authorities, and the parent company's home regulator — each with its own timeline, its own disclosure requirements, and its own enforcement apparatus.
The designation of "Significant Data Fiduciaries" adds another layer of complexity. SDFs face enhanced obligations including mandatory Data Protection Officers, annual Data Protection Impact Assessments, and independent audits submitted to the Data Protection Board. While the criteria for SDF designation remain to be fully articulated through government notification, GCCs processing data at scale should anticipate falling within this category. The DPIA requirement, in particular, demands that organisations systematically evaluate the risks of their processing activities — an exercise that, for GCCs with diverse service portfolios, may reveal concentrations of risk previously obscured by operational fragmentation.
What emerges from this regulatory architecture is a new calculus for GCC operations. The cost advantages that drew multinationals to India remain substantial, but they must now be weighed against compliance investments that were previously externalised or deferred. The sophisticated GCC of the post-DPDP era will be one that transforms compliance from burden to capability — building data governance frameworks sufficiently robust to satisfy the most demanding jurisdiction in its operational portfolio, and marketing that capability as a competitive differentiator. Those organisations that can demonstrate architectural transparency, rigorous consent management, and breach response capabilities that meet global standards will find themselves positioned not merely as cost centres but as trust anchors in their parent companies' global data ecosystems.
The corporations that anticipated this transition have already begun the work of transformation. They are redesigning data architectures, retraining workforces, and renegotiating contracts with parent entities to clarify responsibilities in this new regime.
Those that delayed, hoping for regulatory clarity or enforcement forbearance, now face compressed timelines and escalating costs. The DPDP Rules provide an 18-month window for full operational compliance — a period that, for organisations starting from low maturity baselines, will prove brutally short.
India's DPDP framework represents, ultimately, a declaration of data sovereignty that multinational corporations can neither ignore nor circumvent. The GCC model that flourished under regulatory arbitrage must evolve into something more sophisticated: a model built on demonstrable trustworthiness, architectural rigour, and governance frameworks that honour the dignity of the individuals whose data flows through these operations. The era of self-regulation has concluded. What follows will test whether India's GCC ecosystem can transform this regulatory challenge into an enduring competitive advantage — or whether the new rules of engagement will prompt a fundamental reassessment of where the world's data work gets done.
To help organisations navigate this new regulatory architecture with confidence, Decimal Point Analytics offers specialised DPDPA Compliance & Data Governance Solutions designed for GCCs and global enterprises.