
The DPDP Act 2023: A Compliance Checklist for Foreign Companies Outsourcing to India

Mar 24, 2026 | FEMA, Digital Economy, GCC

With the rise of Global Capability Centers (GCCs), India has moved from being a back-office hub to a strategic nerve center for the world’s biggest corporations. However, as of 2023, the rules of the game have changed.

The Digital Personal Data Protection (DPDP) Act 2023 is now the law of the land. If your firm outsources data processing to India—or operates a GCC there—you are likely a “Data Fiduciary” in the eyes of Indian law.

Here is a human-centered guide to what this means for your international operations and a practical checklist to ensure you stay on the right side of the Digital Personal Data Protection Board.


1. Understanding Your Role: Fiduciary vs. Processor

Under the DPDP Act, the “Data Fiduciary” (the entity that decides the why and how of data processing) carries the primary burden of compliance.

  • The Global Firm: Usually the Data Fiduciary.
  • The Indian Vendor/GCC: Usually the Data Processor.

The Catch: Even if the data belongs to non-Indians, if it is processed in India, certain aspects of the Act regarding security safeguards and data breach reporting still apply.


2. The DPDP Compliance Checklist for Foreign Firms

Audit Your Data Flows (The “Ground Zero” Step)

You cannot protect what you don’t map. Foreign firms must identify exactly what personal data is being sent to Indian servers or accessed by Indian teams.

  • Action: Classify data into “Personal” and “Non-Personal.”
  • Expert Tip: Remember that the DPDP Act applies only to digital personal data (or data collected offline and later digitized).

Update Your Service Level Agreements (SLAs)

Your contracts with Indian vendors or your own GCC need a “DPDP Facelift.” The law requires a valid contract to be in place for any data processing.

  • Action: Ensure contracts specify the nature and purpose of processing and mandate that the processor deletes data once the purpose is served.

Implement “Privacy by Design”

The Act emphasizes technical and organizational safeguards. This isn’t just about encryption; it’s about access control.

  • Action: Deploy AES-256 encryption for data at rest and TLS 1.3 for data in transit. Ensure that an employee in a Bengaluru GCC can only see the data strictly necessary for their role.

Establish a Grievance Redressal Mechanism

One of the most human-centric parts of the Act is the right of the individual (the “Data Principal”) to seek answers.

  • Action: You must appoint a Grievance Officer and publish their contact details. If a user asks, “What are you doing with my data?”, you must have a system to answer within the prescribed timelines.

Prepare for Breach Notifications

Unlike some jurisdictions where you have a “reasonable” window, the DPDP Act is strict about reporting.

  • Action: Create a standard operating procedure (SOP) where your Indian team must notify the headquarters immediately upon discovering a breach, so you can notify the Indian Data Protection Board.

3. Why This Matters for GCCs

If your company has a GCC in India, you are no longer just managing a cost center; you are managing a Regulatory Entity.

The Indian government has the power to designate certain firms as Significant Data Fiduciaries (SDFs) based on the volume of data they handle. If your GCC handles massive datasets, you may be required to:

  1. Appoint a Data Protection Officer (DPO) based in India.
  2. Conduct periodic Data Protection Impact Assessments (DPIA).
  3. Appoint an independent data auditor.

4. The “Safe Harbor” of Section 16

There is a bit of good news for international firms: Section 16 of the Act suggests that if you are processing the data of foreign nationals in India (under a contract with a foreign entity), the stringent “Rights of Data Principals” (like the right to erase) might not apply to those foreign individuals under Indian law.

However, the security obligations remain. You must still keep that data safe.


Final Thoughts: Expertise Over Hype

Compliance isn’t a one-time checkbox; it’s a culture. For foreign firms, the DPDP Act is an opportunity to strengthen the trust they have with their global customers by leveraging India’s robust new legal framework.

Is your Indian operation DPDP-ready? At Biz2India, we specialize in bridging the gap between global business goals and Indian regulatory reality. Don’t wait for a notice from the Board to start your compliance journey.
