How DPDP Act reshapes compliance requirements for GCCs
The Digital Personal Data Protection (DPDP) Act, 2023 establishes a comprehensive framework for data protection, imposing stringent obligations on both data fiduciaries and data processors. The Act introduces compliance requirements covering consent, cross-border data transfer, safeguards for personal data, and contractual obligations for third parties, which will affect the operational and technical environment of many organizations, including Global Capability Centers (GCCs).
Currently, over 1,500 GCCs operate in India across a multitude of sectors, spanning information technology (IT), financial services, telecommunications, manufacturing, healthcare, automobiles, and biotechnology. These organizations actively collect, process, transfer, and store substantial volumes of personal and highly sensitive data relating to their employees, contractors, vendors, clients, and customers. With the DPDP Act coming into effect, GCCs may find it necessary to reassess their existing ecosystem, consisting of people, process, and technology layers, to realign with the compliance requirements of the Act.
Navigating Indian data regulations
Organizations must ensure strict adherence to the regulations defined by the central government when transferring personal data outside India. Notably, the Act adopts a 'whitelist' approach to cross-border data transfer and processing, meaning that the central government will specify the geographic locations where data processing is allowed.
Numerous GCCs engage in cross-border data transfers to support core business functions, including customer support, financial operations, and human resources. Once the compliance requirements are mandated, organizations will be required to reassess and realign their data transfer mechanisms to ensure compliance.
The Act also has requirements related to personal data discovery and mapping, which is a significant factor for GCCs from the compliance perspective. In accordance with the Act's requirements, organizations must conduct systematic data discovery, employing both automated and manual methods to identify structured and unstructured personal data that is processed. It is crucial for organizations to establish and maintain an inventory of personal data elements.
GCCs must also ensure that personal data transferred between an Indian entity and its global counterparts is processed in compliance with the Act. Organizations must, therefore, integrate Standard Contractual Clauses (SCCs) specifying data privacy clauses, along with notice and explicit consent requirements for transferring certain categories of personal data. Furthermore, GCCs must clearly define the legal basis for processing personal data, either through the acquisition of consent or in accordance with the legitimate uses specified in the Act.
As the Act's purview extends to third parties as well, the organization must ensure that personal data outsourced to a third party is safeguarded using the same or similar technical and organizational measures as the organization applies itself. Non-compliance by a third party will result in the outsourcing organization being penalized directly. Therefore, organizations must ensure that their third parties comply with the rules, necessitating a shift in evaluation criteria, with privacy by design and by default becoming a paramount consideration. For example, GCCs must ensure that only the minimum personal data necessary for processing is shared with these processors, accompanied by robust safeguards for data management.
Gearing up for protection
Once the Act’s compliance requirements come into effect, GCCs must reassess their personal data processing framework. This entails an assessment of the types of personal data processed, the volume of personal data processed, the existing privacy framework tailored to global laws such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and the incorporation of specific DPDPA requirements into the privacy program. GCCs must also include budgetary considerations specific to the required technical and organizational measures. Employees, contractors, and vendors must also be trained and made aware of data privacy practices and DPDPA.
GCCs must establish a mechanism for promptly reporting essential details to the Data Protection Board and affected data principals in the event of a data breach. GCCs must also institute a regular reporting cadence for privacy key performance indicators at both regional and global levels, contributing to the overall metrics on global privacy practices.
GCCs need to be prepared in terms of data privacy assessment and implementation requirements before the Act comes into effect. This will help them understand, in a timely manner, the budget, resources, and other significant considerations required for compliance.
Prashant Gupta
Prashant Gupta is Technology Partner at EY India.