Most India GCCs still in early stages of DPDP compliance despite ticking 14-month deadline
Four months after the rules under the Digital Personal Data Protection Act, 2023 were notified, most global capability centres (GCCs) in India remain in the early phases of compliance planning, with only a small fraction having moved into structured implementation even as the 14-month compliance clock continues to run, experts told ET.
The rules for the law were notified on November 13, last year, triggering a transition period that ends on May 13, next year. Industry experts said organisations should treat the deadline as firm rather than indicative, given the scale of operational changes required across people, processes and technology.
India hosts roughly 1,700-1,800 GCCs running global technology, finance, analytics and operations functions for multinational companies. Early assessments suggest only a minority of these centres have begun building concrete compliance frameworks.
Assessments across GCC clients suggest the implementation curve remains low. Across the ecosystem, however, companies have begun conducting gap analyses, particularly in areas involving employee and human resources data, typically the largest repository of personal information within India operations.
Ritika Loganey Gupta, partner and GCC tax leader at EY India, said GCCs have started reviewing structured HR systems more easily, but mixed and unstructured datasets such as collaboration tools, shared drives and operational logs remain difficult to assess.
“This is where many organisations are still building clarity and control,” she said.
Early reviews have also highlighted gaps in handling mixed datasets where global customer information and India-resident data sit in the same systems: a common architecture in multinational operations.
Roop Kaistha, regional managing director for Asia-Pacific at AMS, a global talent solutions and consulting firm, said many organisations initially assume that existing compliance with global privacy regimes such as GDPR automatically satisfies Indian requirements.
“In reality, there are several India-specific expectations that require redesign and local adaptation,” Kaistha said. These include DPDP-specific notices, logging requirements and role definitions.
Human resources systems are emerging as the most immediate compliance priority. Payroll records, background verification files, health insurance claims and grievance data often contain significant volumes of personal data that fall squarely within the scope of the law.
However, these platforms are usually standardised globally, meaning India-specific consent notices, access rights and retention policies have yet to be fully deployed.
GS Bhalla, co-founder and chief executive of Cosentus, a technology company that builds automation, analytics and workflow platforms to help businesses improve operational visibility and efficiency, said that among roughly 30-40 GCCs his firm reviewed between December last year and February this year, only about 10-15% of larger centres had progressed to structured implementation programmes.
“Most remain in interpretation and scoping while they map which datasets fall under Indian jurisdiction and wait for clarity on Significant Data Fiduciary designation before scaling budgets,” Bhalla said.
A major structural challenge, he said, is that GCCs operate within global enterprise systems where even small changes to data handling often require alignment with headquarters. “Regardless of when that clarity arrives, the compliance window is already running,” he added.
Technology changes
Vendors and third-party partners are also coming under greater scrutiny.
“GCCs will extend existing global privacy programmes with India-specific controls such as data discovery, retention automation, pseudonymisation for shared datasets and tighter vendor contracting,” Bhalla said.
Yet a key obstacle remains the lack of clean and up-to-date data inventories across large enterprise systems.
“The biggest blocker we see is not the technology itself but the absence of a clear view of where personal data resides and how it flows,” Kaistha said.
Reporting gaps
Another emerging challenge is aligning India’s regulatory requirements with global corporate governance structures.
From Cosentus’ assessments, roughly 60-70% of GCCs still do not have a dedicated India-specific entry in their global privacy or enterprise risk registers. Without such formal tracking, India-related risks often surface too late in global decision-making cycles, slowing budget approvals and technology deployment.
Many GCCs currently report DPDP progress through quarterly privacy or cybersecurity reviews with headquarters, but the maturity of these reporting mechanisms varies widely.
“The more effective models position DPDP as an India-specific extension of existing global privacy and security programmes,” Gupta said, adding that clear escalation and reporting structures help maintain consistency while addressing local regulatory expectations.












