Conversations about the Digital Personal Data Protection Act (DPDPA) usually orbit around banks, fintechs and e-commerce platforms. That’s understandable because these sectors handle large volumes of consumer data and face the sharpest regulatory scrutiny.
But if you run a Global Capability Center (GCC) or an IT/ITES company in India, DPDPA is your problem too, because your organisation processes personal data every day: employee records, candidate profiles, client delivery data and vendor information.
The DPDP Rules make it clear that any entity processing digital personal data of Indian residents falls under the Act’s obligations. Geography of ownership does not create an exemption.
What makes it more complex is the dual role you play. GCCs and IT/ITES firms often operate simultaneously as data fiduciaries for their own workforce and as data processors for global clients. That layered status creates compliance obligations that a standard DPDPA checklist does not address.
In this blog, we try to unravel what DPDPA means for your business.
Why DPDPA applies to every IT/ITES company and GCC in India
DPDPA applies to any entity that determines the purpose and means of processing personal data of individuals in India. That entity is called a Data Fiduciary.
You’re already a data fiduciary for your employees
Your HR system holds employee names, addresses, Aadhaar numbers, bank details, health records and performance data. Your recruitment platform processes candidate information. Your payroll system stores financial details. All of this is personal data under DPDPA. The moment you decide how and why this data is collected and used, you become a Data Fiduciary – with full obligations under the Act.
You may also be a data processor for your clients
When you build software, run BPO operations or manage IT infrastructure for a global client, you often process personal data on their behalf. In those situations, your client is the Data Fiduciary. You are the Data Processor.
This distinction matters because the DPDP Rules extend compliance obligations to Data Processors. You must implement the same minimum security safeguards as fiduciaries. Contracts need to reflect this. Vendor audits become mandatory on both sides.
The cross-border data challenge for GCCs and IT/ITES firms
Cross-border data flows are central to how GCCs and IT/ITES companies operate. Data collected in India is transmitted to parent companies, foreign clients or cloud infrastructure outside the country. DPDPA places clear restrictions on this.
What DPDPA says about transferring data outside India
The Central Government has the authority under DPDPA to designate countries to which personal data cannot be transferred. Until those notifications are issued, transfers are not entirely unrestricted. Organisations must still ensure contractual safeguards are in place and that the transfer is covered by a valid lawful basis under the Act.
GCCs face a specific challenge here. They routinely process data in India on behalf of operations abroad: data that originates from Indian employees, contractors or customers but is ultimately used by overseas entities. That flow needs to be mapped, governed and documented.
How this changes client contracts and delivery models
Your existing Master Service Agreements (MSAs) and Data Processing Agreements (DPAs) were almost certainly drafted before DPDPA rules were notified. Most of them do not address Indian data protection obligations adequately.
You will need to review and update these contracts to reflect DPDPA-specific requirements: the lawful basis for processing, data retention timelines, breach notification obligations and security safeguard standards. For global clients, this is a conversation that needs to happen proactively, not after the Data Protection Board (DPB) comes knocking.
Dual compliance exposure: fiduciary & processor at the same time
Running both roles inside one organisation is the defining compliance challenge for IT/ITES and GCCs. Getting the distinction wrong creates blind spots that auditors will find.
Where the fiduciary obligation kicks in
Every time your organisation decides why and how personal data is processed, you are acting as a Data Fiduciary. This covers:
- Employee and contractor data: onboarding, payroll, performance management, exit
- Candidate data: applications, assessments, interview records
- Internal IT systems: access logs, device management, CCTV in office premises
These are entirely within your control. Your policies, consent mechanisms and security controls govern them.
Where the processor obligation applies
When you are executing instructions from a client and have no say in the purpose of processing, you are a Data Processor. This typically covers:
- Software development and testing: where production data or synthetic data is used
- BPO and KPO operations: where you handle customer data on behalf of a client
- Managed services and IT infrastructure: where client data passes through your systems
As a processor, you must implement minimum security safeguards as required under DPDP Rules. Your client contracts must define your obligations clearly. You cannot simply rely on your client’s compliance programme to cover you.
Key DPDPA obligations your IT/ITES team needs to address now
The DPDP Rules, 2025 are enforceable now. Full compliance is expected by May 2027. Here are the obligations that demand immediate attention.
Consent and notice requirements for employee and candidate data
For data you collect directly (job applications, onboarding forms, attendance systems), you must provide a clear, accessible notice explaining what data you collect, why, and how it will be used. Consent must be obtained before processing begins and must be easy to withdraw.
This affects your HR technology stack, your onboarding workflows and your recruitment platforms. Review all digital touchpoints where employee or candidate data is captured.
Security safeguards under Rule 6 – encryption, access controls and logging
Rule 6 of the DPDP Rules sets a legally enforceable baseline for cybersecurity. It mandates encryption of personal data, access controls limiting who can view or modify it, activity monitoring and logging, regular backups and a minimum one-year data retention period for logs.
For IT/ITES companies and GCCs, this is not just a checkbox. These requirements apply to your internal HR systems and to any client data environments where you act as a processor. Your security controls need to be assessed and documented against Rule 6 specifically.
Breach notification within 72 hours – what that means operationally
If a personal data breach occurs, DPDPA requires notification to the Data Protection Board of India and to affected individuals within 72 hours of becoming aware of it.
For a GCC or IT/ITES firm, this is an operational challenge. You need to know about the breach fast enough to notify in time. That means your monitoring systems must detect incidents in near real time. It also means your incident response plan must define who notifies whom (within your organisation, with your global parent and with your client) before an actual breach occurs.
Conclusion
DPDPA does not carve out an exception for IT/ITES companies or GCCs. If your organisation processes personal data of Indian residents (and virtually every GCC and IT/ITES firm does), you carry real obligations under the Act.
CyberNX’s DPDPA Consulting team works with IT/ITES companies and GCCs to build compliance programmes that are practical, auditable and aligned with how your business actually operates. Have questions about where to start? Talk to our team.
DPDP compliance for GCCs and IT/ITES FAQs
Does DPDPA apply to IT/ITES companies that only process data for foreign clients?
Yes. DPDPA applies to any organisation that processes digital personal data of individuals in India, regardless of where the client or parent company is located. If your employees, contractors or delivery operations involve Indian residents’ data, you are subject to DPDPA obligations.
What is the difference between a data fiduciary and a data processor under DPDPA?
A Data Fiduciary determines the purpose and means of processing personal data. A Data Processor processes data on the instructions of a Fiduciary. IT/ITES companies and GCCs are often both – a fiduciary for employee data and a processor for client delivery data. Each role carries distinct obligations under the Act.
What happens if a GCC’s client instructs them to transfer data outside India?
The Data Fiduciary – typically the global client – bears primary responsibility for ensuring transfers comply with DPDPA. However, as a Data Processor, you must ensure your contracts clearly address cross-border transfer obligations and that you are not facilitating a non-compliant transfer. Legal review of your DPAs is strongly recommended before you comply with any such instruction.