DPDP Act 2023: A 2027 Compliance Checklist for GCCs in India
Global Capability Centers (GCCs) in India face a critical deadline: the substantive obligations of the Digital Personal Data Protection (DPDP) Act 2023 become enforceable on 11 May 2027. DPDP compliance for GCC operations requires action now on consent and legal-basis frameworks, data mapping, breach notification protocols, and data processor contracts, with direct intersections to ISO 27001 and SOC 2 certifications. This checklist outlines the seven essential steps GCCs must complete within the next 24 months to avoid penalties of up to ₹250 crore and operational disruption.
1. Establish Consent Management & Legal Basis Framework
The DPDP Act requires a lawful basis before personal data is processed: either consent under Section 6, or one of the "certain legitimate uses" listed in Section 7, which include processing for purposes of employment (Section 7(i)). GCCs handling employee data (India-based and expatriate staff), client contacts, and vendor details must decide and document which basis applies to each purpose, and redesign consent workflows for every purpose that does not fall under a legitimate use.
- Audit current consent mechanisms: Review all data collection touchpoints—onboarding forms, HR systems (Workday, SAP SuccessFactors), client databases, and vendor portals. Document which consents exist and which are missing.
- Implement granular consent architecture: Distinguish between different processing purposes (payroll, performance management, vendor compliance, client deliverables). Use preference management platforms (e.g., OneTrust, TrustArc) to track consent per data subject per purpose.
- Create consent withdrawal mechanisms: Build self-service portals where employees and vendors can withdraw consent. Section 6(4) requires withdrawal to be as easy as giving consent, so a withdrawal must not route through an approval queue. This aligns with ISO 27001:2022 A.5.1 (policies for information security) and supports SOC 2 CC6.1 (logical access controls) where withdrawal automatically removes the downstream processing entitlement.
- India-specific example: A Bangalore-based GCC with 5,000 employees must obtain fresh consent for processing biometric attendance data, location tracking, and performance analytics before May 2027 wherever it relies on consent rather than the employment legitimate use. Failure to do so is penalised under Section 33 read with the Schedule: up to ₹50 crore for breach of any other provision of the Act, and up to ₹250 crore where the failure amounts to missing reasonable security safeguards.
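The legal-basis and granular-consent design described in this section, as an added worked example rather than code from the original article or from TechTweek: a small purpose register maps each processing purpose to its basis (consent under Section 6, or a Section 7 legitimate use), and a ledger answers "may we process this data principal's data for this purpose?" so that consent for one purpose never leaks into another and withdrawal takes effect immediately. The purpose identifiers, the classification of payroll as a Section 7(i) employment use, the classification of biometric attendance as consent-based, and the sample employee ID are assumptions made for the example.

```python
"""Purpose-level legal-basis and consent ledger.

Added illustration, not code from the original article or from TechTweek.
Purpose identifiers, their statutory classification and the sample data
principal are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Basis(Enum):
    CONSENT = "consent"                 # DPDP Act s.6: free, specific, informed, unambiguous
    LEGITIMATE_USE = "legitimate_use"   # DPDP Act s.7: no consent needed for the listed uses


@dataclass(frozen=True)
class Purpose:
    id: str
    description: str
    basis: Basis
    reference: str  # statutory hook recorded for audit, e.g. "s.7(i) employment" or "s.6"


@dataclass
class ConsentRecord:
    principal_id: str
    purpose_id: str
    given_at: datetime
    withdrawn_at: datetime | None = None


class ConsentLedger:
    """Tracks consent per data principal per purpose and answers 'may we process?'."""

    def __init__(self, purposes: list[Purpose]) -> None:
        self._purposes = {p.id: p for p in purposes}
        self._consents: dict[tuple[str, str], ConsentRecord] = {}
        self.audit_log: list[tuple[datetime, str, str, str]] = []

    @staticmethod
    def _now(at: datetime | None) -> datetime:
        return at or datetime.now(timezone.utc)

    def record_consent(self, principal_id: str, purpose_id: str, at: datetime | None = None) -> None:
        purpose = self._purposes[purpose_id]
        if purpose.basis is not Basis.CONSENT:
            # Collecting consent for a legitimate-use purpose muddles the audit trail; refuse it.
            raise ValueError(f"{purpose_id} rests on {purpose.reference}; do not collect consent for it")
        when = self._now(at)
        self._consents[(principal_id, purpose_id)] = ConsentRecord(principal_id, purpose_id, when)
        self.audit_log.append((when, "consent_given", principal_id, purpose_id))

    def withdraw_consent(self, principal_id: str, purpose_id: str, at: datetime | None = None) -> None:
        # s.6(4): withdrawal must be as easy as giving consent, so this is one call with no approval step.
        record = self._consents.get((principal_id, purpose_id))
        if record is None or record.withdrawn_at is not None:
            raise KeyError(f"no active consent for {principal_id}/{purpose_id}")
        record.withdrawn_at = self._now(at)
        self.audit_log.append((record.withdrawn_at, "consent_withdrawn", principal_id, purpose_id))

    def may_process(self, principal_id: str, purpose_id: str) -> tuple[bool, str]:
        """Decision plus a reason string suitable for logging next to the processing event."""
        purpose = self._purposes.get(purpose_id)
        if purpose is None:
            return False, "purpose not registered; register it with a legal basis before processing"
        if purpose.basis is Basis.LEGITIMATE_USE:
            return True, f"legitimate use under {purpose.reference}"
        record = self._consents.get((principal_id, purpose_id))
        if record is None:
            return False, "no consent on record for this purpose (consent for another purpose does not carry over)"
        if record.withdrawn_at is not None:
            return False, f"consent withdrawn at {record.withdrawn_at.isoformat()}"
        return True, f"consent given at {record.given_at.isoformat()}"


# Constructed purpose register for a GCC's HR processing (assumed classification).
PURPOSES = [
    Purpose("payroll", "Salary processing and statutory deductions", Basis.LEGITIMATE_USE, "s.7(i) employment"),
    Purpose("biometric_attendance", "Fingerprint-based attendance", Basis.CONSENT, "s.6"),
    Purpose("performance_analytics", "Productivity scoring from activity data", Basis.CONSENT, "s.6"),
]


def demo() -> list[tuple[str, bool]]:
    """Walk one (constructed) employee through the ledger and return the decisions taken."""
    ledger = ConsentLedger(PURPOSES)
    emp = "EMP-00042"
    out = [("payroll_no_consent", ledger.may_process(emp, "payroll")[0])]
    out.append(("biometric_before", ledger.may_process(emp, "biometric_attendance")[0]))
    ledger.record_consent(emp, "biometric_attendance")
    out.append(("biometric_after", ledger.may_process(emp, "biometric_attendance")[0]))
    out.append(("analytics_not_covered", ledger.may_process(emp, "performance_analytics")[0]))
    ledger.withdraw_consent(emp, "biometric_attendance")
    out.append(("biometric_withdrawn", ledger.may_process(emp, "biometric_attendance")[0]))
    return out


if __name__ == "__main__":
    for name, allowed in demo():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the design is that the processing code never inspects a consent flag directly; it asks the ledger, which knows the legal basis per purpose. A preference management platform of the kind named above plays the same role at enterprise scale, and the audit log here is the evidence an auditor will ask for: who consented to what, when, and when it was withdrawn.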
2. Build Data Inventory, Classification & Mapping
DPDP compliance requires complete visibility into what personal data exists, where it flows, and how it is processed. This is foundational for both DPDP enforcement and ISO 27001:2022 controls A.5.9 (inventory of information and other associated assets) and A.5.12 (classification of information).
- Conduct enterprise-wide data mapping: Document all systems, databases, and applications storing personal data—ERP systems (Oracle, SAP), CRM platforms (Salesforce), cloud storage (AWS S3, Azure), email systems, and third-party integrations. Use RACI matrices to assign ownership per data category.
- Classify data by sensitivity: Segment into categories—employee personal data, client financial records, vendor contact details, sensitive personal data (health, biometrics, caste, religion). Tag each with processing legal basis and retention period.
- Map data flows: Trace movement between systems. Example: India GCC processes US client payroll → data moves from local HRIS → cloud gateway (AWS) → client systems. Each handoff must be logged and justified under DPDP.
- Create a Data Register: Maintain a live registry (Excel, Dataedo, or automated tools) listing data source, purpose, processor, storage location, retention period, and consent status. Update quarterly.
- Alignment with SOC 2 Type II: This inventory directly supports SOC 2 CC6.1 (logical access security) and CC7.2 (monitoring for anomalies) by showing auditors which systems hold personal data and therefore where access restrictions and monitoring must be evidenced.
3. Implement 72-Hour Breach Notification & Incident Response
Rule 7 of the DPDP Rules 2025 requires a data fiduciary that becomes aware of a personal data breach to intimate each affected data principal and the Data Protection Board without delay, and to send the Board a detailed report within 72 hours of becoming aware of the breach (or within a longer period the Board allows on written request). GCCs with 24/7 operations across India, the US, the EU, and Australia must embed breach detection and escalation into incident response protocols, because the clock runs from awareness regardless of which shift is on duty.
- Deploy breach detection tools: Integrate SIEM solutions (Splunk, ELK Stack), DLP software (Digital Guardian, Code42), and vulnerability scanners (Qualys, Nessus) to identify unauthorized access, data exfiltration, or anomalies.
- Create breach response playbooks: Document roles, timelines, and notification templates. Example: security incident detected and confirmed as a personal data breach at 2 PM IST → response team notified within 15 minutes → investigation initiated → initial intimation to affected data principals and the DPB sent without delay → risk assessment completed by 6 PM → detailed DPB report drafted by 10 AM next day and filed well inside the 72-hour window. The window runs from the moment the GCC became aware, not from when the report was started.
- Set up follow-the-sun monitoring: TechTweek's 24/7 NOC model gives India-based GCCs breach detection coverage across all time zones; overnight incidents in India are escalated to US/EU teams for immediate investigation. Record every handoff against a single, timezone-aware incident clock so that no shift restarts the 72 hours.
- Document breach register: Maintain records of all breaches (confirmed and suspected), investigation outcomes, and remediation actions. This satisfies Section 8(6) of the Act (breach intimation) and maps to ISO 27001:2022 controls A.5.24 to A.5.28 (incident management planning, assessment, response, learning, and evidence collection).
- Regulatory requirement: Failure to notify a personal data breach to the Board and affected data principals attracts a penalty of up to ₹200 crore under Section 33 read with the Schedule.
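The breach clock in the playbook above, as an added worked example rather than code from the original article or from TechTweek: the 72-hour window and the playbook's internal SLAs are computed as elapsed time in UTC and then shown on each handoff team's wall clock, and the block contrasts that with the tempting mistake of adding 72 hours to the detecting region's local time. The milestone names, the SLA values for the internal steps (taken from the article's 15-minute and 4-hour example timeline), and the incident timestamps are constructed for the example; only the 72-hour report window comes from Rule 7.

```python
"""72-hour breach notification clock for a follow-the-sun GCC.

Added illustration, not code from the original article or from TechTweek.
The internal SLAs (15 minutes to notify the response team, 4 hours to a
completed risk assessment) follow the article's example timeline; milestone
names and the sample incident timestamps are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

REPORT_WINDOW = timedelta(hours=72)   # DPDP Rules 2025, Rule 7: detailed report to the DPB
PLAYBOOK_SLA = {                        # elapsed time allowed from the moment of awareness
    "team_notified": timedelta(minutes=15),
    "risk_assessment_done": timedelta(hours=4),
    "dpb_detailed_report": REPORT_WINDOW,
}


def at(y: int, m: int, d: int, h: int, mi: int, zone: str) -> datetime:
    """Build a timezone-aware timestamp in the IANA zone where it was recorded."""
    return datetime(y, m, d, h, mi, tzinfo=ZoneInfo(zone))


def _require_aware(ts: datetime) -> datetime:
    """Refuse naive timestamps: a clock spanning India, the US and the EU must never guess a zone."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"timestamp {ts.isoformat()} carries no timezone")
    return ts


@dataclass(frozen=True)
class BreachClock:
    became_aware: datetime   # the clock runs from awareness, not from when the report is started

    def __post_init__(self) -> None:
        _require_aware(self.became_aware)

    def deadline(self, milestone: str) -> datetime:
        """Deadline in UTC: elapsed-time arithmetic, immune to DST changes in any handoff region."""
        return self.became_aware.astimezone(timezone.utc) + PLAYBOOK_SLA[milestone]

    def deadline_in(self, milestone: str, zone: str) -> datetime:
        """The same instant shown on the wall clock of the team that will act on it."""
        return self.deadline(milestone).astimezone(ZoneInfo(zone))

    def check(self, milestone: str, done_at: datetime) -> tuple[bool, int]:
        """Return (met, slack_minutes); negative slack means the milestone was missed."""
        slack = self.deadline(milestone) - _require_aware(done_at).astimezone(timezone.utc)
        return slack >= timedelta(0), int(slack.total_seconds() // 60)


def naive_local_deadline(became_aware: datetime) -> datetime:
    """The tempting mistake: add 72 hours to the detecting region's wall clock and re-attach its zone."""
    wall = became_aware.replace(tzinfo=None) + REPORT_WINDOW
    return wall.replace(tzinfo=became_aware.tzinfo)


def demo() -> dict:
    # Constructed incident: the US shift confirms a breach at 8 PM New York time on
    # Saturday 1 Nov 2025, the night before US clocks fall back one hour.
    clock = BreachClock(at(2025, 11, 1, 20, 0, "America/New_York"))
    correct = clock.deadline("dpb_detailed_report")
    naive = naive_local_deadline(clock.became_aware)
    return {
        "ist_deadline": clock.deadline_in("dpb_detailed_report", "Asia/Kolkata").isoformat(),
        # Positive: the naive calculation tells the team it has more time than it really has.
        "naive_overshoot_minutes": int((naive - correct).total_seconds() // 60),
        "team_notified": clock.check("team_notified", at(2025, 11, 1, 20, 12, "America/New_York")),
        "risk_assessment_done": clock.check("risk_assessment_done", at(2025, 11, 2, 0, 30, "America/New_York")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

In the constructed incident the naive wall-clock calculation lands an hour after the real deadline, which is the dangerous direction: the team believes it has until 8 PM New York time on 4 November when the window actually closed at 7 PM. Storing the awareness timestamp with its zone and doing all deadline arithmetic in UTC removes that class of error for every region in the follow-the-sun rotation.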
4. Define Data Processor Obligations & Contracts
If your GCC engages cloud providers (AWS, Google Cloud, Azure), third-party vendors, or outsourced teams to process personal data on its behalf, they are "data processors" under DPDP, and Section 8(2) allows a data fiduciary to engage a processor only under a valid contract. Contracts must explicitly detail processor responsibilities.
- Review and amend Data Processing Agreements (DPAs): Ensure all processor contracts (AWS addenda, vendor SOWs) include DPDP-specific clauses: purpose limitation, security measures, sub-processor approval, data principal rights support, breach reporting to the fiduciary, deletion on completion, and audit rights. Use templates from NASSCOM, DSCI, or specialist cyber-law counsel.
- Audit processor certifications: Verify that all data processors hold ISO 27001 certification and SOC 2 Type II attestations (TechTweek's AWS Advanced Consulting Partner status is an example of the independently verified standing to look for). Under Section 8(1) your GCC remains responsible for compliance irrespective of any contract to the contrary or any failure by the processor.
- Implement processor due diligence: Before onboarding any vendor, conduct security assessments covering data handling, access controls, encryption, and incident response capabilities.
- India example: A GCC outsourcing recruitment to a Delhi-based agency must ensure the agency signs a DPDP-compliant DPA covering candidate personal data (CVs, contact details, interview notes). Without this, the GCC, as the data fiduciary, remains liable for any breach the agency causes.
- SOC 2 relevance: Processor audits align with SOC 2 CC9.2 (assessing and managing risks associated with vendors and business partners) and CC6.1 (logical access control) assessments.
5. Align DPDP with ISO 27001:2022 & SOC 2 Type II
DPDP compliance is not standalone. GCCs must integrate it with existing or planned ISO 27001 and SOC 2 certifications to avoid duplicative efforts and demonstrate maturity to global clients.
- ISO 27001 mapping: ISO 27001:2022 groups Annex A into four themes, and DPDP requirements land in A.5 (organizational controls, including information classification, supplier relationships, incident management, and A.5.34 privacy and protection of PII), A.6 (people controls such as screening and awareness), A.7 (physical controls), and A.8 (technological controls, including access rights, logging, data masking, data leakage prevention, and information deletion). Implement DPDP controls inside your Information Security Management System (ISMS) rather than as a parallel programme.
- SOC 2 Type II alignment: DPDP breach notification (72 hours) maps directly to SOC 2 CC7.3 (evaluating security events) and CC7.4 (responding to identified incidents). Data inventory and classification support CC6.1 (logical access security) and CC7.1 (detecting vulnerabilities and configuration changes in the systems that hold personal data).
- Certification timeline: GCCs targeting ISO 27001 certification by end of 2026 can incorporate DPDP controls from the outset, reducing remediation post-enforcement. SOC 2 audits typically require 6 months of operational evidence; start preparations by Q3 2026.
- TechTweek’s integrated approach: Our team has helped 20+ India-based GCCs simultaneously achieve ISO 27001, SOC 2 Type II, and DPDP readiness, reducing implementation timelines by 30% through coordinated control mapping and shared evidence documentation.
6. Establish Data Subject Rights Management
DPDP grants data principals the right to obtain a summary of their personal data and of the processing (Section 11), the right to correction, completion, updating, and erasure (Section 12), the right to grievance redressal (Section 13), and the right to nominate another person to exercise these rights (Section 14). GCCs must build processes to handle these requests within the timelines they publish.
- Create a Data Subject Request (DSR) portal: Employees, vendors, and clients should be able to submit access, correction, or deletion requests via a self-service platform. Implement a ticketing system to track every request to closure. DPDP does not copy GDPR's one-month deadline; the DPDP Rules 2025 instead require the fiduciary to publish how requests are made and responded to, and cap the time for resolving grievances at 90 days, so set and publish a shorter internal target and measure against it.
- Develop request handling workflows: Assign responsibilities—HR for employee data, vendor management for supplier data, client success for client data. Ensure legal review before fulfilling deletion requests to balance DPDP rights with legal retention obligations.
- Document compliance: Maintain records of all DSRs received, actions taken, and closure dates. This evidence supports both DPDP inquiries and ISO 27001:2022 A.5.33 (protection of records) and A.5.34 (privacy and protection of PII).
7. Prepare for DPDP Audits & DPB Inspections
The Data Protection Board (DPB) can inquire into a GCC's compliance on receipt of a breach intimation, a complaint from a data principal, or a reference from the government, and can direct remedial measures and impose penalties. Begin audit readiness preparations now.
- Document governance structure: Appoint a Data Protection Officer (DPO) if your GCC is notified as a Significant Data Fiduciary (Section 10 requires one based in India and accountable to the board of directors); otherwise designate a compliance lead responsible for DPDP adherence. In every case publish the contact details of a person able to answer data principals' questions, as Section 8(9) requires. Create audit trails showing management oversight, board-level accountability, and regular compliance reviews.
- Maintain audit evidence: Retain logs of consent grants, breach investigations, processor audits, data subject requests, and training records for at least 3 years. Use centralized repositories (SharePoint, Confluence) for easy retrieval during inspections.
- Conduct mock audits: Engage external auditors (DSCI-certified consultants, Big 4 firms) to simulate DPB inspections by Q2 2026. Identify gaps and remediate proactively.
- Train workforce: Conduct quarterly DPDP awareness training for all employees—security teams, HR, operations, and legal. Document attendance and competency assessments.
FAQ: DPDP Act Compliance for GCCs
What is the penalty for non-compliance with the DPDP Act?
Section 33 of the DPDP Act, read with its Schedule, sets monetary penalties by category of breach: up to ₹250 crore for failing to take reasonable security safeguards (Section 8(5)), up to ₹200 crore for failing to notify a personal data breach (Section 8(6)), up to ₹150 crore for breaching the additional obligations of a Significant Data Fiduciary, and up to ₹50 crore for breach of any other provision. These are capped amounts, not percentages of turnover as under GDPR, and the Board weighs the nature, gravity, and duration of the breach, the type of data affected, whether the breach was repetitive, and the mitigation taken. GCCs that process large volumes of Indian personal data are the most exposed.
Do GCCs need a Data Protection Officer under DPDP?
Not in every case. The Act requires a DPO (based in India and accountable to the board of directors) only for entities the Central Government notifies as Significant Data Fiduciaries under Section 10. Every data fiduciary must still publish the contact details of the DPO or another person able to answer data principals' questions (Section 8(9)), so large GCCs (500+ employees or extensive personal data processing) should designate a named owner now and treat SDF notification as a realistic possibility given the volume and sensitivity of the data they handle.
How does DPDP differ from GDPR, and which applies to India GCCs?
DPDP is India's data protection law; GDPR applies to personal data of individuals in the EU wherever the processing takes place. GCCs processing EU client or employee data must comply with GDPR regardless of location, typically as a processor under an Article 28 agreement with the EU entity. TechTweek supports GCCs in dual compliance (both DPDP and GDPR) through integrated governance frameworks.
Can GCCs transfer personal data to parent companies abroad under DPDP?
Yes. DPDP does not require separate explicit consent for the transfer itself: Section 16 permits transfer of personal data to any country other than those the Central Government restricts by notification, and the DPDP Rules 2025 allow the Government to attach conditions to particular transfers. The fiduciary's obligations travel with the data, so document every transfer, put the parent company under a valid processor contract where it processes on the GCC's behalf, and ensure it maintains DPDP-aligned security safeguards.
What is the role of ISO 27001 and SOC 2 in DPDP compliance?
Section 8(5) of the DPDP Act requires "reasonable security safeguards", and Rule 6 of the DPDP Rules 2025 spells out the minimum: encryption, obfuscation or masking of personal data, access control, monitoring and retention of logs to detect and investigate breaches, backups, and contractual safeguards with processors. ISO 27001 and SOC 2 provide the control framework and the audit evidence for exactly these measures, so GCCs holding them can show clients and the DPB that they meet both compliance and security standards, which reduces the exposure in any inquiry.
The May 2027 DPDP enforcement deadline is a critical milestone for India GCCs. Procrastination risks operational shutdown, regulatory penalties, and erosion of client trust. Start with consent audits and data mapping immediately; prioritize processor contracts and breach notification protocols by Q4 2025; and achieve ISO 27001 or SOC 2 certification by Q2 2026. TechTweek Infotech's AWS Advanced Consulting Partner expertise, 24/7 follow-the-sun coverage, and proven track record with India-based GCCs ensure your compliance roadmap is realistic, cost-efficient, and defensible during DPB inquiries. Explore our GCC Compliance Services: ISO 27001, SOC 2 & DPDP offerings to align your governance, security, and data protection strategies across all frameworks.