The DPDP questions GCC leaders are asking, and what really changes
By Ritika Loganey Gupta, GCC Tax Leader and Shiv Narain, GCC Consulting Partner, EY India
With the Digital Personal Data Protection (DPDP) Act and Rules now notified and effective from 13 November 2025, most Global Capability Centres (GCCs) understand the law. However, this understanding is often mistaken for readiness. In boardrooms, the realisation is setting in that DPDP is not a legal exercise, but much more an operational stress test.
The shift underway is from interpretation to execution, and many organisations are not yet prepared. An EY India survey of nearly 150 enterprises shows that 71% still struggle to interpret the Act and Rules, and almost 80% have not yet updated privacy policies or governance frameworks. As enforcement approaches, leaders are moving past policy discussions toward a harder question: can we demonstrate compliance in real operating conditions?
What does DPDP mean for analytics, AI and automation?
DPDP is not an AI law, but it is already shaping how AI will operate. Purpose limitation challenges the reuse of historical datasets. Consent requirements affect training pipelines. Accountability expectations bring automated decisions under sharper scrutiny. For GCCs driving analytics and AI from India, DPDP is becoming an early governance checkpoint—forcing answers to questions that many organisations have so far avoided: where did the data come from, how exactly will it be used, and who is accountable for the outcome?
As DPDP moves toward enforcement, the real question for boards is no longer “Are we compliant?” but “Will our systems and teams hold up under pressure?” Compliance that cannot be demonstrated is indistinguishable from noncompliance.
For most GCCs, the answers are still uncertain. Do organisations truly know what personal data they handle and how it flows across systems? Are breach and grievance responses tested against real timelines, or are they theoretical? Are controls embedded into workflows, or dependent on policy documents? And most critically, does leadership in India genuinely own the outcome?
Addressing these questions requires more than incremental fixes.
Unavoidable shifts
Three shifts are unavoidable. First, visibility over personal data. Many organisations still cannot say, with confidence, what data they hold, where it resides or how it moves. Second, system-embedded controls. Consent, access, retention and audit cannot rely on manual oversight—they must be engineered into platforms. Third, real monitoring and response capability—early detection, clear thresholds and rehearsed execution.
Yet progress remains slow. EY’s survey shows that only 48% have begun formal gap assessments, fewer than 44% have documented data processing activities, and just 38% have identified third-party processors. At GCC scale, these gaps multiply exposure—they do not remain isolated weaknesses but become systemic risks across global operations.
What changes for GCC operating models
There is also a growing recognition that GDPR playbooks cannot simply be repurposed because DPDP is less about what you say on paper and more about how your systems actually behave—it forces real changes in workflows, not just policy alignment. DPDP does not rely on “legitimate interest” and does not tolerate broad or bundled notices. It demands specificity—of purpose, of consent, and of withdrawal. This directly disrupts employee platforms, customer journeys and internal systems. In many GCCs, it is exposing an inconvenient truth: privacy has often existed in PowerPoint decks, not in production systems.
The same pattern is emerging in breach preparedness. Many organisations are still looking for technology solutions to what is, in reality, a leadership problem. DPDP’s “without delay” notification expectation and 72-hour reporting timelines leave no room for confusion. If escalation paths are unclear or ownership is shared, response will fail—regardless of tools. The GCCs that will get this right are not the ones with the most sophisticated tech stacks, but the ones with the clearest decision-making discipline.
DPDP also forces long-delayed clarity on roles—when the India entity is a data fiduciary versus a processor—and demands that contracts, operating models and accountability finally reflect that reality. With fixed timelines—12 months for consent-manager provisions and 18 months for full compliance—organisations have time to act, but not to procrastinate.
So what can GCCs do to bridge this preparedness gap?
For most, the journey starts with gap assessments—but the real challenge lies beneath the surface. While structured datasets such as employee and HR records in payroll systems are relatively easier to map, risk is increasingly concentrated in unstructured environments. Collaboration tools, shared drives and internal platforms hold large volumes of personal data with limited visibility or control, making them the hardest area to govern under DPDP.
In response, leading GCCs are moving quickly to build core capabilities. Data discovery and classification tools are being deployed to identify where personal data actually resides, alongside tighter data segregation, purpose-based processing and role-based access controls. At the same time, notice, consent and grievance mechanisms are being embedded directly into workflows, supported by auditable systems, while vendor ecosystems are coming under sharper contractual and technical scrutiny. Just as critical is alignment with headquarters—treating DPDP not as a standalone India requirement, but as an extension of global privacy programmes. This ensures consistency, clearer escalation and stronger enterprise-wide accountability.
A moment India should not waste
Seen clearly, DPDP is not a constraint on India’s GCC growth – it is an upgrade. It strengthens alignment with global expectations and supports India’s position as a trusted digital economy. For GCC leaders, the opportunity is to move early, strengthen execution and position India not just as a delivery base, but as a credible and trusted steward of data. Done well, compliance is not a cost – it is credibility.