India's Digital Personal Data Protection Act rules will require companies to adopt new consent manager frameworks by May 2027. Global Capability Centres must now analyze their data infrastructure to determine which operations fall under local consent rules versus foreign data exemptions.
What Happened
India’s regulatory landscape for data privacy is shifting as the Digital Personal Data Protection (DPDP) framework prepares for full implementation. A central feature of these rules is the introduction of 'consent managers,' which are intermediaries designed to help individuals track and manage how their personal information is used. Entities looking to operate as consent managers can begin the registration process in November 2026, with the final deadline for full compliance set for May 2027. This change impacts a wide range of companies, particularly Global Capability Centres (GCCs) that handle data for both Indian and international clients.
Why This Matters For GCCs
For companies operating GCCs in India, the primary challenge is determining which data falls under the new Indian rules and which qualifies for an exemption. The government has provided a carve-out for Indian entities that process the data of foreign citizens under contracts with overseas firms. In these cases, the foreign entity's local data laws, such as the GDPR in Europe, remain the primary authority. However, this is not a blanket exemption for the entire GCC. It applies strictly to the specific data being processed under those foreign contracts, creating a complex operational environment for firms that use shared digital infrastructure.
The Challenge of Shared Infrastructure
Many GCCs in India function as service hubs for their global parent companies, often housing data for both domestic and international employees or customers on the same servers. The new rules mean these centers cannot simply apply one set of privacy standards to all their data. They must perform a detailed audit to separate data streams. If a GCC processes data for an Indian employee, it must be ready to integrate with registered consent managers. If it processes data for a German employee under a contract with its parent company, those consent manager obligations may not apply. Failing to make this distinction correctly could lead to technical and compliance gaps.
Operational Requirements and Costs
To qualify as a consent manager, an entity must be incorporated in India and maintain a minimum net worth of INR 2 crore. These managers are required to act as independent fiduciaries, meaning they must remain separate from any company whose data they manage. They are also tasked with operating on a 'data-blind' basis, ensuring they facilitate the movement of consent signals without accessing or monetizing the sensitive information itself. For GCCs, this means investing in interoperable technology that can communicate with multiple consent platforms rather than relying on a single, internal-only solution.
What Investors Should Track
As the May 2027 deadline approaches, the key monitorables for stakeholders are the technical integration costs and the potential impact on operational efficiency for Indian tech hubs. Investors may watch for how companies modify their IT infrastructure to handle 'data-blind' consent signals. Additionally, management commentary regarding compliance budgets and the potential for increased legal oversight of data processing activities will be important indicators of how these firms are managing their regulatory exposure.
