Data Privacy Perspective of GCCs in India

Global Capability Centers (GCCs) are centralized entities established by multinational enterprises to deliver comprehensive business services, encompassing research and development, information technology support, customer care, and data analysis. These centres are frequently based in nations such as India, drawing on their human resources and comparatively lower operating costs. In-country GCCs cater to both local and global clients and thus work on data that may be regulated to varying degrees depending on the regulatory environment.

The scale and variety of data managed by GCCs make them an attractive target for cybercriminals. Hence, ensuring the integrity and confidentiality of data while giving working professionals access to it is one of the most critical aspects.

Data protection has become one of the biggest concerns for organizations around the globe in recent times. Data privacy and protection are especially important for GCCs in India because of the sensitive data these centers process and store. Such centers, which offer outsourced services like IT support, business operations and customer service, typically process huge volumes of personal, financial and corporate data from customers all over the world. As cyber-attacks, data breaches and changing regulations increasingly plague the business landscape, adequate protection of data in GCCs is becoming an area of concern for enterprises and customers alike.

This article discusses the major data protection challenges faced by GCCs in India, outlines the relevant regulatory framework for GCCs in India, and sets out the best practices that can be adopted to protect data.

Digital Personal Data Protection Act 2023 (‘PRIVACY ACT’)

The Privacy Act is the most significant milestone on the data protection front in India. Originally introduced in December 2019, the Privacy Act seeks to regulate data processing and protect the personal privacy of individuals. While it takes cues from the GDPR, its provisions are tailored to India’s distinct circumstances.

Important aspects of the Privacy Act are as follows:

(i) Consent-Based Data Collection: Organizations are required to get clear consent from an individual before they can collect and process that individual's data.

(ii) Data Protection Authority (DPA): The bill establishes a DPA to monitor compliance with the Privacy Act, impose penalties for breaches of the law, and address complaints.

(iii) Individual Data Subject Rights: The PRIVACY ACT details the rights of individuals to access, correct and delete their data.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘IT Rules 2011’)

In India, the IT Rules 2011 govern the collection and processing of sensitive personal data or information (SPDI). These rules currently form the legal basis for privacy and data protection in India, although the PRIVACY ACT would repeal them. The rules require organizations to adopt reasonable security practices and procedures while handling SPDI.

The IT Rules do remain in place, but they are limited and don't provide the scope of protections that would arise from the PRIVACY ACT.

Cross-border Data Transfers

As GCCs are usually global, the transfer of data across borders is a common issue. Multinational companies, for example, frequently move data from their GCCs in India to their banks and the companies’ headquarters in other nations. Such transfers are also governed by regulatory frameworks, including the GDPR, which sets certain requirements that must be fulfilled for such transfers and thus requires compliance from businesses on both ends of the data exchange.

The Issues of Data Protection for GCCs in India

Several challenges exist for GCCs with respect to data protection and privacy in India. These problems stem from a few different elements, including the amount of information being handled, the complexity involved in legal compliance, and the increasing sophistication of cyber threats.

Cyber-attacks and Data Security Breaches

With the growing amounts of data that GCCs manage, cyber-attacks and data breaches have become a widespread threat. Reports of ransomware, phishing attacks and Advanced Persistent Threats (APTs) have become a near-daily occurrence because GCCs store sensitive data that can be targeted, and a successful attack can result in reputational damage, financial loss or regulatory fines.

In India, smaller or less mature GCCs are often stuck with older security infrastructure and find it difficult to invest in the latest cybersecurity technologies. In addition, the increased prevalence of remote work and cloud-based services has widened the attack surface, offering cybercriminals countless opportunities to take advantage of weaknesses.

Adherence to Various Regulations

GCCs in India need to abide by various data protection regulations across a whole spectrum of domestic and overseas jurisdictions. That leads to a more complex compliance ecosystem, particularly for organizations that manage data across multiple jurisdictions. For example, GCCs that process personal data from European customers will have to comply with the General Data Protection Regulation (GDPR), and those processing data in the US will need to contend with legislation such as the California Consumer Privacy Act (CCPA).

To navigate the nuances of multiple regulations, an extensive compliance framework and dedicated resources are needed. Failure to adhere to these regulations can lead to steep fines and reputational harm.

Cross Border Transfers

Section 16 of the Privacy Act enables the free interchange of personal data with any nation, barring those specifically identified as blacklisted by the central government.

Third-Party Vendor Management

Most GCCs depend on vendors either to store their data or to provide them with software or IT infrastructure. This brings additional risk, as these vendors' data protection practices may be inconsistent with the organization's or regulatory requirements. Breaches or improper data handling by third-party vendors expose the organization to regulatory scrutiny and damage to its reputation.

It is critical for risk mitigation to ensure that third-party vendors are subject to the same rigorous set of data protection policies. This should be done by vetting vendors, imposing robust contractual requirements and auditing vendor data handling practices.

Data Protection Best Practices for GCCs

Given these challenges, GCCs in India should take a proactive and holistic approach towards data protection. Here are some best practices organizations should adopt:

I) Strong Security Measures: Cybersecurity technologies such as encryption, firewalls, intrusion detection systems and multi-factor authentication (MFA) are key to protecting sensitive information from internal and external threats.

II) Employee Training: Train employees on data protection policies, secure data handling practices, and phishing and social engineering attacks.

III) Data Minimization and Retention: Implement data minimization principles by collecting and storing only the necessary data required for your business purpose. Ensure strict data retention and deletion policies to minimize the time for which personal data is stored unnecessarily.

IV) Create a Comprehensive Data Protection Policy: Establish a solid data protection framework, detailing how employees and third parties will handle user data securely.

V) Auditing and Monitoring Compliance: Ensure ongoing compliance with data protection regulations (e.g., the PRIVACY ACT, GDPR) through regular audits and monitoring. Appoint a Data Protection Officer (DPO) to ensure compliance and keep abreast of changing legal requirements.

VI) International Data Transfers: For GCCs operating in a cross-border context, it is imperative to implement safeguards like Standard Contractual Clauses (SCCs) so that international data transfers remain compliant.

Conclusion

With GCCs in India growing and sitting at the core of global business operations, data protection needs to be a pivotal part of how GCCs operate, making businesses safer against risks like breaches, regulatory violations and cyber-attacks. By following industry-recognized best practices, investing in security infrastructure and compliance initiatives, and keeping up with regulatory updates that impact their businesses, GCCs will continue to defend sensitive data while fostering trust from clients and consumers.

Iqbal Tahir & Gaurav Kapur are corporate lawyers specialising in M&A, Information Technology, Insolvency and Real Estate. Views expressed are personal.

Rajess K Pandey

Transformative IT & eCommerce Strategist | Efficiency Expert & Business Problem Solver | Business Process Optimization Specialist | Scaling Your Success from ₹1Cr to ₹100Cr

5mo

Wow, this is a masterpiece! Iqbal Tahir You’ve not just scratched the surface but dived deep into the complexities of data protection for GCCs in India, unraveling challenges and presenting actionable solutions with remarkable clarity. Your emphasis on the Privacy Act, cross-border compliance, and third-party risks is spot-on, but what truly stands out is the vision you bring—empowering GCCs to not only safeguard data but to become global benchmarks of trust and excellence. I feel this article isn’t just informative; it’s transformational for anyone navigating the GCC space. Hats off to your brilliance! 👍
