Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

India's Consent Manager Deadline Is Four Months Away — and 1,800 GCCs Are Unprepared

The DPDP Act's consent manager framework activates November 13, 2026. A new legal analysis warns India's GCCs face a unique infrastructure problem no one has solved.

D
DPDPBot Research Team
🕐 10 min read

#India's Consent Manager Deadline Is Four Months Away — and 1,800 GCCs Are Unprepared

Four months from now, on November 13, 2026, India's Consent Manager framework goes live under the Digital Personal Data Protection (DPDP) Act. For most companies, this deadline has been an afterthought — everyone has been watching the "real" enforcement date of May 2027. But a fresh analysis published by Bar and Bench on July 3, 2026 makes the case that India's 1,800+ Global Capability Centers — the back-office and technology operations that multinationals run out of cities like Bengaluru, Hyderabad, and Pune — face a specific, structural compliance problem that the November deadline will force into the open.

The analysis, authored by Siddhi Ghatlia and Khusbu Jasani of ALMT Legal, is the first dedicated legal treatment of how the Consent Manager construct interacts with the GCC operating model. The conclusion is uncomfortable: most large GCCs are running on shared global infrastructure that was never designed to route consent signals from Indian residents to third-party intermediaries — and retrofitting that infrastructure in four months is not a small task.


The DPDP Rules, 2025 — notified by MeitY on November 14, 2025 — created a new category of regulated entity in India: the Consent Manager. Under Section 6(6) of the Act and Rule 4, a Consent Manager is an India-incorporated company with a minimum net worth of ₹2 crore that registers with the Data Protection Board of India (DPBI) to serve as a single point of contact for Indian data principals.

The function is specific. A Consent Manager enables an individual — the data principal, in DPDP terminology — to give, manage, review, and withdraw consent across multiple data fiduciaries through one interoperable platform. A person who has shared their data with a hospital, a payment app, and an e-commerce platform should, in theory, be able to manage all of those consent records in one place through their chosen Consent Manager, rather than logging into three separate privacy dashboards.

Critically, Consent Managers are required to operate on a "data-blind basis." They orchestrate consent signals but cannot access, use, or profit from the underlying personal data. They are infrastructure, not intermediaries with data access.

For data fiduciaries — the companies that actually collect and process data — the obligation is one of interoperability. Regardless of which registered Consent Manager a data principal chooses to use, the data fiduciary's systems must be technically capable of receiving that consent signal and acting on it. A company cannot require its users or employees to use one specific Consent Manager. The choice belongs to the data principal.

That last point is where GCCs run into serious trouble.


#Why GCCs Are a Special Case

India's Global Capability Centers are not typical data fiduciaries. A GCC is usually a wholly-owned subsidiary of a foreign parent company — a captive operation providing services back to the parent entity. Think of an American bank's technology center in Hyderabad, or a German automotive company's engineering hub in Bengaluru. According to NASSCOM's 2026 GCC Landscape Report, India now hosts over 1,800 such centers, employing nearly two million professionals and generating $64.6 billion in revenue in FY2024.

The key operational characteristic of a GCC is that it almost never runs its own isolated technology stack. It shares HR systems, identity management platforms, payroll infrastructure, and communication tools with its parent and with sister entities across the globe. An employee's data in a GCC's Bengaluru office typically sits in the same Workday or SAP instance as their counterpart in Frankfurt or New York.

This creates two compliance problems under the DPDP Act.

First: The DPDP Act applies to the processing of digital personal data within India. An Indian employee of a GCC is a data principal under the Act. When that employee's HR records, biometric attendance data, or payroll information is processed on a shared global system, the Indian-resident data co-mingles with foreign employee data in ways that make clean segregation technically difficult and operationally expensive.

Second: Even if the GCC could segregate, it cannot standardize. Because the data principal — the Indian employee — has the right to choose which Consent Manager they use, the GCC's systems must be architected to receive consent signals from potentially many different registered Consent Managers, not a single one that the GCC could pre-integrate. Building one integration is a project. Building interoperability with a marketplace of registered Consent Managers is an architecture.


#The Critical Carve-Out — and Its Limits

The ALMT Legal analysis identifies one important relief valve for GCCs. The DPDP Act contains a carve-out that removes consent obligations for the processing of foreign personal data by an Indian entity acting under contract with a foreign principal. Put simply: if a GCC is processing data about non-Indian employees or customers purely as a contracted service provider for its overseas parent, that processing falls outside the Act's consent framework.

This is meaningful. A GCC in Chennai processing customer data from Germany or the United States for its parent company can rely on this carve-out for that foreign data stream.

But it does not solve the core problem. The carve-out applies to foreign personal data, not Indian personal data. The Indian employees of the GCC, Indian contractors, Indian customers whose data the GCC processes locally — all of these individuals are data principals under the DPDP Act. Their data does not benefit from the carve-out. And because most shared infrastructure systems do not cleanly separate Indian and non-Indian data at the processing layer, GCCs cannot simply invoke the carve-out to cover everything and move on.

The compliance work has to be done. The question is whether it can be done in four months.


#What Happens on November 13, 2026

The Consent Manager framework does not immediately impose consent obligations on all data fiduciaries. What activates on November 13 is the registration and oversight regime for Consent Managers themselves — the window opens for entities to register with the DPBI, and the technical standards for interoperability come into force.

The full substantive compliance obligations — consent notices, data principal rights, breach notification, and the penalty provisions — are scheduled for May 13, 2027, at the end of the Act's 18-month transition period.

This phasing might tempt GCC compliance teams to defer action. That would be a mistake for two reasons.

One: MeitY has been floating a proposal, discussed at a January 2026 stakeholder consultation and reported by Mondaq, to compress the compliance window for Significant Data Fiduciaries. Under that proposal, entities classified as SDFs — which would include many large GCCs given their data volumes — could face an accelerated November 2026 deadline for substantive compliance, six months ahead of the general schedule. The SDF list has not been published, but the criteria (volume of data processed, use of AI for profiling, operating at scale) describe a large share of India's GCC population.

Two: The consent manager architecture is not a policy paper exercise. Building the technical capability to receive consent signals from multiple registered Consent Managers requires changes to identity management systems, API integrations, data architecture, and vendor contracts. Given the approval chains, procurement cycles, and global technology governance that govern most multinational companies, four months is, at best, enough time to complete a project that started planning three months ago.


#The GDPR Overlay Makes This More Complicated, Not Less

Many of India's largest GCCs serve European parent companies subject to the General Data Protection Regulation. These companies often assume that GDPR compliance provides sufficient coverage for India, since the two frameworks share concepts — consent, purpose limitation, data subject rights, breach notification.

The assumption is partly correct and partly dangerous. GDPR and the DPDP Act differ in important ways. GDPR recognizes six lawful bases for processing personal data, with consent being just one. The DPDP Act treats consent as the primary — in most cases, the only — lawful basis for processing. A GCC that has documented "legitimate interests" as its GDPR basis for processing employee monitoring data may have no DPDP-compliant basis for the same activity under Indian law.

The Consent Manager framework adds a third layer of divergence. GDPR has no equivalent construct. EU-parented GCCs that have built consent management platforms for GDPR compliance may find that those platforms do not map to the DPDP Consent Manager specification, which requires registration in India, interoperability with the DPBI's systems, and data-blind operation under Indian governance requirements.

Convergence between GDPR and DPDP Act compliance is possible, but it requires deliberate architecture, not the assumption that one framework's compliance automatically satisfies the other. The Consent Manager framework analysis from Bar and Bench makes clear that GCCs operating in India need India-specific legal and technical assessment, not a copy-paste of their European playbooks.


#What GCCs Should Be Doing Right Now

The ALMT Legal analysis identifies four priority actions for GCCs ahead of November 2026. These are not aspirational — they are the minimum architecture required to receive a Consent Manager signal and act on it.

Map the Indian data principal population. Identify every processing activity within the GCC that involves personal data of Indian residents — employees, contractors, Indian customers whose data is processed locally. This is the boundary of the Act's application and the starting point for all compliance decisions.

Assess the contractual basis for foreign data streams. For processing activities that involve foreign personal data under contract with the parent entity, document the basis for relying on the carve-out. This is a legal analysis, not a technical one, but it must be done formally to provide a defensible record.

Build for interoperability, not a single integration. The architecture question is not "which Consent Manager will we use" but "how will our systems receive consent signals from any registered Consent Manager." This requires an API-based approach that treats the Consent Manager as an external service, not a single approved vendor.

Review the Significant Data Fiduciary exposure. If the GCC meets the threshold criteria — processing personal data at significant scale, using AI for profiling, operating in sensitive sectors like healthcare or finance — the compliance window may be compressed to November 2026, not May 2027. Get a legal opinion before the MeitY notification arrives.

The DPDP Act's /resources page and the DPBI's published technical standards are the authoritative sources for the technical specifications of Consent Manager interoperability. Organizations building a consent management platform for DPDP compliance should review those specifications before committing to any vendor solution.


#The Broader Signal

India's approach to privacy regulation is moving faster than most multinationals anticipated when the DPDP Act was passed in August 2023. The rules arrived in November 2025. The Data Protection Board has been constituted. The consent manager framework is four months from activation. MeitY is considering accelerating the timeline for large data fiduciaries.

The regime is no longer theoretical. For GCCs — companies that process the personal data of nearly two million Indian professionals — the compliance question is no longer whether to act but how fast. The Bar and Bench analysis from July 3 is the first dedicated roadmap for the GCC sector. It will not be the last. The next one may arrive alongside an enforcement action.


Sources: Bar and Bench, July 3, 2026 | Mondaq — MeitY timeline compression | India Briefing — DPDP compliance timeline | NASSCOM GCC Landscape 2026

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial