Navigating Compliance Challenges: A Roadmap for GCCs in Regulatory Frameworks

Posted On - 3 September, 2024 • By - Aurelia Menezes

Data Localization and Cross-Border Data Transfer Compliance

  • Legal Framework: Data localization and cross-border data transfers in India are governed by the “Information Technology Act, 2000,” the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011” (SPDI Rules), and the “Personal Data Protection Bill, 2019” (PDPB) (expected to be enacted as the Personal Data Protection Act). The GCC, especially if handling sensitive personal data or information (SPDI), must ensure compliance with data localization norms and restrictions on cross-border data transfers.
  • Data Localization Requirements: The GCC must comply with data localization requirements under the PDPB, which mandates that certain categories of personal data (critical personal data) must be stored and processed only in India. Sensitive personal data can be transferred outside India only under specific conditions and with explicit consent from the data subject.
  • Cross-Border Data Transfer: The GCC must ensure that any transfer of personal data outside India is in compliance with the SPDI Rules and the PDPB. This includes obtaining necessary approvals, ensuring adequate protection levels in the recipient country, and executing standard contractual clauses with the data recipient.
  • Data Retention and Deletion: The GCC must adhere to data retention norms as prescribed under the IT Act and the PDPB, ensuring that personal data is retained only as long as necessary for the purposes for which it was collected. Once the retention period expires, data must be securely deleted or anonymized.
  • Privacy Impact Assessment (PIA): The GCC should conduct a PIA for all data processing activities, particularly those involving cross-border data transfers, to assess and mitigate privacy risks. The PIA should be documented and reviewed periodically.

Employment Law and Labour Compliance

  • Employment and labour laws in India are governed by multiple statutes, including the “Industrial Disputes Act, 1947,” the “Factories Act, 1948,” the “Payment of Wages Act, 1936,” the “Minimum Wages Act, 1948,” the “Employees’ Provident Funds and Miscellaneous Provisions Act, 1952,” and the “Code on Wages, 2019” (which is part of the new labour codes expected to be fully implemented soon).
  • Compliance: The GCC must ensure that all employment contracts comply with the provisions of the Indian Contract Act, 1872, and labour laws. Contracts should clearly define terms of employment, wages, working hours, leave entitlements, termination conditions, and dispute resolution mechanisms.
  • Wage Compliance: The GCC must comply with the minimum wage requirements as stipulated under the Minimum Wages Act and the Code on Wages. The GCC must register with the Employees’ Provident Fund Organization (EPFO) and the Employees’ State Insurance Corporation (ESIC) to provide social security benefits to eligible employees. This includes timely contributions to the Provident Fund, Employees’ Pension Scheme, and the ESIC, as well as maintaining accurate records.
  • Occupational Health and Safety (OHS): The GCC must ensure a safe working environment in compliance with the Factories Act, 1948, and the Occupational Safety, Health and Working Conditions Code, 2020. This includes implementing safety protocols, conducting regular safety audits, and providing necessary training to employees.
  • Dispute Resolution and Grievance Redressal: The GCC must establish internal mechanisms for resolving employment disputes and grievances, in compliance with the Industrial Disputes Act and the new labour codes. This includes forming Grievance Redressal Committees and adhering to the dispute resolution processes prescribed by law.

Environmental Law Compliance

  • Environmental regulations in India are governed by the “Environment (Protection) Act, 1986,” the “Air (Prevention and Control of Pollution) Act, 1981,” the “Water (Prevention and Control of Pollution) Act, 1974,” and the “Hazardous and Other Wastes (Management and Transboundary Movement) Rules, 2016.” If the GCC’s operations involve any environmental impact, it must comply with applicable environmental laws, obtain necessary clearances, and implement pollution control measures.
  • Environmental Clearances: The GCC must obtain environmental clearances from the Ministry of Environment, Forest, and Climate Change (MoEFCC) or the State Environmental Impact Assessment Authority (SEIAA) for any projects that have significant environmental impacts. This includes conducting Environmental Impact Assessments (EIAs) and public consultations as required under the Environment (Protection) Act.
  • Pollution Control: The GCC must ensure compliance with the Air and Water Acts by obtaining the necessary consents from the State Pollution Control Board (SPCB) or the Pollution Control Committee (PCC). This includes implementing pollution control measures, monitoring emissions and effluents, and submitting periodic reports to the authorities.
  • Hazardous Waste Management: If the GCC generates hazardous waste, it must comply with the Hazardous and Other Wastes Rules, 2016. This includes obtaining authorization from the SPCB, maintaining records of waste generation, storage, treatment, and disposal, and submitting annual returns.
  • Sustainability Initiatives: The GCC should adopt sustainability practices, such as waste minimization, water and energy conservation, and the use of renewable energy sources, in line with global best practices and corporate social responsibility commitments.

Anti-Bribery and Corruption Compliance

  • Anti-bribery and corruption laws in India are governed by the “Prevention of Corruption Act, 1988,” the “Companies Act, 2013,” and the “Lokpal and Lokayuktas Act, 2013.” The GCC must ensure that its operations and employees comply with anti-bribery and corruption laws, avoiding any involvement in corrupt practices.
  • Anti-Bribery Policy: The GCC must adopt and enforce an anti-bribery policy in compliance with the Prevention of Corruption Act. This policy should clearly outline prohibited conduct, including offering, accepting, or soliciting bribes, and establish procedures for reporting and investigating suspected bribery incidents.
  • Third-Party Due Diligence: The GCC must conduct due diligence on third-party vendors, contractors, and partners to ensure that they comply with anti-corruption laws. This includes obtaining representations and warranties in contracts, conducting periodic audits, and implementing monitoring mechanisms.
  • Training and Awareness: The GCC must provide regular training to employees on anti-bribery laws and the company’s anti-bribery policy. Employees should be made aware of the consequences of engaging in corrupt practices and encouraged to report any suspicious activities through a whistleblower mechanism.
  • Internal Controls and Reporting: The GCC must implement internal controls to prevent, detect, and report bribery and corruption. This includes maintaining accurate financial records, conducting regular audits, and reporting any incidents of bribery to the relevant authorities.

Cybersecurity and Information Technology Compliance

  • Cybersecurity and IT compliance in India are governed by the “Information Technology Act, 2000,” the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021,” and the “Cybersecurity Framework by CERT-In.” The GCC must ensure the protection of its IT infrastructure, data, and information systems from cyber threats and comply with applicable cybersecurity regulations.
  • Cybersecurity Policy: The GCC must implement a comprehensive cybersecurity policy that aligns with the guidelines issued by the Indian Computer Emergency Response Team (CERT-In). This policy should cover aspects such as access controls, data encryption, incident response, and disaster recovery.
  • Data Protection and Privacy: The GCC must ensure the protection of personal data and sensitive information in compliance with the IT Act and the PDPB. This includes implementing data encryption, secure data storage, and access control measures.
  • Incident Reporting: In the event of a cybersecurity breach, the GCC must report the incident to CERT-In as per the mandatory reporting requirements. The GCC should also have an incident response plan in place to mitigate the impact of the breach and prevent future occurrences.
  • Employee Training and Awareness: The GCC must provide regular cybersecurity training to its employees to ensure they are aware of the latest threats, phishing scams, and safe practices for handling sensitive information. Employees should also be trained on the company’s IT policies and incident reporting procedures.
  • Code of Conduct: The GCC must develop and implement a Code of Conduct that sets forth the ethical principles and legal standards expected of all employees, contractors, and agents. The Code should address issues such as bribery, corruption, conflicts of interest, and confidentiality.
  • Whistleblower Policy: The GCC must establish a whistleblower policy in accordance with the Companies Act, 2013, and the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. The policy should provide a secure and confidential channel for employees to report unethical conduct or legal violations without fear of retaliation.
  • Ethics Committees and Compliance Officers: The GCC should appoint ethics committees and compliance officers to oversee the implementation of the ethics and compliance program. These individuals should be responsible for investigating allegations of misconduct, conducting compliance audits, and ensuring adherence to the Code of Conduct.
  • Monitoring and Reporting: The GCC must implement mechanisms to monitor compliance with the ethics and compliance program. This includes regular audits, compliance reports, and corrective actions in cases of non-compliance.

Health, Safety, and Environmental Compliance

  • Health, safety, and environmental (HSE) compliance in India is governed by the “Environment Protection Act, 1986,” the “Factories Act, 1948,” the “Occupational Safety, Health and Working Conditions Code, 2020,” and various state-level regulations. 
  • Environmental Impact Assessments (EIA): If the GCC’s operations involve significant environmental impact, it must conduct an Environmental Impact Assessment (EIA) as per the EIA Notification, 2006, under the Environment Protection Act. The EIA report must be submitted to the Ministry of Environment, Forest and Climate Change (MoEFCC) for approval.
  • Pollution Control and Waste Management: The GCC must comply with the Air (Prevention and Control of Pollution) Act, 1981, the Water (Prevention and Control of Pollution) Act, 1974, and the Hazardous Waste Management Rules, 2016. This includes obtaining necessary consents from the Pollution Control Board and ensuring proper waste management practices.
  • Occupational Health and Safety (OHS): The GCC must implement OHS policies and practices in accordance with the Occupational Safety, Health and Working Conditions Code, 2020. This includes providing a safe working environment, conducting risk assessments, and ensuring the use of personal protective equipment (PPE).
  • Emergency Response Plans: The GCC must develop and implement emergency response plans to address potential health, safety, and environmental incidents. This includes fire safety drills, spill response procedures, and evacuation plans.
  • Compliance Audits: The GCC must conduct regular HSE compliance audits to ensure adherence to environmental laws and occupational safety standards. This includes monitoring emissions, waste disposal, and workplace safety practices.

Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Compliance

  • AML and CTF compliance in India are governed by the “Prevention of Money Laundering Act, 2002” (PMLA), the “Unlawful Activities (Prevention) Act, 1967” (UAPA), and guidelines issued by the Financial Intelligence Unit-India (FIU-IND).
  • Customer Due Diligence (CDD): The GCC must implement customer due diligence procedures to verify the identity of clients, customers, and business partners. This includes conducting KYC (Know Your Customer) checks, monitoring transactions, and maintaining records as required under the PMLA.
  • Suspicious Transaction Reporting (STR): The GCC must report suspicious transactions to the FIU-IND in accordance with the PMLA. This includes transactions that are unusually large, involve high-risk countries, or appear to lack a legitimate purpose.
  • Sanctions Screening: The GCC must conduct sanctions screening against lists issued by the United Nations, the Indian government, and other relevant authorities. This includes ensuring that the GCC does not engage in transactions with sanctioned individuals, entities, or countries.
  • AML/CTF Training: The GCC must provide regular training to employees, particularly those involved in financial transactions, on AML and CTF laws, red flags, and reporting obligations.
  • Collaboration with Authorities: The GCC must cooperate with law enforcement agencies and regulatory authorities in AML/CTF investigations. This includes providing information, responding to requests, and ensuring that records are available for inspection.

Labour and Employment Law Compliance

  • Labour and employment laws in India are governed by the “Industrial Disputes Act, 1947,” the “Minimum Wages Act, 1948,” the “Employees’ Provident Funds and Miscellaneous Provisions Act, 1952,” the “Payment of Gratuity Act, 1972,” and the “Code on Social Security, 2020.” 
  • Employment Contracts: The GCC must ensure that all employment contracts comply with Indian labour laws, including provisions for wages, hours of work, leave entitlements, and termination conditions. The contracts should also address issues such as non-compete clauses, confidentiality, and intellectual property rights.
  • Wages and Benefits: The GCC must comply with the Minimum Wages Act and other relevant laws to ensure that employees are paid fair wages. This includes providing statutory benefits such as provident fund contributions, gratuity, and maternity leave.
  • Workplace Safety and Welfare: The GCC must comply with the Occupational Safety, Health and Working Conditions Code, 2020, to ensure a safe and healthy working environment. This includes providing adequate ventilation, sanitation facilities, and protective equipment.
  • Employee Grievance Redressal: The GCC must establish a grievance redressal mechanism in accordance with the Industrial Disputes Act and other relevant laws. This includes setting up internal committees to address employee complaints and disputes.
  • Social Security Compliance: The GCC must comply with the Code on Social Security, 2020, which mandates contributions to provident funds, pension schemes, and insurance for employees. This also includes timely payment of contributions and filing of returns with the Employees’ Provident Fund Organisation (EPFO).
  • Compliance with Equal Opportunity Laws: The GCC must ensure compliance with laws related to equal opportunity, non-discrimination, and prevention of sexual harassment. This includes implementing policies in line with the “Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013,” and ensuring that all employees are treated fairly regardless of gender, caste, or religion.

Data Localization and Sovereignty

  • Data localization in India is governed by the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011” under the IT Act, 2000, and sector-specific regulations such as the Reserve Bank of India’s guidelines on payment data. The GCC must ensure that data collected and processed within India complies with data localization requirements, particularly in sectors such as banking, finance, and telecommunications.
  • Storage of Sensitive Data: The GCC must ensure that sensitive personal data and critical information are stored on servers located within India as per the IT Rules and any sector-specific regulations. This includes financial data, health records, and government-related data.
  • Cross-Border Data Transfers: The GCC must comply with legal requirements for cross-border data transfers, including obtaining consent from data subjects and ensuring that the recipient country provides adequate data protection. This may involve entering into Standard Contractual Clauses (SCCs) or other data transfer agreements.
  • Compliance with RBI Guidelines: If the GCC operates in the financial sector, it must comply with the RBI’s guidelines on data localization, particularly regarding payment data. This includes ensuring that payment-related data is stored only in India and reporting any data breaches to the RBI.
  • Sector-Specific Compliance: The GCC must ensure compliance with any sector-specific data localization

Conclusion

Navigating the complex regulatory landscape is crucial for Global Capability Centers (GCCs) operating in India. Compliance with the various frameworks discussed above, including data localization, employment law, environmental regulations, and anti-bribery statutes, is essential not only to avoid legal penalties but also to maintain operational integrity and corporate reputation. By proactively addressing these compliance challenges through robust policies, regular audits, and employee training, GCCs can remain aligned with both local and international legal standards, thereby safeguarding their operations and fostering sustainable growth.

Contributed by – Sambhram Shetty

King Stubb & Kasiva,
Advocates & Attorneys
