The GCC People Ops Compliance Checklist: POSH, Contract Labor, GDPR Data Flows, and More
May 4, 2026

India is now home to more than 2,100 global capability centers, and that number is climbing fast. With GCC revenue projected to cross $100 billion by 2030 and the workforce approaching three million professionals, the scale of what these centers manage (technically, commercially, and operationally) is staggering.
But scale brings scrutiny. People Ops teams at GCCs sit at the intersection of two legal realities: the labor regulations of the Indian state where the center operates, and the compliance frameworks their parent companies must satisfy at home, whether that's the EU's GDPR, the US's array of employment laws, or both. Getting that intersection right is not just a legal obligation. It is increasingly a prerequisite for the kind of trust that lets GCCs grow.
This checklist breaks down the most critical compliance domains GCC People Ops teams need to stay on top of in 2026.
GCC compliance in the People Ops context refers to the full set of legal obligations an organization must satisfy when managing a workforce at an India-based global capability center. It spans Indian labor laws (which vary by state, workforce size, and nature of work) alongside data protection regulations with global reach.
Unlike a domestic Indian employer, a GCC People Ops function typically must satisfy both: the standards of the Indian statute and the expectations of a global parent whose regulators may audit practices halfway around the world. That dual accountability makes compliance architecture, not just compliance awareness, the real priority.
The Sexual Harassment of Women at Workplace (Prevention, Prohibition, and Redressal) Act, 2013, commonly known as the POSH Act, mandates that every employer in India with 10 or more employees establish an Internal Complaints Committee (ICC), implement a written anti-harassment policy, conduct mandatory awareness programs, and file an annual report with the District Officer.
For GCCs, which almost uniformly exceed this threshold, POSH compliance is non-negotiable.
The compliance bar got higher. Effective July 14, 2025, amendments to the Companies (Accounts) Rules 2014 now require organizations to make detailed disclosures about POSH compliance—including the number of complaints filed, their resolution status, and the preventive measures in place—directly in the Board's Annual Report.
Earlier in 2025, the Supreme Court of India ordered a mandatory nationwide compliance survey, requiring organizations to certify their ICC status within six weeks of the order, with potential license renewal consequences for those found non-compliant.
For GCCs with operations across multiple locations, a separate ICC must exist at each establishment. This is a requirement that catches many organizations off guard as they scale.
The hybrid, project-based nature of GCC work makes contract labor a common staffing model. Many GCCs engage vendor-supplied workers, third-party consultants, or facility management staff under contract arrangements. The Contract Labour (Regulation and Abolition) Act, or CLRA, governs these arrangements for any establishment employing 20 or more contract workers on any day in the preceding 12 months.
Non-compliance can result in fines, imprisonment, and cancellation of registration. These are consequences that surface quickly during labor inspections or audits ahead of client reviews.
A GCC by definition processes data on behalf of its parent organization. That data very often includes the personal data of employees, customers, or citizens residing in the EU—which means GDPR applies, regardless of where the processing happens. A GCC in Bengaluru processing the HR records of European employees is a GDPR data processor, subject to the full weight of Article 28 obligations, including Data Processing Agreements, technical and organizational security measures, and data subject rights handling.
Simultaneously, India's Digital Personal Data Protection (DPDP) Act, with rules notified in November 2025, is now coming into force in phases through 2027, bringing a comparable domestic framework.
The good news: India's DPDP Act adopts a rights-based, accountability-driven approach that is broadly compatible with GDPR, making it possible to build a unified compliance program rather than two parallel ones. The key difference is that where GDPR offers six legal bases for processing, the DPDP Act relies primarily on consent and a narrow set of "legitimate uses." GCCs that are already GDPR-compliant should extend their data mapping and governance frameworks to cover Indian data subjects.
Before addressing any specialized compliance, GCC People Ops teams need clean operations on the basics. The Employees' Provident Fund (EPF) and Employees' State Insurance (ESI) schemes are mandatory for establishments above the applicable employee thresholds, and errors here are both common and costly.
India's labor law framework is simultaneously central and deeply local. The Shops and Establishments Act, for instance, is a state-level statute, meaning a GCC with offices in Karnataka, Maharashtra, and Telangana operates under three different sets of rules governing leave, working hours, overtime, and employee registers.
People Ops teams should maintain a state-by-state compliance calendar and ensure that registration certificates are current at each location. A GCC opening a new facility in a Tier-2 city, which is an increasingly common growth strategy, must complete this registration before commencing operations.
The Equal Remuneration Act, 1976 requires that men and women receive equal pay for the same or similar work. For GCCs benchmarking against global parent company pay structures, this is especially important: imported compensation bands that were not designed with Indian pay equity law in mind can inadvertently create compliance exposure.
This is also an area of increasing scrutiny from a governance standpoint. Parent companies subject to EU pay transparency requirements (the EU Pay Transparency Directive began phasing in for large organizations in 2026) must ensure their GCCs can produce reliable pay equity data on request.
The volume and variability of compliance obligations that GCC People Ops teams manage make manual tracking a genuine liability. A missed ICC report, a late EPF filing, or a data processing agreement that was never updated after a vendor change: these are the kinds of gaps that surface during audits and damage relationships with parent organizations.
Purpose-built workforce management platforms address this by centralizing compliance tracking, automating filing calendars, maintaining audit trails for every HR decision, and flagging anomalies in contractor records before they become violations.
Ceipal's workforce management platform is built for exactly this kind of operational complexity, helping GCC People Ops teams manage contract workforce compliance, maintain complete employment records, and keep hiring and onboarding workflows in sync with evolving regulatory requirements.
GCCs operating in India are subject to a range of central and state-level labor laws, including the POSH Act, the Contract Labour (Regulation and Abolition) Act, the Employees' Provident Funds Act, the Employees' State Insurance Act, the Shops and Establishments Act, and the Digital Personal Data Protection Act. They may also be subject to the EU's GDPR if they process personal data belonging to EU residents.
Yes. Any GCC that processes personal data on behalf of a parent organization located in the EU, or that processes data relating to EU residents, is subject to GDPR as a data processor. This includes executing Data Processing Agreements with the parent company and implementing appropriate technical safeguards.
The POSH Act (Sexual Harassment of Women at Workplace Act, 2013) requires every Indian employer with 10 or more employees to establish an Internal Complaints Committee, adopt a written anti-harassment policy, conduct employee awareness training, and file annual reports. GCCs must maintain separate ICCs at each office location and, as of July 2025, provide detailed POSH disclosures in their Board's Annual Report.
Not exactly. India's Digital Personal Data Protection Act, 2023 (DPDP Act) is India's domestic data protection law, drawing broad inspiration from GDPR but with important differences, including a narrower set of processing bases and a phased enforcement timeline running through May 2027. GDPR-ready organizations will find significant overlap but will need to adapt their programs to the DPDP Act's specific requirements.
The Contract Labour (Regulation and Abolition) Act, 1970 regulates the use of contract workers in India. GCCs that engage contractor-supplied staff must register as principal employers, ensure their contractors are licensed, maintain detailed records, and verify that contract workers receive statutory wages and amenities. Principal employers are jointly liable when contractors fail to comply.
The GCC growth story in India is compelling, but it does not run on momentum alone. The organizations that will sustain their competitive advantage are those that treat compliance not as a cost center but as a capability: one that enables faster onboarding, cleaner audits, stronger parent company trust, and a workforce culture grounded in accountability.
For People Ops teams navigating this landscape, the starting point is visibility: knowing exactly which regulations apply, at which thresholds, in which states, and on which timelines. From there, the work is operational, building the systems, records, and review cadences that keep the organization ahead of the calendar rather than behind it.