Vahura Insights

As India’s leading executive search firm, we have noticed that Global Capability Centers (GCCs) are making their first legal hires. Yet, compliance is an area that hasn’t received as much attention as legal. 

Legal and compliance roles may overlap, but they serve distinct functions. Legal teams handle contracts, disputes, regulatory filings, and strategic advice, often addressing issues as they arise. Compliance, meanwhile, focuses on proactively ensuring adherence to laws, regulations, and ethical standards by identifying risks and setting up preventive systems.

When it comes to GCCs, compliance has historically taken a backseat since these centres were initially focused on cost-efficient operations. But as they evolve into innovation hubs and take on more strategic roles in the organisational network, there is increasing awareness of the need to be less reactive and more proactive about regulatory risk management. That’s where the role of the Compliance Officer comes to the forefront. 

Why compliance frameworks are crucial in India

The compliance landscape in India is far more complex and extensive than many companies initially anticipate. Beyond adhering to basic corporate laws, organisations must also navigate a regulatory environment that places significant emphasis on critical areas like Prevention of Sexual Harassment (POSH) compliance, Anti Money-Laundering (AML) regulations, data privacy, and governance frameworks.

Non-compliance can have serious legal and reputational consequences. Companies have been known to pay hefty fines and be forced to enter into draining legal battles for not having their house in order. PwC’s State of Compliance 2023 Survey found that 70%-80% of companies face compliance challenges, primarily related to regulatory changes and managing operational risks. Non-compliance with various regulatory frameworks in India can result in significant penalties, often depending on the specific laws being violated. For example, penalties for non-compliance under the Digital Personal Data Protection Act can range from INR 10000 to INR 250 crore, depending on the nature and severity of the violation.

Building a culture of compliance and ethical practice

While legal teams ensure a company’s broader obligations are met, compliance officers take a more proactive role by identifying and mitigating risks before they become problems. This includes developing systems and processes that prevent non-compliance, such as implementing anti-bribery measures, ensuring data privacy, or setting up financial monitoring to avoid fraud. For GCCs, embedding compliance into their operational framework from the start helps them stay ahead of local and international regulatory requirements. A proactive and strategic approach to housekeeping ensures that there are fewer obstacles in the growth path of GCCs.

Why GCCs need compliance from the start

At Vahura, we strongly believe that compliance shouldn’t be an afterthought—it should be integral to the foundation of a GCC. The 2024 Ethics & Compliance Program Effectiveness Report, a recent study by US-based compliance and ethics advisory LRN Corporation, highlights that organisations with high-performing ethics and compliance (E&C) programs see significantly improved business outcomes, including reduced risks. Specifically, companies with robust compliance systems are not only less likely to face legal and regulatory issues, but they are also more likely to improve operational performance.

A case of non-compliance: €35 Million fine for employee data privacy breach

In an example of non-compliance with data privacy laws, the German subsidiary of a European retail company faced a substantial fine due to extensive and unauthorised monitoring of its employees. The company, which operates several service centers in Germany, was found to have collected and stored detailed personal information on hundreds of its employees. This data, which included sensitive information such as vacation experiences, illness symptoms, and medical diagnoses, was kept in network drives for performance evaluations dating back several years.

The local data protection authority investigated the matter and found that the company had violated privacy regulations by excessively monitoring its employees, storing personal data without consent, and failing to comply with data protection laws. As a result, the company was fined €35.2 million. The fine sent out a strong message about adhering to the General Data Protection Regulation (GDPR) and similar regulations.

Conclusion

The experience of the retail giant may resonate with India-based GCCs because similar kinds of data may be processed here. Even though the data protection law is new to India and there isn’t much evidence of how it may work in practice, it will be prudent for India-based GCCs to have systems in place to ensure compliance. A Compliance Officer can be key to such initiatives.

Overall, staying on top, and even ahead of, regulatory requirements can work out as a big competitive advantage for organisations. Healthy compliance practices ensure that the company can focus on core competencies and growth. The compliance function itself benefits greatly from a strategic approach. It is no longer merely about dotting the i’s and crossing the t’s. It’s about compliance leaders having a seat at the table and contributing proactively to what the future of service delivery from India-based GCCs could look like.
