dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.

Data Fiduciary Obligations Under DPDP Act India: Complete Guide 2025 | KavachOne
⚖️ Data Fiduciary Guide

Data Fiduciary Obligations Under India's DPDP Act

If your organisation determines why and how personal data is processed — you are a Data Fiduciary under India's DPDP Act 2023. Section 8 of the Act lays out comprehensive obligations covering consent, purpose limitation, security, accuracy, storage limits, breach response, and the rights of every individual whose data you hold. Non-compliance carries penalties up to ₹250 crore.

⚖️ Data Fiduciary Obligations: 7 Core Duties
  • 🤝 Collect lawfully & with consent (§6–7)
  • 🎯 Purpose limitation (§8(2))
  • ✏️ Data accuracy (§8(3))
  • 🔒 Security safeguards (§8(5))
  • 🗑️ Data erasure when purpose ends (§8(7))
  • 🚨 Breach notification (§8(6))
  • 👤 Data principal rights response (§11–14)

  • 7: Core Data Fiduciary Obligations
  • ₹250 Cr: Maximum DPDP Penalty
  • §8: Primary Section Governing DF Duties
  • 72 Hrs: Breach Notification to DPB
  • SDF: Additional Duties for Significant DFs
Who Is a Data Fiduciary?

Data Fiduciary vs Data Processor — Know Your Role

Your DPDP obligations depend entirely on which role your organisation plays. Getting this wrong is one of the most common compliance mistakes in India.

🏛️ Data Fiduciary (§2(i) DPDP Act)
"Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."
  • A bank that collects and uses customer KYC and transaction data
  • An e-commerce company that processes buyer purchase and delivery data
  • A hospital that maintains patient health records for treatment
  • A fintech startup that uses customer data to build credit scores
  • An EdTech platform that processes student learning data for analytics
  • An insurance company that collects policyholder health declarations
  • A social media platform processing user content and behaviour
  • All §8 obligations apply fully to Data Fiduciaries
⚙️ Data Processor (§2(k) DPDP Act)
"Any person who processes personal data on behalf of a Data Fiduciary."
  • A cloud provider hosting a bank's customer data (processes, doesn't decide purpose)
  • A BPO handling customer support calls on behalf of a telecom company
  • An analytics vendor processing website visitor data for a retailer
  • A payroll processing company running HR data for an employer
  • An email delivery platform sending transactional emails on behalf of a SaaS
  • A call centre conducting customer surveys on a company's behalf
  • Processors must be bound by a Data Processing Agreement (DPA)
  • Processors have fewer direct obligations — but significant contractual ones
§8 Obligations

The 7 Core Data Fiduciary Obligations

Section 8 of the DPDP Act establishes the foundational duties of every Data Fiduciary. Each obligation is enforceable by the Data Protection Board; each is set out below with its full requirements and action points.

1. 🤝 Collect Personal Data Lawfully
Valid consent or Legitimate Use required before any collection
§6, §7
Before collecting any personal data, a Data Fiduciary must establish a valid legal basis — either explicit, informed consent under §6 or a Legitimate Use ground under §7. Processing without a valid legal basis is the most fundamental DPDP violation. Consent must be freely given, specific to each purpose, and as easy to withdraw as to give.
  • Map every data collection point to a legal basis (Consent or Legitimate Use)
  • Deploy DPDP-compliant consent notices at every collection point
  • Collect only the minimum data necessary for the stated purpose
  • Maintain a consent audit log with timestamp and version
  • Enable one-click consent withdrawal for all consent-based processing
  • Document Legitimate Use grounds in ROPA for non-consent processing
⚠️ Penalty for processing without consent: Up to ₹200 crore
2. 🎯 Limit Processing to Stated Purpose
No secondary use beyond the purpose for which data was collected
§8(2)
Personal data collected for a specific purpose must only be used for that purpose. A Data Fiduciary cannot repurpose data without obtaining fresh consent for the new purpose. This applies to analytics, cross-sell, product development, and any other secondary use that goes beyond what was originally communicated to the data principal.
  • Document the specific purpose for every data collection activity in ROPA
  • Implement technical controls preventing use of data beyond stated purposes
  • Obtain fresh consent before repurposing data for new uses
  • Audit analytics and data science workflows for purpose compliance
  • Train product and engineering teams on purpose limitation requirements
  • Review any data-sharing arrangements for purpose consistency
⚠️ Penalty for purpose violation: Up to ₹150 crore
3. ✏️ Ensure Data Accuracy & Completeness
Reasonable steps to ensure data is accurate, complete, and consistent
§8(3)
Data Fiduciaries must take reasonable steps to ensure personal data is accurate and complete — especially where it is likely to be used for decisions that materially affect the data principal. This obligation intersects with the data principal's Right to Correction — inaccurate data must be corrected on request within 30 days.
  • Implement periodic data quality review processes for key customer records
  • Provide self-service profile update mechanisms for data principals
  • Process Right to Correction requests within 30 days
  • Propagate corrections to all processors holding the data
  • Flag data of uncertain accuracy in automated decision systems
  • Validate data at point of collection to reduce inaccuracy at source
⚠️ Penalty for accuracy violations: Up to ₹150 crore
4. 🔒 Implement Appropriate Security Safeguards
Technical and organisational measures proportionate to the risk
§8(5)
Every Data Fiduciary must implement reasonable security safeguards to prevent personal data breaches — including unauthorised access, disclosure, alteration, and destruction. Safeguards must be proportionate to the sensitivity of the data processed and the risks of breach. The DPDP Act imposes the highest penalty in the legislation for failures to implement adequate security.
  • Encrypt personal data at rest and in transit — especially sensitive PII
  • Implement access controls — role-based, least-privilege principles
  • Deploy intrusion detection and security monitoring systems
  • Conduct regular penetration testing and vulnerability assessments
  • Implement data loss prevention (DLP) controls for personal data
  • Security review for every new product or feature processing personal data
⚠️ Penalty for security failures: Up to ₹250 crore — highest in the Act
5. 🗑️ Erase Data When Purpose Is Fulfilled
Personal data must not be retained beyond its processing purpose
§8(7)
A Data Fiduciary must erase personal data — and direct its processors to erase — as soon as it is reasonable to believe that the purpose for which it was collected is no longer served. Consent withdrawal also triggers erasure unless another legal basis applies. Data cannot be retained indefinitely simply because it may be useful in the future.
  • Define and document retention periods for every data category in ROPA
  • Implement automated data deletion triggers based on retention schedules
  • Instruct processors to delete data when the purpose ends — require deletion certificates
  • Process Right to Erasure requests within 30 days
  • Maintain deletion logs as evidence of compliance for DPB
  • Review backup and archive policies — retention applies to backups too
⚠️ Penalty for unlawful retention: Up to ₹150 crore
6. 🚨 Notify Data Breaches to DPB & Principals
72-hour DPB notification and full affected-principal notification
§8(6)
On becoming aware of a personal data breach — any unauthorised access, disclosure, alteration, or destruction of personal data — the Data Fiduciary must notify the Data Protection Board within 72 hours. Every affected data principal must also be notified. Notification must include the nature of the breach, data affected, likely impact, and remediation steps taken.
  • Maintain a documented breach detection and escalation process
  • Train incident response team on 72-hour DPB notification requirement
  • Prepare DPB and data principal notification templates in advance
  • Integrate breach response with ConsentiQo for automated principal notification
  • Conduct annual breach response simulation (tabletop exercise)
  • Maintain breach register — even breaches not requiring DPB notification
⚠️ Penalty for failure to notify: Up to ₹200 crore
7. 👤 Fulfil Data Principal Rights
Access, correction, erasure, portability, nomination, grievance — all within 30 days
§11–14
Data Fiduciaries must honour all seven data principal rights under §11–14: the right to access a summary of data held, correction of inaccurate data, erasure, portability, nomination, grievance redressal, and consent withdrawal. All rights must be fulfilled within 30 days (except consent withdrawal which must be actioned immediately) at no cost to the data principal.
  • Deploy a Data Principal Rights Portal for self-service request submission
  • Publish DPO / Grievance Officer contact details on website and privacy notice
  • Implement DSAR intake, routing, and 30-day deadline tracking system
  • Integrate ROPA with rights fulfilment for data location and compilation
  • Instruct all processors to cooperate with rights requests within 5 days
  • Maintain a DSAR register — every request, response, and outcome logged
⚠️ Penalty for rights violations: Up to ₹150 crore
Significant Data Fiduciary

Standard DF vs Significant Data Fiduciary — What Changes?

The DPDP Act creates a two-tier system. Significant Data Fiduciaries (SDFs) — notified by the Central Government — face additional obligations beyond the standard §8 duties.

🏛️ Standard Data Fiduciary
  • 🤝 Consent / Legitimate Use — required before any processing
  • 🔒 Security safeguards — proportionate to data sensitivity
  • 🚨 72-hour breach notification to DPB + affected principals
  • 👤 Rights fulfilment — 7 data principal rights within 30 days
  • 📋 ROPA maintenance — records of processing activities
  • 🗑️ Data erasure when purpose is fulfilled
  • 🔗 DPA with processors — contractual binding of all processors

⭐ Significant Data Fiduciary — All Above PLUS:
  • 👤 Data Protection Officer (DPO) [Additional]: DPO resident in India, reports to Board, published contact
  • Annual Data Protection Impact Assessment [Additional]: mandatory for all significant processing, not just high-risk
  • 🔍 Independent Data Audit [Additional]: annual audit by empanelled Data Auditor reporting to DPB
  • 📊 Algorithmic Transparency [Additional]: publish information on algorithms used in significant data processing
  • 📝 Periodic DPB Reporting [Additional]: mandatory compliance reports to Data Protection Board
  • 🌐 Cross-Border Transfer Restrictions [Additional]: enhanced restrictions on transferring SDF data outside India
Who Becomes an SDF?
  • 📊 Volume of Data: Processing personal data of very large numbers of data principals — likely millions for consumer-facing platforms
  • 🔐 Sensitivity of Data: Processing sensitive categories at scale — financial, health, biometric, or children's data at significant volume
  • 🇮🇳 National Security Risk: Data whose compromise could impact national security, public order, or sovereignty of India
  • 🏗️ Critical Infrastructure: Processing data essential to critical national infrastructure — power grids, financial systems, telecom, healthcare
  • ⚠️ Systemic Risk: Processing that, if misused or breached, could cause significant harm to a large number of people simultaneously
  • 🌍 Cross-Border Impact: Processing that involves significant transfer of Indians' personal data outside India or creates international risk
Penalties

DPDP Penalty Schedule for Data Fiduciaries

The DPDP Act's penalty framework is among the most significant in Indian regulatory history. Know exactly what each violation costs — before it happens.

Violation | DPDP Section | Maximum Penalty | Key Mitigation Evidence
Failure to implement adequate security safeguards | §8(5) | ₹250 Crore | ISO 27001 certification, DPIA evidence, penetration test reports, security architecture documentation
Processing children's data without verifiable parental consent | §9 | ₹200 Crore | Age verification system, parental consent audit log, cessation of processing on discovery
Failure to notify DPB and principals of data breach | §8(6) | ₹200 Crore | Breach response plan, 72-hour notification evidence, principal notification logs from ConsentiQo
Processing personal data without valid consent or Legitimate Use | §6, §7 | ₹200 Crore | Consent audit log with timestamps, ROPA documenting legal basis for all processing activities
Failure to fulfil data principal rights (access, correction, erasure, portability) | §11–12 | ₹150 Crore | DSAR register with response timestamps, Rights Portal audit log, DPO review evidence
Non-compliance with additional Significant Data Fiduciary obligations | §10 | ₹150 Crore | DPO appointment records, annual DPIA reports, Data Auditor engagement letters, DPB reports
Violations by Data Processors acting on behalf of a Data Fiduciary | §8(3) | ₹10 Crore | DPA with processor, TPRA evidence, contractual breach notification obligations
Implementation Checklist

Data Fiduciary Compliance Checklist

24 actions across 6 categories — the foundational checklist every Data Fiduciary should complete before the DPDP Act's penalty provisions are enforced.

🤝 Consent Architecture
  • All data collection points mapped to legal basis
  • DPDP-compliant consent notices deployed
  • ConsentiQo collecting and logging consent
  • One-click withdrawal mechanism live

📋 Records & Documentation
  • ROPA complete — all 12 mandatory fields
  • Purpose documented for every data collection
  • Retention schedules defined and enforced
  • Privacy notice updated to DPDP standards

🔒 Security Safeguards
  • Encryption for PII at rest and in transit
  • Access controls and least-privilege enforced
  • Annual penetration testing completed
  • PII Scanner monitoring all data stores

👤 Data Principal Rights
  • Rights Portal live for all data principals
  • DSAR intake and 30-day tracking active
  • Grievance Officer / DPO contact published
  • DSAR register maintained and current

🚨 Breach Response Readiness
  • Breach response plan documented and tested
  • 72-hour DPB notification workflow ready
  • Principal notification via ConsentiQo configured
  • Annual breach simulation conducted

🔗 Third-Party Governance
  • Vendor inventory complete — all processors identified
  • DPAs executed with all processors
  • TPRA assessments for Tier 1–2 vendors
  • Vendor breach notification SLAs agreed

Meet Every Data Fiduciary Obligation with KavachOne

KavachOne's Privacy Suite is the only platform built specifically to address every Data Fiduciary obligation under India's DPDP Act — consent management, PII scanning, ROPA, DPIA, TPRM, breach response, and data principal rights, all in one integrated platform with a live compliance score.

FAQs

Common Questions: Data Fiduciary Obligations

Can a single organisation be both a Data Fiduciary and a Data Processor at the same time?
Yes — an organisation can simultaneously hold both roles for different data flows. For example, a cloud SaaS company processes its customers' data as a Data Processor (acting on behalf of its enterprise customers), but processes its own employees' HR data and its own customers' account data as a Data Fiduciary (deciding the purpose and means). In practice, many organisations need to identify each data flow separately and determine the correct role for each — their ROPA should clearly distinguish between data processed as a Fiduciary and data processed as a Processor.
If a Data Processor causes a breach, who is liable under DPDP — the Fiduciary or the Processor?
The Data Fiduciary remains primarily liable to the DPB and to affected data principals — even if the breach occurred due to the processor's failure. The DPDP Act's notification obligations and penalty provisions run against the Fiduciary, not the Processor. However, if the breach resulted from the processor's failure to implement agreed security measures, the Fiduciary can seek recovery from the Processor under the contractual DPA. This is why DPAs must include clear security obligations, incident notification timelines (typically 24 hours from processor to fiduciary), liability, and indemnification provisions.
How does the DPDP Act define "reasonable" security safeguards — is ISO 27001 sufficient?
The DPDP Act does not prescribe a specific security standard — the obligation is to implement "reasonable security safeguards" proportionate to the nature and volume of personal data processed. ISO 27001:2022 certification is strong evidence of reasonable safeguards, and KavachOne strongly recommends it as a baseline for Data Fiduciaries processing significant volumes of personal data. However, ISO 27001 alone may not be sufficient for Significant Data Fiduciaries or those processing particularly sensitive data — additional sector-specific standards, enhanced technical controls, and annual DPIAs would typically be expected.
Does the DPDP Act apply to processing of employee personal data?
Yes — employers are Data Fiduciaries in relation to their employees' personal data. DPDP obligations apply to employee data collected during recruitment, employment, and post-employment. However, the DPDP Act recognises that many aspects of employment data processing — payroll, tax compliance, statutory reporting — fall under Legitimate Use grounds rather than requiring separate employee consent. Employers must map their employee data processing activities to Legitimate Use or consent basis, update employment contracts and privacy notices accordingly, and establish a mechanism for employees to exercise DPDP rights over their personal data.
When will the DPDP Act's penalty provisions actually come into force?
The DPDP Act received Presidential assent in August 2023, but its provisions — including the penalty framework — come into force through notification by the Central Government. As of 2025, the Data Protection Board is being constituted and the Rules under the Act are in the final stages of development. Most legal experts expect the Act's enforcement provisions to become operational in 2025–2026. Organisations should treat the present period as the compliance implementation window — those that are fully compliant before enforcement begins will have significant protection from the first wave of DPB scrutiny.