Authority Guides7 mins

Data Fiduciary Obligations Under DPDP Act 2023: An Authority Guide for General Counsel

A definitive legal reference on Data Fiduciary obligations under the DPDP Act 2023 and Rules 2025, detailing Section 8 accountability, processor liability allocation, and the 72-hour breach reporting mandate.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Executive Summary

With 310 days remaining until the 13 May 2027 hard compliance deadline, General Counsel face a shrinking window to allocate enterprise liability under the Digital Personal Data Protection Act, 2023. The Act, operationalized by the DPDP Rules, 2025, imposes strict accountability on Data Fiduciaries for all processing activities, including those outsourced to third-party processors. Failure to operationalize verifiable consent trails, grievance mechanics, and breach reporting workflows exposes the enterprise to penalty ceilings of up to 250 crore rupees per violation. Defensibility in regulator engagement requires shifting from paper policies to engineered, auditable compliance systems that control outside counsel spend and mitigate enforcement risks effectively.

Statutory Framework Under DPDP Act 2023

Section 8 of the Act establishes absolute, non-transferable accountability for the Data Fiduciary. Under Section 8(1), irrespective of any agreement to the contrary, or even the failure of a Data Principal to carry out the duties provided under the Act, the Fiduciary remains strictly responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. Section 8(2) mandates that Fiduciaries may only engage, appoint, use, or otherwise involve a Data Processor to process personal data on their behalf for any activity related to offering of goods or services to Data Principals under a valid contract. Furthermore, Section 8(3) highlights that where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal, or is disclosed to another Data Fiduciary, processing entities face heightened operational duties. Consent remains the primary basis for processing, requiring organizations to maintain immutable records of user choice.

Data Principal Duties and SDF Triggers

General Counsel should strategically utilize Section 15, which outlines explicit Data Principal duties. This section requires Principals to comply with all applicable laws while exercising rights, ensures they do not impersonate another person while providing personal data for a specified purpose, and prohibits them from suppressing any material information when providing data for any document, unique identifier, proof of identity, or proof of address issued by the State or its instrumentalities. Crucially, Section 15(d) mandates that Data Principals ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board, and Section 15(e) requires them to furnish only such information as is verifiably authentic while exercising the right to correction or erasure. This offers a robust statutory defense against malicious litigation. Concurrently, Section 10 outlines criteria for Significant Data Fiduciary (SDF) notification. The Central Government may notify an SDF based on an assessment of relevant factors including the volume and sensitivity of personal data processed, risk to the rights of the Data Principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Triggering SDF obligations requires the mandatory appointment of a Data Protection Officer (DPO). Under Section 10(2), this DPO must represent the Significant Data Fiduciary, be based in India, be an individual responsible directly to the Board of Directors or similar governing body, and act as the primary point of contact.

The Rules 2025 Operational Layer

The DPDP Rules, 2025 transition statutory concepts into strict operational mechanics. Itemised notices and verifiable parental consent require systemic integration rather than manual legal drafting. Breach response timelines are highly specific under the Rules. Fiduciaries must provide intimation to affected Data Principals without delay and submit a detailed report to the Data Protection Board within 72 hours of the incident. These technical mandates dictate that compliance tooling must execute tasks far faster than manual human review allows, requiring automated discovery and alerting mechanisms.

Enforcement and DPBI Trajectory

The Data Protection Board of India (DPBI) will regulate based on documentary evidence and process integrity. Upon receiving a complaint, the DPBI will demand immediate access to consent logs, data flow maps, and executed Data Processor contracts. A General Counsel's defensibility hinges on producing these artifacts without requiring weeks of internal discovery or massive forensic costs. The 250 crore rupee penalty ceiling for breach of obligation serves as a stark financial baseline when securing necessary enterprise budget for compliance infrastructure and automated auditing tools.

Comparative Context Against Global Regimes

Multinational enterprises must recognize where Indian law diverges from GDPR precedents. The DPDP Act 2023 has no separate sensitive-data category; unlike other global frameworks, it does not impose specialized processing rules or stricter consent requirements for specific data types. Instead, the 'sensitivity of personal data processed' is simply one of the factors evaluated by the Central Government under Section 10(1)(a) to determine Significant Data Fiduciary (SDF) designation. Territorial scope is precise: the Act covers digital personal data processed within India, and processing outside India if connected to offering goods or services to Data Principals in India. Furthermore, cross-border transfers operate strictly via a negative list approach. Transfers are generally permitted anywhere unless the Central Government explicitly restricts transfer to specific notified countries or territories, bypassing complex pre-approved whitelist evaluations entirely.

Compliance Decision Matrix

Scenario | Obligation | Owner | Artifact

Processor engages sub-processor | Valid contract per Section 8(2) | Legal and Procurement | Executed Data Processing Agreement and audit log.

Data breach occurs | DPB notification per Rules 2025 | DPO and CISO | 72-hour DPB submission and Principal intimation record.

Volume threshold met | SDF compliance per Section 10 | Board of Directors | DPO appointment resolution, India residency proof, and impact assessment.

Data Principal request | Verification per Section 15 duties | Grievance Officer | Request ledger and authentication record ensuring verifiably authentic information.

Evaluating Enterprise Compliance Providers

When selecting a vendor to operationalize DPDP Act requirements, General Counsel must evaluate tooling strictly through the lens of litigation and liability defense. Ask how the platform generates immutable evidence exports to support outside counsel during DPBI inquiries. Demand exact service level agreements for processing rights requests and automating verifiable parental consent. Require proof of local data residency to avoid compounding cross-border transfer risks. A credible solution provides a secure environment for attorney-client privileged review during breach investigations while concurrently tracking third-party vendor adherence to Section 8(2) binding contracts.

90-Day Implementation Roadmap

1. Days 1 to 30: Map digital personal data flows, amend existing vendor contracts to satisfy Section 8(2) obligations ensuring all processor engagements are formalized, and establish legal holds on data deletion where necessary.

2. Days 31 to 60: Deploy consent management and grievance mechanisms conforming to the Rules 2025, ensuring itemised notices are live across all digital properties and Section 15 authentication standards are met.

3. Days 61 to 90: Conduct tabletop exercises testing the 72-hour breach reporting workflow and formalize the Section 10 DPO office - ensuring the individual is based in India and reports to the Board - if SDF criteria apply.

Further Reading and Next Steps

Review ComplyDP advisory content on Data Processor contract remediation, Data Protection Board engagement strategies, and Section 15 Data Principal duty enforcement.

To evaluate your enterprise readiness, document an auditable compliance baseline, and accelerate your legal defensibility under the DPDP Act 2023, initiate a secure assessment at freescan.complydp.com.

Sources

Frequently asked questions

Can a Data Fiduciary transfer liability to a Data Processor under the DPDP Act?

No. Under Section 8(1) of the DPDP Act 2023, the Data Fiduciary remains strictly responsible for complying with the Act and Rules, irrespective of any agreement to the contrary. While you must execute valid contracts under Section 8(2), the regulatory liability toward the Data Protection Board rests entirely with the Fiduciary.

What are the specific breach notification timelines under the DPDP Rules 2025?

The DPDP Rules 2025 mandate that Data Fiduciaries provide intimation to affected Data Principals without delay. Simultaneously, they must submit a detailed incident report to the Data Protection Board within 72 hours of becoming aware of the breach.

Does the DPDP Act apply to our processing of data outside India?

Yes, if specific conditions are met. The territorial scope covers digital personal data processed within India, and processing outside India if it is connected to offering goods or services to Data Principals in India.