ISpectra Technologies
Obligations · Intermediate · Updated Jun 2026 · 10 min read

Data Fiduciary Obligations Under the DPDP Act

The data fiduciary carries the weight of the DPDP Act. This guide sets out every obligation the role brings, from notice and consent to security, breach reporting and erasure.


If you are a data fiduciary — the organisation that decides why and how personal data is processed — the DPDP Act places a substantial, but well-defined, set of duties on you. Understanding the full list is the starting point for any serious effort at DPDP compliance, because each obligation translates into a concrete process you have to build and be able to evidence.

The obligations are not arbitrary. They flow from a single idea: that an organisation holding someone else's personal data owes that person a duty of care. Notice, consent, security, accuracy, retention limits and breach reporting are all expressions of that underlying responsibility.

This guide walks through the core obligations of a data fiduciary one by one, explains what each requires in practice, and shows how they fit together into a coherent compliance programme rather than a checklist of disconnected rules.

Give notice and obtain valid consent

The first obligation is to provide a clear, itemised notice and, where you rely on consent, to obtain consent that is free, specific, informed, unconditional and unambiguous. The notice must describe the data and purpose and explain how to withdraw consent, exercise rights and complain to the Board.

This pairing of notice and consent is the gateway to most processing. Get it wrong and the lawful basis for everything that follows is undermined, which is why fiduciaries typically tackle notice and consent design first.

Where consent is not the basis, the fiduciary must instead rely on a defined legitimate use, and stay strictly within its boundary. Either way, every processing activity needs an identifiable, defensible basis.

In practice, the cleanest way to operationalise this is to require, for every new data use, an explicit answer to a single question: what is our lawful basis here? Making that a mandatory step in product and process design prevents the slow accumulation of processing that has never been properly justified.

Process only for the stated purpose

A fiduciary must limit processing to the purpose for which the data was collected. Purpose limitation prevents the quiet repurposing of data — collecting an email for delivery updates and later using it for unrelated marketing without a fresh basis.

In practice this means tying each dataset to a declared purpose and resisting the temptation to mine it for new uses simply because you have it. New purposes generally require new notice and consent.

Building purpose into your data map — recording why each category of data is held — makes this obligation enforceable internally and demonstrable to the Board.

Purpose limitation also protects you commercially. When data is tied to clear purposes, you avoid the reputational and regulatory damage that comes from customers discovering their information was used in ways they never expected or agreed to.

Keep personal data accurate and complete

The Act requires fiduciaries to ensure the personal data they process is accurate, complete and kept up to date, particularly where it is used to make decisions that affect the data principal or is disclosed to another fiduciary.

Inaccurate data is not just a quality problem; under the Act it is a compliance issue, because decisions made on bad data can harm the individual. This raises the stakes for data hygiene in areas like credit, employment and eligibility decisions.

Honouring the correction right is part of meeting this duty: when a person flags an error, fixing it across your systems keeps your data accurate and your processing lawful.

Where data feeds automated or high-impact decisions, accuracy obligations are sharpest, because an error can directly disadvantage a real person. Building validation, source-of-truth discipline and easy correction into those systems is both a compliance duty and simply fair to the people affected.

Implement reasonable security safeguards

Every fiduciary must protect the personal data in its control with reasonable security safeguards. The 2025 Rules give this substance, pointing to measures such as encryption or masking, access control with multi-factor authentication, and the retention of logs for at least a year.

This obligation carries the most financial weight, because failing to secure data that then suffers a breach can attract a penalty of up to ₹250 crore. Security is therefore the single highest-leverage investment a fiduciary can make.

The duty extends to data held by your processors, which is why contracts and oversight of third parties are part of meeting your own security obligation.

It helps to treat the Rule 6 measures as a baseline rather than a ceiling. Encryption, multi-factor authentication and logging are the minimum the regulator expects; mature fiduciaries layer monitoring, testing and least-privilege access on top to genuinely reduce the chance of a breach.

Report breaches to the Board and individuals

When a personal data breach occurs, the fiduciary must notify both the Data Protection Board and the affected data principals. The Rules establish a two-tier duty: an immediate notice on becoming aware, followed by a fuller report, generally within 72 hours.

Meeting this timeline requires preparation. You cannot improvise breach reporting in the moment, so a tested incident-response runbook with pre-drafted templates and named owners is essential.

Failing to notify a breach is itself a serious failure under the Act, attracting penalties of up to ₹200 crore, independent of any penalty for the underlying security lapse.

Because the clock starts on awareness rather than on full understanding, the discipline you most need is the willingness to notify on partial information and update later. Organisations that wait for certainty before reporting are the ones most likely to miss the window.

Limit retention and erase when done

Fiduciaries must not keep personal data longer than necessary for the purpose for which it was collected. Once that purpose is served, or consent is withdrawn, the data must generally be erased, unless retention is required by law.

This pushes organisations toward defined retention schedules and the technical ability to delete data reliably across primary systems, backups and processors. Indefinite data hoarding is precisely what the Act discourages.

Good retention practice also reduces risk: data you have securely deleted cannot be breached, and a smaller data footprint is cheaper and safer to protect.

Retention discipline is also a quiet security win: every record you no longer hold is a record that cannot be stolen, mishandled or surfaced in a breach. Treating deletion as a routine, scheduled activity shrinks both your risk and your storage costs.
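The purpose-limitation and retention sections above both come down to the same record-keeping: every dataset is tied to a declared purpose, each purpose carries a retention period, and a sweep erases what has expired (or whose consent was withdrawn) across every store that holds a copy, unless a legal retention requirement overrides. The following is an added example, not code from the original article or from ISpectra, of that data-map-driven sweep. The purposes, retention periods, the eight-year statutory hold and the erasure targets are constructed placeholders, not figures or names from the Act or the Rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Purpose:
    name: str
    retention_days: int        # keep for this long after the data was last used for the purpose
    legal_hold_days: int = 0   # statutory retention counted from collection; 0 means none


@dataclass
class Record:
    principal_id: str
    category: str              # e.g. "email", "delivery_address"
    purpose: str               # must be a key of the data map below
    collected_on: date
    last_used_on: Optional[date] = None
    consent_withdrawn_on: Optional[date] = None


# Constructed data map. The legal-hold period is an assumed placeholder for a
# statutory requirement, not a figure taken from the DPDP Act.
DATA_MAP = {
    "delivery_updates": Purpose("delivery_updates", retention_days=90),
    "tax_invoicing": Purpose("tax_invoicing", retention_days=30, legal_hold_days=8 * 365),
}

# Every place a copy may live. Erasure is only complete when each target confirms.
ERASURE_TARGETS = ("primary_db", "backup_snapshots", "processor:courier_api")


def allowed_use(record: Record, proposed_purpose: str) -> bool:
    """Purpose limitation: data may only be used for the purpose it was collected for."""
    return record.purpose == proposed_purpose


def erasure_reason(record: Record, today: date, purposes=DATA_MAP) -> Optional[str]:
    """Return why the record must be erased, or None if it must still be kept."""
    purpose = purposes[record.purpose]
    if purpose.legal_hold_days:
        hold_until = record.collected_on + timedelta(days=purpose.legal_hold_days)
        if today < hold_until:
            return None  # retention required by law overrides expiry and withdrawal
    if record.consent_withdrawn_on is not None and record.consent_withdrawn_on <= today:
        return "consent_withdrawn"
    anchor = record.last_used_on or record.collected_on
    if today > anchor + timedelta(days=purpose.retention_days):
        return "purpose_served"
    return None


def retention_sweep(records, today: date, purposes=DATA_MAP):
    """Split records into those to keep and one erasure task per record per target,
    so the job queue itself is the evidence that deletion reached every copy."""
    keep, tasks = [], []
    for r in records:
        reason = erasure_reason(r, today, purposes)
        if reason is None:
            keep.append(r)
            continue
        for target in ERASURE_TARGETS:
            tasks.append({"principal_id": r.principal_id, "category": r.category,
                          "target": target, "reason": reason})
    return keep, tasks


def sample_records():
    """Constructed sample data for the demonstration."""
    return [
        Record("p1", "email", "delivery_updates", date(2026, 1, 1), last_used_on=date(2026, 1, 15)),
        Record("p2", "email", "delivery_updates", date(2026, 5, 1)),
        Record("p3", "email", "delivery_updates", date(2026, 5, 20),
               consent_withdrawn_on=date(2026, 5, 25)),
        Record("p4", "billing_address", "tax_invoicing", date(2025, 1, 1),
               consent_withdrawn_on=date(2026, 3, 1)),
    ]


if __name__ == "__main__":
    kept, erasures = retention_sweep(sample_records(), date(2026, 6, 1))
    print("keep:", [r.principal_id for r in kept])
    for task in erasures:
        print("erase:", task)
```

The sweep is deliberately conservative in one direction only: a statutory hold keeps a record even after consent is withdrawn, because the Act's erasure duty yields to retention required by law, while expiry of the declared purpose or a withdrawal is enough to queue erasure everywhere else. Treating backups and processors as first-class targets is what turns "we delete data" into something you can evidence to the Board.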


Honour rights, grievances and processor duties

A fiduciary must enable data principals to exercise their rights — access, correction, erasure, nomination — and provide a readily available grievance-redressal mechanism that responds within the prescribed time.

Where it engages processors, the fiduciary must do so only under a valid contract, and remains accountable to the data principal for what those processors do. Choosing and overseeing processors well is therefore part of meeting your own obligations.

Significant Data Fiduciaries carry additional duties on top of all of this: appointing an India-based DPO, conducting Data Protection Impact Assessments, and undergoing independent audits.

The thread running through these duties is accountability that cannot be delegated away. You can outsource the processing, but not the responsibility, so the quality of your processor selection and oversight directly determines the quality of your own compliance.

Bringing the obligations together

Listed individually the obligations can look daunting, but they form a logical whole: know your data, have a basis to use it, be transparent, keep it accurate and secure, hold it no longer than needed, let people exercise their rights, and be ready if something goes wrong.

The practical path is to translate each duty into a named process with an owner, evidence that it operates, and a review cadence — then keep records that let you demonstrate compliance on request.

Approached this way, the fiduciary's obligations become a manageable programme that, once built, largely runs itself, rather than a perpetual scramble against an open-ended legal standard.

A useful litmus test is whether, for any obligation, you could produce evidence to the Board tomorrow. If the answer is no, that obligation is aspirational rather than real, and closing the gap between intention and evidence is the practical work of compliance.

Data Fiduciary Obligations — FAQ

What are the core obligations of a data fiduciary?
Giving notice and obtaining valid consent, limiting processing to the stated purpose, keeping data accurate, securing it, reporting breaches, limiting retention, honouring rights and grievances, and contracting properly with processors.

Which failure carries the heaviest penalty?
Failing to take reasonable security safeguards that results in a breach, which can attract a penalty of up to ₹250 crore.

Do we have to delete personal data once we are done with it?
Yes. Data must not be kept longer than necessary, and must generally be erased once its purpose is served or consent is withdrawn, unless retention is legally required.

Can a fiduciary use processors?
Yes. A fiduciary may engage processors only under a valid contract and remains accountable to the data principal for what those processors do.

What extra duties do Significant Data Fiduciaries have?
Significant Data Fiduciaries carry extra duties — an India-based DPO, impact assessments and independent audits — on top of the obligations every fiduciary has.