
Duties of Businesses (Data Fiduciaries)

What Data Fiduciaries must do under DPDPA — security, minimisation, processors, and more.

Being a Data Fiduciary under DPDPA comes with specific, enforceable duties. These go beyond obtaining consent — they cover how you store data, who you share it with, and how you respond when things go wrong.

1. Implement Reasonable Security Safeguards

Section 8(5) of DPDPA requires every Data Fiduciary to implement appropriate technical and organisational measures to protect personal data from breaches.

What this means in practice:

  • Encrypt sensitive personal data at rest and in transit
  • Restrict access to personal data on a need-to-know basis
  • Use strong authentication for systems containing personal data
  • Conduct regular security reviews of your data storage practices
  • Maintain access logs for systems holding sensitive data

Penalty for failure: Up to ₹250 crore per instance.

2. Ensure Data Accuracy

You must take reasonable steps to ensure the personal data you process is accurate and up to date, particularly where decisions affecting individuals are made based on that data.

Practical steps:

  • Build mechanisms for customers to update their contact details
  • Periodically review and update employee records
  • Remove or flag data that is clearly stale or inaccurate

3. Data Minimisation — Collect Only What You Need

Under the Act's principles, you should collect only the personal data that is necessary for the stated purpose. Collecting data "just in case" or for undefined future uses is not compliant.

Practical steps:

  • Review every form you use and remove unnecessary fields
  • Question whether each data element you collect has a defined, documented purpose
  • Avoid retaining complete datasets when only partial data is needed

4. Purpose Limitation

Personal data collected for one purpose must not be used for another purpose without fresh consent or a legitimate legal basis.

Common violations:

  • Using email addresses collected for order confirmations to send marketing
  • Using CV data collected for one role to pitch the candidate for other roles without consent
  • Using student contact information collected for admissions to sell other courses

5. Storage Limitation — Do Not Retain Data Longer Than Necessary

Under Section 8(7), Data Fiduciaries must delete personal data once the purpose for which it was collected is fulfilled, unless retention is required by law.

Practical steps:

  • Define retention periods for each category of data
  • Build or schedule deletion processes
  • Communicate retention periods to Data Principals in your Privacy Notice
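The retention process described above, as an added example that is not part of this guide: a small Python check that applies per-category retention periods measured from the point the purpose was fulfilled, and holds back records whose retention is required by law, the Section 8(7) exception. The category names and retention periods are constructed placeholders, not figures from the Act.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per data category (constructed placeholder values;
# your own periods come from your legal review and Privacy Notice).
RETENTION_DAYS = {
    "order_history": 365,
    "marketing_consent": 180,
    "recruitment_cv": 90,
}

@dataclass
class Record:
    record_id: str
    category: str
    purpose_fulfilled_at: datetime  # when the stated purpose was completed
    legal_hold: bool = False        # retention required by law: never auto-deleted

def retention_deadline(record, policy=RETENTION_DAYS):
    """Date after which the record has exceeded its retention period."""
    days = policy.get(record.category)
    if days is None:
        # Fail closed: a category without a defined period is a policy gap,
        # not something to silently keep or silently delete.
        raise KeyError(f"no retention period defined for {record.category!r}")
    return record.purpose_fulfilled_at + timedelta(days=days)

def select_for_deletion(records, now, policy=RETENTION_DAYS):
    """Return (to_delete, held): expired record ids, and expired ids blocked by a legal hold."""
    to_delete, held = [], []
    for r in records:
        if retention_deadline(r, policy) > now:
            continue  # still within its retention period
        (held if r.legal_hold else to_delete).append(r.record_id)
    return to_delete, held

# Constructed sample data for a scheduled run on 1 March 2026.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("ord-1", "order_history", NOW - timedelta(days=400)),                   # expired
    Record("ord-2", "order_history", NOW - timedelta(days=400), legal_hold=True),  # expired, but held
    Record("ord-3", "order_history", NOW - timedelta(days=30)),                    # still needed
    Record("cv-1", "recruitment_cv", NOW - timedelta(days=91)),                    # expired
]

if __name__ == "__main__":
    expired, on_hold = select_for_deletion(SAMPLE_RECORDS, NOW)
    print("delete:", expired)   # ['ord-1', 'cv-1']
    print("held:", on_hold)     # ['ord-2']
```

Records reported as held should be reviewed for the specific legal basis that keeps them, and deleted once that basis lapses.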

6. Engage Only Compliant Data Processors

If you use third-party services (cloud storage, ATS, email platforms, analytics tools) that process personal data on your behalf, you must enter into Data Processing Agreements with those vendors.

Practical steps:

  • List all tools and services that process personal data
  • Check whether they have signed DPAs available
  • Review their security practices and certifications

7. Respond to Data Principal Rights Requests

Businesses must be able to receive, verify, and respond to requests from individuals to access, correct, or erase their data. This requires:

  • A designated point of contact
  • A process for verifying the identity of the requester
  • SLAs for responding to requests
  • Documentation of outcomes

8. Notify the Data Protection Board of Breaches

In the event of a personal data breach, businesses must notify the Data Protection Board and affected individuals as prescribed. See the Data Breach topic for full details.

9. Maintain Accountability Records

While DPDPA does not prescribe a specific record-keeping format, good practice — and likely regulatory expectation — includes maintaining:

  • A record of processing activities
  • Records of consent given (timestamp, version of consent notice)
  • Records of rights requests and responses
  • Documentation of data processor agreements

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice. Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.