DPDPA Compliance
You Are a Data Fiduciary. Now What?
The DPDPA does not ask whether you want to be a Data Fiduciary. If you process personal data of Indian citizens, you are one. Statutory obligations follow automatically.
Standard Data Fiduciary
Every covered entity: any entity that processes digital personal data and determines the purpose and means of that processing. Covers all sectors and all sizes, with no minimum threshold.
→Lawful basis for all processing
→Purpose limitation
→Data minimisation
→Security safeguards
→Breach notification
→Data Principal rights
Significant Data Fiduciary
Central Government designated: entities designated by the Central Government based on data volume, sensitivity, and potential impact on national security or public order.
→All standard obligations
→DPIA mandatory
→Mandatory DPO appointment
→Algorithmic audits
→Consent Manager required
→Enhanced cross-border rules
The Eight Obligations
What DPDPA Requires Every Data Fiduciary to Do
These are not guidelines. They are statutory obligations with penalty consequences. Each has an operationalisation requirement that most enterprises have not yet addressed.
01. Obtain Lawful Consent
Consent must be free, specific, informed, unconditional, and unambiguous — obtained through a clear affirmative action. Pre-ticked boxes, bundled consent, and consent buried in terms do not qualify under DPDPA.
Do This Now
Audit every consent touchpoint in your customer and employee journeys. Rebuild non-compliant consent flows before the Rules are notified.
02. Issue a Notice Before Processing
Before or at the time of obtaining consent, a Data Fiduciary must provide a notice specifying the personal data to be collected, the purpose of processing, and how Data Principals can exercise their rights.
Do This Now
Review every data collection form, app onboarding flow, and sign-up page. Every one must have a DPDPA-compliant notice.
03. Limit Processing to Stated Purpose
Personal data collected for one purpose cannot be used for another. Cross-purpose processing without fresh consent is a violation — regardless of whether the original consent was valid.
Do This Now
Map your data flows. Identify every downstream use beyond the original collection purpose. Fresh consent is required for each new use.
04. Implement Security Safeguards
Reasonable and appropriate technical and organisational measures must be implemented to prevent personal data breaches. The standard is documented, proportionate safeguards — not aspirational intentions.
Do This Now
Document your security architecture. Gap-assess it against DPDPA expectations. The documentation matters as much as the implementation.
05. Erase Data When Purpose Is Met
When the purpose of processing is served or when consent is withdrawn, the data must be erased. There is no lawful basis for indefinite retention. Deletion is the default — not retention.
Do This Now
Implement a documented data retention and deletion policy across all systems. Define a timeline for every data category you hold.
06. Notify Breaches Promptly
In the event of a personal data breach, the Data Fiduciary must notify both the Data Protection Board and affected Data Principals. The notification must be in the prescribed form. Timelines are pending under the Rules.
Do This Now
Build a breach incident response plan now. Assign roles, define escalation triggers, and prepare template notifications before you need them.
07. Honour Data Principal Rights
Data Principals have the right to access their data, correct inaccuracies, erase data, know the identities of processors, and file grievances. A functioning mechanism is required for each right — not just a policy.
Do This Now
Build the rights mechanism before enforcement. A missing mechanism is an automatic violation regardless of whether anyone has exercised the right yet.
08. Supervise Data Processors
The Data Fiduciary remains responsible for the actions of its Data Processors. Every vendor that processes personal data on your behalf must be bound by a DPDPA-compliant Data Processing Agreement.
Do This Now
Audit every vendor contract. Add DPDPA DPA clauses before the Rules are notified. Your vendor's non-compliance is your penalty.
Data Principal Rights
Rights Your Systems Must Support
Data Principals — your customers, employees, users — have enforceable rights under DPDPA. You need a functioning mechanism for each. A policy document is not a mechanism.
Right to Access
Every Data Principal can request a summary of personal data being processed about them and the processing activities being carried out by the Data Fiduciary.
Right to Correction
Data Principals can request correction of inaccurate or misleading personal data and completion of incomplete data held by the Data Fiduciary.
Right to Erasure
When the purpose of processing is served or consent is withdrawn, Data Principals can request erasure of their personal data from all systems.
Right to Withdraw Consent
Consent must be as easy to withdraw as it is to give. Upon withdrawal, the Data Fiduciary must cease processing unless another lawful basis exists.
Right to Grievance Redressal
Every Data Fiduciary must provide a functioning grievance mechanism. Complaints must be acknowledged and resolved within prescribed timelines.
Right to Nominate
Every Data Principal can nominate another person to exercise their data rights in the event of death or incapacity.
AMLEGALS Advisory
From Classification to Compliance
Knowing you are a Data Fiduciary is the start. Building the compliance architecture that satisfies the statutory obligations is the work.
Our approach is the TCL Framework™ — Technical, Commercial, Legal. Most advisors deliver one. AMLEGALS delivers all three simultaneously, because DPDPA compliance sits at the intersection of all three.
Fiduciary Classification Assessment
Determine your Data Fiduciary classification — standard or Significant — and understand the complete obligation set that applies to your specific business.
Obligations Gap Analysis
Assess your current posture against all statutory obligations. Identify what is missing before the Data Protection Board does.
Data Principal Rights Architecture
Build the technical and operational mechanism for access, correction, erasure, and grievance — fully DPDPA compliant across all channels.
Ongoing Compliance Monitoring
Continuous monitoring across all fiduciary obligations — consent validity, retention compliance, breach readiness, and vendor oversight — delivered as a structured governance service.