Section 8: General Obligations of Data Fiduciary

Chapter: Obligations of Data Fiduciary

Maximum Penalty: Up to ₹250 Crore

Compliance Deadline: May 13, 2027

Direct Answer

Section 8 of India's DPDP Act 2023 (General Obligations of Data Fiduciary) covers accuracy, security safeguards, breach notification to the Board and Data Principals, and erasure when the purpose ends. It applies to all data fiduciaries. Non-compliance can attract penalties of up to ₹250 Crore. Organisations should document controls, maintain audit evidence, and review this obligation before full enforcement, expected from May 2027.

Overview

Accuracy, security safeguards, breach notification to Board and Data Principals, and erasure when purpose ends.

Key Points of Section 8

Who This Applies To

All Data Fiduciaries

Compliance Action Steps

  1. Deploy encryption and access controls
  2. Build breach notification runbook
  3. Automate retention/deletion

Practical Examples

  1. An e-commerce checkout collects phone numbers for delivery and marketing — Sections 4–6 require separate consents and a plain-language notice before payment.
  2. A fintech app performing KYC stores Aadhaar-linked data — Sections 5–8 require notice, security safeguards, and breach notification readiness.
  3. An HR platform onboarding employees processes government ID scans — legitimate use may apply for employment, but consent and notice still govern non-mandatory fields.

Statutory Text

General obligations of Data Fiduciary.

  • 8(1): Responsible for compliance for all processing by it or its Processors, regardless of agreement.
  • 8(2): Engage Processors only under valid contract for goods/services activities.
  • 8(3): Ensure completeness, accuracy and consistency where data affects decisions or is disclosed to another Fiduciary.
  • 8(4): Implement appropriate technical and organisational measures.
  • 8(5): Protect personal data by reasonable security safeguards to prevent personal data breach.
  • 8(6): On breach, notify the Board and each affected Data Principal in prescribed form and manner.
  • 8(7): Erase data on consent withdrawal or when purpose ends unless law requires retention; cause Processors to erase.
  • 8(8): Purpose deemed ended if Data Principal inactive for prescribed period.
  • 8(9): Publish DPO or contact for processing queries.
  • 8(10): Establish effective grievance redress mechanism.
  • 8(11): No approach during periods without initiated contact for the specified purpose.

Source: Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, Extraordinary, Part II—Sec. 1, 11 Aug 2023. Operative excerpts for reference; official Gazette text prevails.

Legal Provisions and Compliance Guidance

Section 8 — General Obligations of Data Fiduciary (Chapter: Obligations of Data Fiduciary)

Statutory overview

Accuracy, security safeguards, breach notification to Board and Data Principals, and erasure when purpose ends.

Plain-English requirements

1. Ensure accuracy and completeness of data

2. Implement reasonable security safeguards (8(5))

3. Notify Board and Data Principals of breaches (8(6))

4. Erase data when purpose fulfilled

Operational implications for Indian organisations

Data fiduciaries and processors should translate Section 8 into concrete controls: update privacy notices, train staff, adjust product flows, and maintain evidence that demonstrates compliance during audits or Board inquiries. Map this section to your Record of Processing Activities (RoPA) and link each control to an owner, review date, and evidence repository. Product managers should embed privacy-by-design checkpoints in sprint reviews; security teams should align SOC monitoring with obligations that carry penalty exposure; and legal teams should track DPBI guidance that interprets ambiguous phrases in the statute.

Relationship to DPDP Rules 2025

The DPDP Rules 2025 notified in January 2025 provide operational detail for many Chapter obligations — including timelines, formats, and registration requirements. Monitor Central Government notifications and DPBI guidance for sector-specific interpretations that refine how Section 8 is enforced. Rule updates may introduce new forms, registration portals, or technical standards that supersede informal industry practice — subscribe to official Gazette notifications rather than relying solely on vendor marketing materials.

Sector-specific considerations

For Data Fiduciary obligations, BFSI and health-tech organisations face heightened scrutiny on consent granularity, security safeguards, and breach notification. HR platforms processing employee data often rely on legitimate use but must still meet notice and accuracy duties.

Implementation playbook

  1. Publish privacy notices in plain language.
  2. Deploy granular consent capture.
  3. Implement retention and deletion jobs.
  4. Enable breach detection and notification runbooks.
  5. Train teams on withdrawal requests.
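Step 3 of the playbook ("implement retention and deletion jobs") maps directly onto the statutory text of 8(7) and 8(8): erase on consent withdrawal or when the purpose ends, treat a prescribed period of inactivity as the purpose having ended, keep data only where a law requires retention, cascade erasure to Processors, and retain evidence of what was deleted. The following is an added example (not the page's, the Act's or Complynz's code) of one job that does all of this. The inactivity period, the log key, the processor names and the sample records are constructed placeholders; the real "prescribed period" comes from the DPDP Rules, not from this snippet.

```python
"""Retention/erasure job sketch for DPDP Section 8(7)/8(8).

Constructed example: decides per record whether personal data must be erased,
cascades erasure to Processors, and writes a hash-chained deletion log that
can later serve as audit evidence without storing the Data Principal's
identifier in clear.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple
import hashlib
import hmac
import json

# Assumption: the "prescribed period" of inactivity under 8(8) is set by the
# Rules; 365 days is a placeholder for this example only.
INACTIVITY_PERIOD = timedelta(days=365)
# Placeholder secret used to pseudonymise principal identifiers in the log.
LOG_KEY = b"example-log-key-replace-in-production"


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_activity: datetime
    consent_withdrawn: bool = False
    purpose_fulfilled: bool = False
    legal_hold_until: Optional[datetime] = None  # end of any statutory retention
    processors: Tuple[str, ...] = ()             # Processors holding a copy


def erasure_reason(rec: Record, now: datetime) -> Optional[str]:
    """Return why the record must be erased, or None if it must be kept."""
    if rec.legal_hold_until is not None and rec.legal_hold_until > now:
        return None  # 8(7) exception: retention required by law
    if rec.consent_withdrawn:
        return "consent_withdrawn"
    if rec.purpose_fulfilled:
        return "purpose_ended"
    if now - rec.last_activity >= INACTIVITY_PERIOD:
        return "inactivity_deemed_purpose_ended"  # 8(8)
    return None


def principal_ref(principal_id: str) -> str:
    """Keyed pseudonym so the deletion log itself does not retain the identifier."""
    return hmac.new(LOG_KEY, principal_id.encode(), hashlib.sha256).hexdigest()[:16]


class DeletionLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_retention_job(records: List[Record], now: datetime, log: DeletionLog,
                      notify_processor: Callable[[str, str], None]) -> Tuple[List[str], List[str]]:
    """Erase qualifying records, cascade to Processors, log evidence.

    Returns (erased_ids, retained_ids). Actual deletion from the data store is
    left to the caller; this function decides and records.
    """
    erased, retained = [], []
    for rec in records:
        reason = erasure_reason(rec, now)
        if reason is None:
            retained.append(rec.principal_id)
            continue
        for proc in rec.processors:
            notify_processor(proc, rec.principal_id)  # 8(7): cause Processors to erase
        log.append({"principal_ref": principal_ref(rec.principal_id), "purpose": rec.purpose,
                    "reason": reason, "processors": list(rec.processors), "at": now.isoformat()})
        erased.append(rec.principal_id)
    return erased, retained


def demo() -> dict:
    """Run the job over constructed sample records and report the outcome."""
    now = datetime(2027, 5, 13, tzinfo=timezone.utc)
    day = timedelta(days=1)
    records = [
        Record("p1", "delivery", now - day, consent_withdrawn=True, processors=("proc-a",)),
        Record("p2", "kyc", now - day, purpose_fulfilled=True, legal_hold_until=now + 5 * 365 * day),
        Record("p3", "marketing", now - 400 * day),
        Record("p4", "marketing", now - 10 * day),
        Record("p5", "kyc", now - day, purpose_fulfilled=True, legal_hold_until=now - day),
    ]
    log, notified = DeletionLog(), []
    erased, retained = run_retention_job(records, now, log, lambda p, pid: notified.append((p, pid)))
    reasons = [e["event"]["reason"] for e in log.entries]
    intact_before = log.verify()
    log.entries[0]["event"]["reason"] = "edited"  # simulate after-the-fact tampering
    return {"erased": erased, "retained": retained, "notified": notified, "reasons": reasons,
            "log_intact": intact_before, "tamper_detected": not log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering in erasure_reason matters: the legal-hold check runs first so a statutory retention duty overrides both withdrawal and purpose-end, while an expired hold (record p5) falls through to normal erasure. The log deliberately stores a keyed pseudonym rather than the identifier, since a deletion record that keeps the personal data it attests to deleting undermines the point of 8(7); the hash chain is what makes the evidence tamper-evident in the sense the "Documentation and evidence" section asks for.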

Related provisions

Section 8 should be read alongside Section 6, Section 7, Section 9, Section 10. Indian compliance programmes typically map these sections together in privacy impact assessments, vendor due diligence questionnaires, and board reporting packs. Cross-referencing prevents siloed fixes — for example, improving consent under Section 6 without updating notice under Section 5 leaves residual regulatory risk.

Documentation and evidence

Maintain version-controlled policies, system logs, consent records, training attendance, and DPIA outputs that reference Section 8. During a Data Protection Board inquiry, documented good-faith compliance efforts can influence remedial directions and penalty outcomes. Evidence should be tamper-evident where possible — immutable consent logs, WORM storage for audit trails, and timestamped policy approvals strengthen your position.

Financial exposure: The Act's penalty schedule links violations of this section to fines of up to ₹250 Crore. The Data Protection Board of India (DPBI) will consider severity, duration, intent, and remediation when determining penalties. Proportionate penalties mean startups and MSMEs are not automatically charged the statutory maximum, but repeated or negligent breaches increase exposure significantly.

Audit and Board inquiry preparedness for Section 8

When the Data Protection Board opens an inquiry, investigators typically request: (a) your privacy notice and consent records tied to general obligations of data fiduciary; (b) RoPA entries referencing Section 8; (c) training records for staff handling relevant workflows; (d) technical evidence such as access logs, encryption configurations, or deletion confirmations; and (e) correspondence with Data Principals on related rights requests. Proactively assemble a section-specific evidence bundle quarterly. At a minimum, that bundle should show that you ensure accuracy and completeness of data and implement reasonable security safeguards (8(5)). Platforms like Complynz automate control mapping and evidence collection so legal teams can respond to DPBI requests within days rather than weeks.

Enforcement timeline

The Act passed in August 2023. DPDP Rules were notified in November 2025. Consent Manager registration opens November 2026. Full operational enforcement is expected from May 2027 — organisations should complete gap remediation before that date. Early movers gain competitive advantage with enterprise buyers and government tenders that increasingly require demonstrable DPDP readiness.


Frequently Asked Questions

What does DPDP Act Section 8 require?

Section 8 (General Obligations of Data Fiduciary) requires accuracy, security safeguards, breach notification to the Board and Data Principals, and erasure when the purpose ends. It applies to all data fiduciaries.

Who must comply with Section 8 of the DPDP Act?

All Data Fiduciaries

What is the compliance deadline for DPDP Section 8?

DPDP Rules 2025 introduced a phased 18-month implementation window. While some provisions are being rolled out from 2025–2026, full enforcement with DPBI penalty powers is expected from May 2027. Organisations should implement Section 8 controls before that date.

What penalty applies for violating DPDP Section 8?

Violations related to Section 8 can attract financial penalties of up to ₹250 Crore under the DPDP Act penalty schedule, depending on breach severity and Board assessment. The DPBI considers factors including duration of non-compliance, number of Data Principals affected, whether the breach was intentional, and remedial steps taken before or after discovery.

How do I implement DPDP Section 8 in my organisation?

Start with a gap assessment mapping Section 8 requirements to your current privacy programme, product flows, and vendor contracts. Assign an internal owner, implement missing controls, document evidence in a central repository, and schedule quarterly reviews. Automated GRC platforms reduce manual effort and help maintain continuous compliance as rules evolve.

Does Section 8 apply to startups and small businesses in India?

Yes, unless a specific exemption notification applies to your organisation class. Section 8 (General Obligations of Data Fiduciary) applies to all data fiduciaries. Startups may receive targeted exemptions under Section 17, but core obligations around consent, security, and rights typically remain. Budget-constrained teams should prioritise high-penalty sections first.

How does Section 8 relate to GDPR or other global privacy laws?

Section 8 is India's standalone requirement under the DPDP Act 2023. Organisations already GDPR-compliant must still map DPDP-specific obligations — consent standards, DPBI enforcement, penalty caps, and Rules 2025 timelines differ from EU law. Apply the higher protection standard where laws overlap and maintain separate India-specific documentation.

Suggested Next Step

Breach Notification Templates — Prepare Board and Data Principal notification templates before an incident.


DPDP implementation support

  • Gap assessment & remediation roadmap (INR 49,999+)
  • Breach runbook & DPBI templates
  • SDF / DPO / DPIA programs

DPDP consulting services | hello@complynz.com