

DPDPA Section 8: Duties of a data fiduciary

DPDPA Section 8 explained: a data fiduciary's duties for accuracy, security safeguards, breach notification, retention and erasure, grievance redressal and accountability for processors.

In short
Section 8 of the DPDP Act sets out the core duties of a data fiduciary: ensure data is accurate and complete where it may affect the data principal or a decision, take reasonable security safeguards to prevent breaches, notify the Data Protection Board and affected persons of a breach, erase personal data once the purpose is served or consent is withdrawn, publish the contact of a person who can answer questions, and have a grievance-redressal mechanism. The fiduciary remains accountable even when a processor handles the data.
Last updated 2026-06-03

Security safeguards and breach notification

A data fiduciary must take reasonable security safeguards to prevent a personal data breach, including where a processor holds the data. Failure to take such safeguards is the single most heavily penalised obligation under the Act.

On becoming aware of a breach, the fiduciary must notify the Data Protection Board and each affected data principal in the form and manner the Rules prescribe. Have an incident-response runbook ready so these notifications can go out within the required timelines.

Retention and erasure

Personal data must be erased once the purpose is no longer being served and retention is not required by law, and on withdrawal of consent. In practice that means purpose-based retention schedules and a deletion process, not indefinite storage.

ConsentX supports this with configurable retention and an erasure audit trail, so deletion is provable rather than assumed.

Accountability and processors

A data fiduciary may engage a processor only under a valid contract, and remains accountable for the data. You must publish the contact details of a Data Protection Officer or a person able to answer questions about processing, and operate a grievance-redressal mechanism for data principals.

This page is a plain-English summary of the Digital Personal Data Protection Act, 2023 for general information and is not legal advice. Confirm your obligations with qualified counsel.


DPDPA Section 8 questions

What security does Section 8 require?

Reasonable security safeguards to prevent a personal data breach, including where a processor holds the data. This is the most heavily penalised duty under the Act.

When must personal data be erased under the DPDPA?

When the purpose is no longer being served and retention is not legally required, and on withdrawal of consent, unless a law requires you to keep it.

Is a data fiduciary responsible for its processors?

Yes. The fiduciary remains accountable for the data even when a processor handles it, and may engage a processor only under a valid contract.