India’s data privacy landscape is at a turning point. With the final rules under the Digital Personal Data Protection (DPDP) Act expected soon, the regulatory framework is set to move from vision to execution. Released earlier this year, the draft DPDP Rules are critical—they not only activate the 2023 legislation but also provide a transition window for businesses to align with its requirements.

While much of the spotlight of DPDP Act has been on data fiduciaries—who determine the purpose and means of processing, data processor— who act on their behalf, now find themselves under growing pressure—facing complex operational risks and rising expectations, even without direct legal penalties under the Act.
The DPDP Act holds data fiduciaries accountable for ensuring personal data is processed securely, even if the actual processing is outsourced. Data processors are required to support the fiduciary in meeting these obligations, especially in breach scenarios. While the Act does not directly penalise processors, the consequences of non-compliance can be severe—both reputationally and contractually.
In the event of a breach, processors must report incidents promptly to the concerned fiduciary, enabling them to comply with statutory reporting obligations (72-hour breach notification). Delayed or incomplete communication can expose processors to contract breaches, legal disputes, and loss of business.
At first glance, it might appear that processors are shielded from penalties under the DPDP Act. Legally, all obligations and financial penalties rest with the fiduciary. However, the reality is more nuanced.
{{/usCountry}}At first glance, it might appear that processors are shielded from penalties under the DPDP Act. Legally, all obligations and financial penalties rest with the fiduciary. However, the reality is more nuanced.
{{/usCountry}}Processors today engage with multiple fiduciaries, each with their own contractual expectations, due diligence requirements, and breach notification clauses. In the event of a major data breach, a processor may not face a regulatory penalty—but multiple contractual liabilities, each tied to the number of affected fiduciary relationships.
For fiduciaries, the maximum penalty under the DPDP Act is capped at ₹250 crore. But for a processor, a single breach impacting multiple clients could multiply the exposure many times over, as each affected fiduciary may seek damages or invoke contractual penalties.
The risks faced by processors also depend on their maturity and governance practices:
- Low-governance processors: These are smaller vendors, often operating without formal data protection policies or security frameworks. Fiduciaries engaging such partners must impose strong contractual clauses and conduct rigorous due diligence. However, even well-worded contracts may offer little recourse if the processor is a fly-by-night operator or shuts down post-breach.
- Well-governed processors: These service providers typically follow strong compliance protocols and maintain a reputation to protect. Yet, the sheer volume of client-specific contracts, due diligence exercises, and breach obligations can become overwhelming. For them, the challenge lies not in readiness, but in scaling compliance across engagements.
This landscape presents an opportunity to consolidate the third-party ecosystem. Rationalising vendor relationships to include more reliable and well-governed processors can reduce risk and administrative overhead.
Processors can no longer wait to act until fiduciaries impose compliance frameworks as proactive data protection readiness is not just a regulatory expectation—it’s a business imperative.
Key steps processors should take:
- Map personal data flows: Understand what personal data you handle, where it resides, and how it moves across systems and geographies. This visibility is foundational to all privacy efforts.
- Implement technical and organisational safeguards
Adopt robust security controls—encryption, access controls, incident response protocols, and staff training—to mitigate breach risks. - Prepare for breach response: In a breach scenario, the fiduciary must notify the Data Protection Board within 72 hours. That means the processor must report to the fiduciary well before that. Define internal timelines, escalation procedures, and testing mechanisms for breach notification.
- Align with fiduciary expectations: Conduct readiness assessments and voluntarily adopt fiduciary-grade controls. Demonstrating a mature posture helps build trust, reduces friction in contracting, and positions the processor as a partner of choice.
- Centralise compliance efforts: Rather than managing compliance on a contract-by-contract basis, create a centralised privacy programme that can meet the needs of multiple clients simultaneously.
In this evolving regulatory climate, the role of data processors in the data protection ecosystem is only set to grow. While the DPDP Act places primary responsibility on fiduciaries, processors must not assume that they are insulated from consequences. The risk is real, and the cost of inaction is high.
The smart processors will not wait for fiduciaries to enforce compliance—they will lead with it. Those who adopt fiduciary-level discipline, transparency, and governance will not only reduce their liability but also differentiate themselves in a crowded marketplace.
The government has placed the DPDP Act at the top of its regulatory agenda. By completing multiple stakeholder consultations and directing ministries and industry to begin system alignments in advance, the government is signalling its intent to fast-track implementation and make data protection a cornerstone of India’s digital governance framework.
The message is clear: Data protection is not just a fiduciary’s duty. It’s everyone’s business.
This article is authored by Mini Gupta, partner, Cybersecurity Consulting, EY India.