COMPLIANCE ROUTE FROM GDPR TO DPDPA: MANAGING THE SHIFT IN REGULATORY EXPECTATIONS
- Aman Shankar & Biyanka Bhatia
- Jun 5
- 4 min read
PART III

As India prepares to operationalise the Digital Personal Data Protection Act, 2023 (“DPDPA”), many organisations assume that a compliance framework built for the EU General Data Protection Regulation, 2016 (“GDPR”) will translate seamlessly to the Indian context. The previous parts of this blog challenged that assumption by examining the foundational differences between the two regimes and illustrating how the DPDPA reshapes lawful processing and consent at a structural level. Part III builds on that analysis by examining how these differences play out in the allocation of obligations and liability among the parties in the data value chain.
I. OBLIGATIONS OF DATA FIDUCIARY

The DPDPA provides that a data fiduciary shall, irrespective of any agreement to the contrary, remain responsible for complying with the provisions of the DPDPA and the DPDP Rules in respect of any processing undertaken by it or on its behalf by a data processor [1]. This includes the obligation to implement reasonable security safeguards to prevent personal data breaches [2]. The DPDP Rules further require data fiduciaries to include appropriate contractual provisions obliging their data processors to adopt such safeguards [3]. The Act places its obligations, and the penalties for breaching them, on the data fiduciary rather than on the processor. As a result, the data fiduciary retains full responsibility for compliance under the DPDPA, including for lapses attributable to the data processor in implementing reasonable security safeguards. Even where a non-compliance arises from the actions or omissions of the data processor, it is the data fiduciary that remains accountable to the Data Protection Board; its recourse against the processor is contractual only.
The GDPR also places primary responsibility on the data controller, but it imposes obligations on processors directly: a processor must itself implement appropriate technical and organisational measures [4], and a processor that engages a sub-processor remains fully liable to the controller for that sub-processor's performance of its data protection obligations [5]. A processor is also liable for damage caused by processing where it has not complied with the obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller [6]. Further, a processor that itself determines the purposes and means of processing is treated as a controller in respect of that processing (Article 28(10), GDPR).
Consider an illustration. A retail company deploys an AI-powered customer support chatbot developed and hosted by a third-party AI vendor. The chatbot is configured to process customer names and order numbers solely to resolve delivery queries. Over time, the model begins prompting users to share additional information, such as medical conditions affecting delivery preferences or financial hardship, and stores these responses to improve future interactions.
Under the DPDPA, the AI vendor is a data processor. Even though the chatbot's behaviour exceeds the scope of the retailer's instructions and arises from the vendor's model design, the retail company, as data fiduciary, remains fully accountable for the unlawful processing and for any failure to implement reasonable security safeguards. Under the GDPR, the retailer (as controller) would still bear primary responsibility, but the AI vendor could be directly liable for acting outside the controller's lawful instructions and for failing to implement appropriate technical and organisational measures, and, having itself decided to collect and retain the additional data, could be treated as a controller for that processing.
Accordingly, organisations operating under the DPDPA will need to exercise heightened oversight over their data processors, through more prescriptive contractual clauses (for example, on security safeguards, limits on the scope of processing, audit rights and the processor's duty to report incidents quickly enough for the fiduciary to meet its own breach-notification deadlines) and closer monitoring of processor compliance, because liability under the regime rests squarely with the data fiduciary.
II. PERSONAL DATA BREACH NOTIFICATION

Under the DPDPA, breach notification is stricter than under the GDPR. Every personal data breach must be notified both to the Data Protection Board of India and to each affected data principal [7]. Unlike the GDPR, which requires notification to the supervisory authority only where the breach is likely to result in a risk to individuals and notification to data subjects only where that risk is high, the DPDPA applies no risk threshold [8].
The DPDP Rules require the data fiduciary, on becoming aware of a breach, to intimate the affected data principals and the Board without delay, and to submit a detailed report to the Board within 72 hours of becoming aware of the breach (or such longer period as the Board may allow on a written request). The Act provides no materiality threshold or exemption, so in practice every incident falling within the statutory definition of a personal data breach, which covers any unauthorised processing or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access that compromises the confidentiality, integrity or availability of personal data (Section 2(u), DPDPA), is reportable.
These obligations do not operate in isolation; they apply in addition to existing requirements [9]. Under the Indian Computer Emergency Response Team (CERT-In) Directions, 2022, organisations are required to report specified cybersecurity incidents, including data breaches and data leaks, within six hours of noticing or being informed of them. In many cases, a personal data breach under the DPDPA, particularly one involving unauthorised access, exfiltration or system compromise, will also qualify as a reportable cybersecurity incident under the CERT-In framework.
For entities operating in the telecom sector, breach response is further complicated by the Telecom Cyber Security Rules, 2024. These rules require telecom entities to report any “security incident” affecting their telecom network or services to the Central Government within six hours of becoming aware of the incident, and to provide additional details within 24 hours. Where a telecom-related incident involves personal data such as subscriber information, call data records or location data, the same incident may trigger parallel obligations under the DPDPA, the CERT-In Directions and the telecom cybersecurity regime. Each regime has its own recipient, clock and content requirements, so an incident response playbook should map a single incident to all applicable notification tracks at the outset rather than treating DPDPA notification as a separate, later step.
III. INTRODUCTION OF SIGNIFICANT DATA FIDUCIARIES AND CONSENT MANAGERS

The DPDPA introduces two concepts not found in the GDPR: Significant Data Fiduciaries and Consent Managers.
A. Significant Data Fiduciaries. The Central Government may designate a data fiduciary, or a class of data fiduciaries, as a Significant Data Fiduciary based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, and considerations relating to the sovereignty and integrity of India, electoral democracy, security of the State and public order. Entities so designated are subject to enhanced compliance obligations, including appointing a Data Protection Officer who is based in India and answerable to the board of directors, appointing an independent data auditor, and conducting periodic data protection impact assessments and audits.
B. Consent Managers. Consent Managers are entities incorporated in India and registered with the Data Protection Board that operate independently of data fiduciaries. They provide accessible, transparent and interoperable platforms through which data principals can give, manage, review and withdraw consent for the processing of their personal data. A Consent Manager acts on behalf of, and is accountable to, the data principal; data fiduciaries integrate with its platform to receive and act on the consents recorded there. Organisations, including those operating outside India, may consider integrating with a registered Consent Manager. The DPDPA does not mandate the use of a Consent Manager, but doing so can make compliance with consent-related obligations easier to operate and to demonstrate.
The DPDPA introduces rights and obligations, and narrows the permissible grounds for processing, in ways that will affect product design, marketing practices, vendor management and incident response. Many processing activities that are routine under the GDPR will require closer scrutiny, tighter purpose limitation or fresh consent in the Indian context.

Footnotes :
[1] Section 8(1), DPDPA, 2023.
[2] Section 8(5), DPDPA, 2023; Rule 6(1), DPDP Rules, 2025.
[3] Rule 6(1)(f), DPDP Rules, 2025.
[4] Article 28(1) and Article 32(1), GDPR, 2016.
[5] Article 28(4), GDPR, 2016.
[6] Article 82(2), GDPR, 2016.
[7] Section 8(6), DPDPA, 2023; Rule 7, DPDP Rules, 2025.
[8] Article 33(1) and Article 34(1), GDPR, 2016.
[9] Section 38(1), DPDPA, 2023.

Please feel free to reach out to our Team to discuss any Technology Law, Competition Law, International Trade and Policy issues.