How data fiduciaries should engage processors for effective compliance

Data fiduciaries must actively manage processor contracts, security controls and compliance to meet DPDPA obligations.


In brief

  • The DPDPA requires data fiduciaries to engage processors through a valid contract.
  • Data fiduciaries must ensure that their data processors halt processing immediately when consent is withdrawn, as mandated by the DPDPA.
  • Data fiduciaries are required to ensure that data processors delete personal data once it is no longer necessary, unless its retention is mandated by law.

The Digital Personal Data Protection Act, 2023 (DPDPA) and the Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) impose several obligations on data fiduciaries concerning the actions of their processors. The DPDPA defines a processor as any person who processes data on behalf of a data fiduciary. While processors do not have independent decision-making authority, their compliance is essential for ensuring data security and adhering to regulatory requirements. 

Key considerations for engaging data processors

1. Processing under a valid contract

Section 8(2) of the DPDPA requires a data fiduciary to engage a processor only through a valid contract.

To ensure a structured and transparent approach to data management, the contract must clearly define the scope, purpose and methods of processing. This is similar to the GDPR compliance requirement that a processor act based on documented instructions from the controller.

To mitigate risks and liabilities, contracts must incorporate safeguards that protect the data fiduciary and ensure compliance with the DPDPA. These contractual safeguards should include granting the data fiduciary the right to audit and monitor the processor’s data processing activities, requiring the processor to obtain authorization from the data fiduciary before appointing sub-processors, and ensuring compliance with confidentiality requirements. Additionally, data processing contracts should impose obligations on processors to assist with data subject requests and breach management, and should restrict processors from transferring data to countries prohibited by the central government.

2. Ensuring cessation of processing upon withdrawal of consent

Section 6(6) of the DPDPA requires that, upon withdrawal of consent by the data principal, the data fiduciary must ensure that both the data fiduciary and its processors cease processing the data within a reasonable time unless legally required to continue.

To uphold compliance, contracts should explicitly require data processors to promptly cease processing upon receiving instructions from the data fiduciary. This may require establishing clear mechanisms for the timely execution of such requests; maintaining records of each request and its execution helps demonstrate compliance and mitigates the risk of unauthorized processing.

3. Ensuring data deletion

Under Section 8(7)(b) of the DPDPA, a data fiduciary must ensure that its processor deletes any personal data shared for processing unless retention is required by law. 

While the GDPR allows controllers to request either deletion or return of data, the DPDPA mandates deletion. To comply, data fiduciaries must implement oversight mechanisms to ensure the prompt and thorough erasure of data once the retention is no longer necessary.

4. Compliance with technical and organizational security measures

Sections 8(4) and 8(5) of the DPDPA and Rule 6 of the DPDP Rules require data fiduciaries and, where applicable, processors to implement technical security measures and organizational security protocols, aligning with the GDPR’s emphasis on confidentiality, integrity and availability under Article 32.

Under Rule 6, the required security safeguards include encryption, obfuscation, access controls, maintaining data backups, and continuous monitoring through logs and reviews to detect and prevent breaches. A key distinction from the GDPR is the DPDP Rules’ requirement to retain logs and personal data for at least one year to help detect unauthorized access, conduct investigations and ensure remediation. To ensure compliance with the DPDPA and DPDP Rules, data processing agreements between data fiduciaries and processors must clearly set out these security obligations. Failure to comply with these obligations could make the processor contractually liable, allowing the data fiduciary to recover fines and losses incurred due to a breach.

Engaging effectively with processors is crucial for DPDPA compliance and risk management. By setting clear responsibilities, prioritizing security and maintaining regular oversight, data fiduciaries can ensure accountability and protect personal data. As data protection regulations evolve, businesses should stay proactive and update their data privacy and protection practices accordingly.

The article is written by Tiffy Isaac, Partner, Risk Consulting, EY India

Summary

Under the DPDPA 2023 and Draft Rules 2025, data fiduciaries must engage processors through valid contracts, ensure data deletion and cessation of processing upon consent withdrawal, and implement strict security measures. Fiduciaries remain accountable for processors’ actions, including compliance with confidentiality, breach management, and restrictions on cross-border data transfers.
