
DPDP Act 2023: What Data Processors and Vendors Must Do
Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDP Act), changed the ground rules for any business that processes the personal data of Indian residents. It also changed what you must demand from every vendor that touches that data on your behalf.
This post translates the Act into a practical vendor compliance program: who is a data processor, which obligations flow through, what belongs in a DPDP-ready vendor contract, and how to document it all for the Data Protection Board.
Roles under the Act
1. Data Principal — the individual to whom the personal data relates.
2. Data Fiduciary — the entity that determines the purpose and means of processing.
3. Data Processor — a person who processes personal data on behalf of a Data Fiduciary.
4. Significant Data Fiduciary (SDF) — a Data Fiduciary designated based on volume, sensitivity, and impact; higher obligations apply.
In a vendor relationship, your organization is typically the Data Fiduciary, and the vendor is a Data Processor. The Fiduciary remains accountable to the Data Principal for the processor’s actions.
What flows through to your vendors
1. Purpose limitation — the vendor may process data only for the purposes in the contract.
2. Valid contract — a written contract governing the processing, including security safeguards.
3. Reasonable security safeguards — technical and organizational measures appropriate to the data.
4. Breach notification — the vendor must notify the Fiduciary of any personal data breach.
5. Data Principal rights support — the vendor must cooperate with access, correction, erasure, and grievance requests that the Fiduciary receives.
6. Data retention & deletion — the vendor must delete or return data when the purpose is fulfilled.
7. No onward transfer to sub-processors without contractual permission and flow-down terms.
8. Cross-border transfer — subject to Government of India restrictions; document the destination country.
Contracting essentials
Every vendor processing personal data must have a Data Processing Agreement (DPA) — or an equivalent data-protection schedule in the master agreement — covering:
1. Defined personal data categories, volumes, and processing purposes.
2. Security measures (encryption, access control, logging, retention).
3. Breach notification SLA (aim for ≤72 hours from the vendor to the Fiduciary; the vendor's timeline must leave you able to meet your own 72-hour external reporting obligation).
4. Rights of audit and evidence review.
5. Sub-processor disclosure and consent.
6. Data-return/destruction obligations and certification at exit.
7. Cooperation with Data Principal rights requests.
8. Indemnity for processor breach of obligations.
Operational steps to enforce at scale
1. Inventory: list every vendor that processes personal data of Indian residents, and mark the significant processors.
2. DPA coverage: verify 100% of inventory has an executed DPA.
3. Data flow map: document what data, why, where, for how long, and to whom.
4. Questionnaire module: add a DPDP-specific module to your vendor assessment.
5. Continuous evidence: keep security certifications current and linked to the vendor record.
6. Incident runbook: define joint roles for a DPDP-reportable breach.
7. Rights fulfillment: define SLAs with vendors for access/correction/erasure requests.
8. Board reporting: surface DPDP coverage, exceptions, and incidents quarterly.
Penalties — why this matters to the CFO
The Act carries penalties up to INR 250 crore per instance for failure to take reasonable security safeguards, with other breaches attracting material fines. These are civil penalties imposed by the Data Protection Board and are in addition to sectoral regulator actions (e.g., RBI for BFSI).
How a TPRM platform helps
A modern TPRM platform operationalizes DPDP: it enforces a DPA-on-file check before any go-live, attaches DPDP-specific questionnaires by vendor tier, tracks sub-processors per vendor, maps security controls to DPDP safeguards, and produces reports ready for the Data Protection Board of India on demand. ShieldRisk AI ships with a DPDP module, a CERT-In empanelled heritage, and BFSI-tuned templates.
Frequently Asked Questions
Does DPDP apply to my vendor if they process data outside India?
Is a SOC 2 enough to demonstrate 'reasonable security safeguards'?
Do I need a separate DPA for each vendor?
Who notifies the Data Protection Board of a breach?
How do SDF obligations differ?
Ready to modernize your vendor risk program?
ShieldRisk AI’s DPDP module ships preloaded with a processor questionnaire, DPA template language, and a data-flow map — all CERT-In-ready. Book a demo, and we’ll pilot against 10 of your vendors.

