The hidden accountability: Why data processors must take DPDPA seriously


While the Digital Personal Data Protection Act, 2023 (DPDPA) places primary liability on Data Fiduciaries rather than Data Processors, a casual observer might conclude that processors operate in a low-risk environment with minimal compliance obligations.

This interpretation would be profoundly mistaken. While processors may not face direct regulatory penalties under the DPDPA, they operate within an ecosystem of contractual liability, reputational risk, and business consequences that makes compliance equally—if not more—critical to their commercial survival. Under the DPDPA, a ‘Data Processor’ is fundamentally distinguished from a Data Fiduciary by one critical characteristic: ‘decision-making authority over personal data’.

A processor processes personal data ‘on behalf of’ the fiduciary, following the fiduciary's instructions. This distinction matters because liability and accountability flow from decision-making authority. The entity that determines ‘why’ and ‘how’ personal data is processed bears primary responsibility for ensuring that processing complies with legal requirements.

Fiduciaries make those decisions; processors implement them.

The DPDPA explicitly places compliance responsibility on fiduciaries. A fiduciary is responsible for complying with the DPDPA in respect of any processing undertaken by it or on its behalf by a processor. This provision is unambiguous—the fiduciary cannot contract out of its legal obligations. Even if a processor causes a breach, the fiduciary remains accountable to the Data Protection Board of India (DPB) and to affected Data Principals.

The absence of direct regulatory liability under the DPDPA does not mean processors operate without consequence. In fact, processors face three powerful sources of accountability that can be commercially devastating: contractual indemnification, transformation into fiduciaries through unauthorized processing, and market exclusion through failed vendor due diligence.

The DPDPA requires fiduciaries to engage processors ‘under a valid contract’.

In practice, this means Data Processing Agreements that allocate responsibility and liability between the parties. A well-drafted Data Processing Agreement will include ‘indemnification clauses’ requiring the processor to compensate the fiduciary for losses arising from the processor's breach of its obligations. If a processor suffers a data breach due to inadequate security measures, the fiduciary may be fined by the DPB with penalties of up to ₹250 crore for significant breaches.

The fiduciary will then pursue the processor for indemnification, seeking to recover the full amount of the regulatory penalty, remediation expenses, and reputational damages. Fiduciaries will also impose comprehensive security obligations on processors and enforce their obligations under the DPDPA through contractual remedies. A processor that fails to encrypt data, fails to implement access controls, or fails to detect unauthorized access in violation of its contractual commitments faces not just reputational harm but potentially existential financial liability through indemnification claims.

The second accountability mechanism is even more consequential: a processor that exceeds its mandate and processes personal data for purposes beyond those authorized by the fiduciary transforms itself into a fiduciary for that unauthorized processing. The practical consequence is that unauthorized processing exposes the processor to direct regulatory liability as a fiduciary for that processing, as well as civil liability for breaching the agreement with the fiduciary.

The distinction between processor and fiduciary is functional, not formal, and is determined by actual conduct rather than contractual labels.

The third accountability mechanism is market-driven rather than legal: fiduciaries facing regulatory scrutiny and potential penalties will implement rigorous vendor due diligence processes to assess processors before engagement. A processor with weak security practices, inadequate incident response capabilities, or a poor compliance track record will simply be excluded from consideration by sophisticated fiduciaries.

This creates a competitive dynamic where compliance becomes a market differentiator and non-compliance becomes a disqualification.

Beyond avoiding liability, robust compliance creates commercial advantages. Processors that can demonstrate superior data protection capabilities command premium pricing because they reduce risk for fiduciaries. Compliance certifications and audit reports become marketing collateral that differentiates processors in competitive bidding.

Processors with strong compliance track records gain access to enterprise clients and regulated industries (financial services, healthcare, education) that smaller, non-compliant processors cannot serve.

Conversely, processors that suffer breaches or fail assessments face reputational damage that extends far beyond individual client relationships. In an interconnected market where vendor due diligence is standard practice, a single significant breach can trigger contract terminations across a processor's entire client base as nervous fiduciaries seek to distance themselves from risky vendors.

The cost of non-compliance is not merely the indemnification liability from one breach—it is the potential collapse of the entire business.

The absence of direct regulatory liability under the DPDPA is an illusion—processors face indemnification claims that can exceed regulatory fines, transformation into fiduciaries through unauthorized processing that exposes them to direct liability, and market exclusion through failed vendor due diligence that eliminates business opportunities. Processors that invest in robust security measures, comprehensive compliance programs, and third-party certifications will thrive in this environment.

Written by: Akshayy S. Nanda, Partner at Saraf & Partners
