DPDP Section 8 Decoded: The Eight Obligations Every Indian Data Fiduciary Must Meet

Manish Garg · Associate of (ISC)² · RingSafe
May 7, 2026
9 min read

Last updated: May 18, 2026

Section 8 of the Digital Personal Data Protection Act 2023 is the operative clause every Indian Data Fiduciary has to comply with: it bundles together the security, accuracy, retention, and breach-response obligations that decide whether a regulator finds you in violation. RingSafe breaks down the eight sub-sections of §8, what each one actually requires in production, the compliance evidence regulators expect, and how the ₹250 crore §33 penalty structure ties back to §8 failures.

Last updated: 7 May 2026 · Reading time: ~18 minutes · Audience: CISOs, DPOs, compliance leads, security architects.

Why Section 8 matters more than the rest of DPDP

If you read the Digital Personal Data Protection Act 2023 cover-to-cover, you’ll find 44 sections plus schedules. Section 8 — titled “General obligations of Data Fiduciary” — is the one that gets cited in 80% of regulatory action because it bundles the core operational duties: maintain accuracy, secure the data, respond to breaches, retain only what’s needed, and answer to data principals. Every other section in the Act either feeds into §8 or follows from it.

This guide walks through each sub-section of §8, what compliance looks like in practice, what evidence the Data Protection Board (DPB) will ask for during audit, and how the ₹250 crore §33 penalty maximum gets calculated when a §8 failure goes wrong.

Section 8(1) — Accuracy and completeness

The full text: “A Data Fiduciary shall, where the personal data processed by it is likely to be (a) used to make a decision that affects the Data Principal, or (b) disclosed to another Data Fiduciary, ensure its completeness, accuracy and consistency.”

What this means in practice: if your CRM, KYC system, claims-processing engine, or any other system is making automated decisions that affect a customer (loan approval, insurance underwriting, credit scoring, fraud flagging) — or sharing data with another business — you must be able to demonstrate the data is current and correct. Stale data is a §8(1) violation.

What auditors check

  • Data refresh policies — how often is each high-risk data set re-validated? KYC: annually. Address: at every transaction. PAN: lifetime but re-verified at material change.
  • Source-of-truth maps — for any data point, which system holds the authoritative version, and how do downstream systems sync?
  • Correction workflows — when a Data Principal requests correction (their right under §12), how fast does it propagate to all systems holding the data?
  • Data quality metrics — null rates, format-compliance rates, cross-system consistency rates. Not optional for SDFs.

Section 8(2) — Reasonable security safeguards

The most consequential sub-section. Quote: “A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act.”

The Act deliberately does not prescribe specific technical controls — that gets defined by the upcoming DPDP Rules. But the IT Act §43A and SPDI Rules 2011 provide the foundation: encryption, access control, secure development, incident management. Combined with sectoral overlays (RBI, SEBI, IRDAI, NHA), the practical baseline for 2026 is:

Technical controls

  • Encryption at rest: AES-256 for databases, object storage, backups. HSM-backed keys for material data sets.
  • Encryption in transit: TLS 1.2+ everywhere; mTLS for system-to-system; SSL Labs A+ rating for public endpoints.
  • Access control: RBAC with least privilege; MFA mandatory for privileged access; periodic access reviews.
  • Logging & monitoring: who accessed what, when, from where — immutable audit logs retained ≥180 days (CERT-In requires 180; DPDP audit may require longer).
  • Vulnerability management: patch SLA tied to CVSS — critical <7 days, high <30 days, KEV-listed <24 hours.
  • Network segmentation: production data segregated from dev/test; no flat networks.
  • Backup & recovery: encrypted, geographically separated, tested quarterly.
  • Secure development: code review, SCA, SAST/DAST in CI/CD, secrets management (Vault, AWS Secrets Manager).

Organisational controls

  • Information Security Policy approved by board — actually read and acknowledged by staff.
  • Role definitions — DPO, CISO, Data Stewards. Separation of duties for high-risk operations.
  • Training — annual security awareness for all staff, role-specific for engineering and clinical/finance teams.
  • Vendor / sub-processor management — contractual flow-down of obligations, periodic reviews.
  • Incident response plan tested quarterly via tabletop exercise.

Auditor reality check: the regulator will not ask “do you have these controls?” — they will ask “show me the evidence”. Encryption at rest? Show the KMS configuration. MFA mandatory? Show the IdP enforcement policy and a sample of denied logins. Quarterly tabletop? Show the last meeting notes and the gap-list closure. Build the evidence locker alongside the controls.

Section 8(3) — Accuracy of communications to Data Principal

Quote: “A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.”

This dovetails with §8(2) but applies specifically to consent notices, privacy notices, and Data Principal communications. Notices must be clear, available in the language of choice from the 22 scheduled languages, and accurate about what processing actually happens. A privacy notice that under-discloses your sub-processors is a §8(3) violation.

Section 8(4) — Mechanism for grievance redressal

Every Data Fiduciary must have a published grievance-redressal mechanism with a defined response timeline. The DPDP Rules (when notified) are expected to set the timeline at 30 days for general grievances, 7 days for breach-related, 72 hours for child-data complaints.

Practical setup

  • Dedicated email: privacy@yourcompany or dpo@yourcompany
  • Web form on the privacy policy page — captures: name, contact, complaint nature, supporting docs
  • Ticketing system that timestamps every step (received, acknowledged, investigated, resolved)
  • Escalation to the DPO if not resolved in time
  • Quarterly grievance metrics reported to the board / CEO

Section 8(5) — Erasure post-purpose-completion

Once the purpose for which personal data was collected is fulfilled, and there is no legal obligation to retain, the Data Fiduciary must erase the data — no need for the Data Principal to request it. This is one of the most operationally complex requirements because it means every system holding personal data needs:

  • A defined retention period per data category
  • An automated erasure / pseudonymisation routine
  • Coverage across primary stores AND backups AND derivatives (analytics warehouses, ML training data, search indexes, log data)
  • Evidence trail showing what was erased when

Sectoral retention requirements complicate this — RBI says 8 years for banking, IRDAI says 10 years for insurance, medical records typically 3-10 years, tax records 7 years. The §8(5) erasure clock starts after the longest applicable retention period elapses.
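To make the §8(5) clock concrete, here is an added example (not part of the original article or any RingSafe tooling) that computes the erasure-due date per data category from the purpose-completion date and the longest applicable sectoral retention period, lists every store that must be covered, and emits an evidence-trail line. The retention table, data-set records and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Sectoral retention floors quoted in the text, in years. Constructed lookup for
# illustration only; confirm against the actual regulation before relying on it.
RETENTION_YEARS = {"RBI": 8, "IRDAI": 10, "TAX": 7}

@dataclass
class DataSet:
    category: str
    purpose_completed: date   # when the collection purpose was fulfilled
    obligations: list         # legal retention obligations that still apply
    stores: list              # every copy: primary, backups, derivatives

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:        # 29 Feb landing in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def erasure_due(ds: DataSet) -> date:
    """§8(5) clock: with no legal obligation, erase at purpose completion;
    otherwise once the longest applicable retention period has elapsed."""
    if not ds.obligations:
        return ds.purpose_completed
    longest = max(RETENTION_YEARS[o] for o in ds.obligations)
    return add_years(ds.purpose_completed, longest)

def erasure_plan(ds: DataSet, today: date) -> dict:
    """Due date, overdue flag as of today, and the full store list
    (backups and derivatives included, not just the primary)."""
    due = erasure_due(ds)
    return {"category": ds.category, "due": due.isoformat(),
            "overdue": today > due, "stores": list(ds.stores)}

def evidence_line(ds: DataSet, store: str, erased_on: date, method: str) -> str:
    """Evidence-trail entry: what was erased, where, when and how."""
    return f"{erased_on.isoformat()} | {ds.category} | {store} | {method}"

def run_sample(today: date = date(2026, 5, 7)) -> dict:
    """Constructed sample data sets; returns one plan per category."""
    sets = [
        DataSet("loan_account", date(2016, 4, 1), ["RBI", "TAX"],
                ["postgres-primary", "s3-backup", "analytics-warehouse"]),
        DataSet("insurance_policy", date(2020, 1, 1), ["IRDAI"],
                ["policy-db", "tape-backup"]),
        DataSet("support_ticket", date(2025, 3, 1), [], ["helpdesk"]),
    ]
    return {ds.category: erasure_plan(ds, today) for ds in sets}

if __name__ == "__main__":
    for plan in run_sample().values():
        print(plan)
```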

Section 8(6) — Personal data breach notification

The breach-response clause. On detection of a personal data breach, the Data Fiduciary must notify both the Data Protection Board and each affected Data Principal. The DPDP Rules specify timing — current expectation is 72 hours to DPB and “without delay” to Data Principals.

What “without delay” means

Globally aligned with GDPR’s interpretation: as soon as practicable, weighted against ensuring the notification is accurate and useful. The DPB is unlikely to accept a delay justified by “we wanted to be sure” — provisional notification within hours, with updates as facts develop, is the safer pattern.

What the breach notification must contain

  • Description of the breach (what happened, when, how detected)
  • Categories and approximate number of Data Principals affected
  • Categories and approximate volume of personal data records affected
  • Likely consequences for Data Principals
  • Mitigation measures taken or proposed
  • Contact details of the DPO or equivalent

Parallel obligations to coordinate

  • CERT-In Direction April 2022: 6-hour notification of “significant” cyber incidents
  • RBI / SEBI / IRDAI sectoral: immediate notification of material incidents
  • NHA (for healthcare): per HDM Policy
  • SEC §6(1)(c) (US-listed entities): 4 business days for material incidents
  • GDPR (EU customers): 72 hours to supervisory authority

Build the runbook as a single playbook that triggers all applicable notifications in parallel — they are not sequential. Most teams discover too late that their incident-response plan only addressed one regulator.
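The parallel-notification runbook above, and the hour-1/6/24/72 walkthrough in “What to do this week”, can be reduced to a deadline schedule. This is an added example, not code from the article or from RingSafe: given the detection time and which regimes apply, it computes every deadline in parallel, the provisional-update checkpoints, and which deadlines have already slipped. The windows are the ones quoted in the text; the scenario and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Windows quoted in the text. Constructed lookup for illustration; sectoral
# "immediate" notices are modelled as a zero-hour window.
SEC_BUSINESS_DAYS = 4
CHECKPOINT_HOURS = (1, 6, 24, 72)   # provisional notice, then updates

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays. Weekends skipped; exchange holidays omitted."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def notification_schedule(detected, *, significant=False, eu_subjects=False,
                          us_listed=False, sectoral=()):
    """Every applicable deadline from detection time, sorted so the first
    entry is the one the incident lead must hit first."""
    due = [(detected + timedelta(hours=72), "DPB (DPDP §8(6))")]  # always
    if significant:
        due.append((detected + timedelta(hours=6), "CERT-In (Apr 2022 Direction)"))
    if eu_subjects:
        due.append((detected + timedelta(hours=72), "GDPR supervisory authority"))
    if us_listed:
        due.append((add_business_days(detected, SEC_BUSINESS_DAYS),
                    "SEC (US-listed, material incident)"))
    for regulator in sectoral:
        due.append((detected, f"{regulator} (immediate)"))
    return sorted(due)

def checkpoints(detected):
    """Touchpoints for the provisional notice and its updates."""
    return [(detected + timedelta(hours=h), f"update at hour {h}") for h in CHECKPOINT_HOURS]

def overdue(schedule, now):
    """Regulators whose deadline has passed as of `now`."""
    return [reg for deadline, reg in schedule if now > deadline]

def run_sample():
    """Constructed scenario: ransomware on the customer DB detected Thu 7 May
    2026 10:00 at an RBI-regulated, US-listed fiduciary with EU customers."""
    detected = datetime(2026, 5, 7, 10, 0)
    sched = notification_schedule(detected, significant=True, eu_subjects=True,
                                  us_listed=True, sectoral=("RBI",))
    return {"schedule": [(d.isoformat(), r) for d, r in sched],
            "checkpoints": [c for _, c in checkpoints(detected)],
            "overdue_at_hour_8": overdue(sched, detected + timedelta(hours=8))}

if __name__ == "__main__":
    for row in run_sample()["schedule"]:
        print(*row)
```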

Section 8(7) — Children’s data protection

Cross-references §9 — verifiable parental consent for under-18 users, prohibition on tracking and behavioural advertising targeted at children, restrictions on processing likely to cause harm. For most Indian platforms, the operational implication is age-gating at signup and a separate consent flow for minors. EdTech, gaming, and social media bear the highest design cost.

Section 8(8) — Data Protection Officer (for Significant Data Fiduciaries)

Read together with §10. SDFs must appoint a DPO based in India who reports to the Board / equivalent governance body. The DPO is the contact point for the DPB and Data Principals. Independence is structural — the DPO cannot also hold a role with conflicting interest (e.g., the CISO with KPIs tied to product delivery).

DPO responsibilities

  • Independent oversight of DPDP compliance programme
  • Conducting periodic Data Protection Impact Assessments (DPIAs)
  • Coordinating with the DPB during audits and investigations
  • Handling Data Principal complaints escalated from grievance-redressal
  • Internal training and awareness
  • Annual report to the Board

How §8 violations translate to ₹250 crore penalties

Section 33 read with the schedule sets the penalty matrix. Violations of §8 obligations attract:

Violation                                                        | Max penalty
Failure to take reasonable security safeguards (§8(2))           | ₹250 crore
Failure to notify DPB / Data Principal of breach (§8(6))         | ₹200 crore
Failure to fulfil obligations to children (§9 read with §8(7))   | ₹200 crore
Failure of Significant Data Fiduciary additional duties (§10)    | ₹150 crore
Failure of any other obligation under §8                         | ₹50 crore

The DPB applies these as maximum ceilings; the actual penalty is determined by weighing the factors in §33(2): nature, gravity, and duration of the violation; type and nature of the personal data affected; whether the violation was repeated; gain or loss as a consequence; mitigation measures taken; and whether the Data Fiduciary acted in good faith.

RingSafe perspective — practical compliance roadmap

Building DPDP §8 compliance is a 6-month programme for most mid-sized Indian businesses. The sequence we recommend:

  • Months 1-2: Discovery. Map every system holding personal data. Build the data inventory and processing register. Classify by sensitivity. This work is reusable across DPDP, ISO 27001, SOC 2.
  • Months 2-3: Gap assessment. Where do current security controls fall short of §8(2)? Where do retention practices conflict with §8(5)? Where is grievance redressal weak (§8(4))? Document, prioritise.
  • Months 3-4: Remediation. Close critical gaps first — encryption, MFA, audit logging, incident-response plan. These are the controls regulators ask about first.
  • Months 4-5: Process. Stand up DPO function (if SDF), grievance-redressal workflow, breach-response runbook, vendor-management programme.
  • Months 5-6: Evidence. Build the evidence locker. Run the first internal data audit. Train staff. Update privacy notice. Run a tabletop exercise on breach response.

What to do this week

  1. Read your privacy notice. When was it last updated? Does it accurately describe your sub-processors and cross-border transfers?
  2. List your retention periods. For every data category — customer master, transaction history, support tickets, marketing — what’s the retention rule and what triggers erasure?
  3. Test your breach response. Pick a scenario: ransomware on the customer DB. Walk through: who detects, who decides notification, what’s said to DPB at hour 1, hour 6, hour 24, hour 72. Do you have the contacts? Do you have the templates?
  4. Check MFA coverage. Which accounts CAN bypass MFA? If any privileged accounts can, that’s your starting point.
  5. Schedule a DPDP gap assessment. External, independent — not your internal team marking their own homework. RingSafe runs structured DPDP §8 assessments covering all eight sub-sections with auditor-defensible evidence output.
