What is Mandatory Before Onboarding a Data Processor Under DPDP Act
In the digital economy, data is often called the “new oil.” But unlike oil, personal data is deeply tied to individual rights, privacy, and trust. With the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act), India has taken a major step toward regulating how personal data is handled, processed, and protected.
One of the most critical aspects of this law is how organizations (known as Data Fiduciaries) engage third parties (known as Data Processors) to process personal data on their behalf. If your organization uses vendors for cloud services, payroll, analytics, marketing, or IT support—you are already dealing with data processors.
But here’s the reality:
You can outsource processing—but you cannot outsource responsibility.
Understanding the Roles: Data Fiduciary vs Data Processor
Before getting into the compliance requirements, let's clarify the roles:
| Role | Definition | Example |
| --- | --- | --- |
| Data Fiduciary | Determines the purpose and means of processing | Your company |
| Data Processor | Processes data on behalf of the fiduciary | Cloud provider, payroll vendor |
The fiduciary is the “decision-maker,” while the processor is the “executor.”
Why Is Pre-Onboarding Compliance Critical?
The DPDP Act introduces strict accountability principles:
- The fiduciary is legally responsible for data protection
- Any breach by a processor is treated as your failure
- Regulatory penalties can be substantial
Consequences of Ignoring Mandatory Steps
| Risk Type | Impact |
| --- | --- |
| Legal | Penalties, enforcement action |
| Financial | Heavy fines, compensation claims |
| Reputational | Loss of customer trust |
| Operational | Service disruption |
Mandatory Requirement #1: Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is the foundation of compliance. Without it, onboarding a processor is essentially unlawful under the DPDP framework.
Key Elements of a Strong DPA
| Clause | Explanation |
| --- | --- |
| Purpose Limitation | Clearly defines why data is processed |
| Instruction-Based Processing | Processor acts only on written instructions |
| Confidentiality | Limits access to authorized personnel |
| Security Safeguards | Requires encryption, masking, access control |
| Breach Notification | Mandatory reporting within 72 hours |
| Audit Rights | Allows the fiduciary to inspect the processor |
| Sub-processor Control | Requires approval before outsourcing |
| Data Retention & Deletion | Mandates deletion/return after use |
Why It Matters
A DPA:
- Protects your organization legally
- Defines accountability clearly
- Ensures enforceability in case of disputes
Mandatory Requirement #2: Comprehensive Due Diligence
Before trusting a vendor with personal data, you must verify their ability to protect it.
What Does Due Diligence Include?
- Legal Assessment
  - Compliance with applicable laws
  - History of regulatory violations
  - Data protection policies
- Technical Assessment
  - Encryption standards
  - Network security architecture
  - Data storage practices
- Operational Assessment
  - Employee training programs
  - Incident response plans
  - Internal governance
- Certification Review
  - ISO 27001
  - SOC 2
  - Other industry certifications
Due Diligence Checklist
| Category | Key Questions |
| --- | --- |
| Legal | Is the vendor compliant with data laws? |
| Security | Do they use encryption & MFA? |
| Infrastructure | Where is data stored? |
| Risk | Have they had breaches before? |
| Governance | Do they have a DPO or security team? |
This process is often called:
- Vendor Risk Assessment
- Third-Party Risk Management (TPRM)
Mandatory Requirement #3: Security Safeguards
The DPDP Act requires “reasonable security safeguards”—a flexible but critical standard.
Core Security Measures
- Encryption: Protects data from unauthorized access
- Access Control: Limits who can view or edit data
- Multi-Factor Authentication (MFA): Adds an extra layer of authentication
- Data Masking: Hides sensitive information from exposure
- Logging & Monitoring: Tracks suspicious activity and system events
Breach Notification Rule
One of the most important obligations:
The processor must notify the fiduciary within 72 hours of a breach.
Why This Matters:
- Enables quick response
- Reduces damage
- Ensures regulatory compliance
Mandatory Requirement #4: Sub-processor Governance
Data processors often rely on other vendors (sub-processors). This creates multi-layered risk.
- Prior Approval: Data Fiduciary must approve sub-processors before engagement
- Contractual Flow-down: Same data protection obligations must be imposed on sub-processors
- Monitoring: Continuous oversight of sub-processor activities is required
- Example: If a cloud provider uses another hosting provider, that sub-processor must also comply with DPDP standards
Mandatory Requirement #5: Purpose Limitation & Data Retention
The DPDP Act emphasizes data minimization and purpose limitation.
Key Principles
- Data must be used only for a specific purpose
- No indefinite storage allowed
- Data must be deleted after use
Retention Framework Example
| Data Type | Purpose | Retention Period |
| --- | --- | --- |
| Customer Data | Service delivery | Contract duration |
| Employee Data | Payroll | As per law |
| Marketing Data | Campaigns | Until consent withdrawn |
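The retention table above is a policy; what a processor actually needs is a routine that applies it to stored records and flags anything kept past its period or with no end date at all. The following is an added example, not code from the article or from any DPDP guidance: it encodes the three retention rules from the table (contract duration, a statutory period, consent withdrawal) and reports records due for deletion and records with indefinite retention. The seven-year statutory period, the record layout and every sample record are constructed assumptions for illustration.

```python
"""Retention enforcement for records held by a data processor.

Added example, not the article's own tooling. It applies the article's
three retention rules: customer data for the contract duration, employee
data for a statutory period, marketing data until consent is withdrawn.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# ASSUMPTION: placeholder statutory period; the applicable law sets the real value.
STATUTORY_RETENTION_DAYS = {"employee": 7 * 365}


@dataclass
class Record:
    record_id: str
    data_type: str                               # "customer" | "employee" | "marketing"
    collected_on: date
    contract_end: Optional[date] = None          # customer records only
    consent_withdrawn_on: Optional[date] = None  # marketing records only


def retention_end(rec: Record) -> Optional[date]:
    """Date after which the record must be deleted, or None while the
    retention period is still open (contract running, consent active)."""
    if rec.data_type == "customer":
        return rec.contract_end
    if rec.data_type == "employee":
        return rec.collected_on + timedelta(days=STATUTORY_RETENTION_DAYS["employee"])
    if rec.data_type == "marketing":
        return rec.consent_withdrawn_on
    raise ValueError(f"no retention policy for data type {rec.data_type!r}")


def records_due_for_deletion(records: List[Record], today: date,
                             grace_days: int = 0) -> List[str]:
    """Ids of records whose retention period ended before `today`
    (optionally allowing a grace window for the deletion job)."""
    due = []
    for rec in records:
        end = retention_end(rec)
        if end is not None and end + timedelta(days=grace_days) < today:
            due.append(rec.record_id)
    return due


def records_with_indefinite_retention(records: List[Record]) -> List[str]:
    """Customer records with no contract end date have no retention anchor,
    which amounts to the indefinite storage the article says is not allowed."""
    return [r.record_id for r in records
            if r.data_type == "customer" and r.contract_end is None]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("c-1", "customer", date(2022, 1, 10), contract_end=date(2024, 12, 31)),
    Record("c-2", "customer", date(2024, 6, 1), contract_end=date(2026, 6, 1)),
    Record("c-3", "customer", date(2021, 3, 3)),                      # no contract end
    Record("e-1", "employee", date(2015, 4, 1)),
    Record("e-2", "employee", date(2023, 4, 1)),
    Record("m-1", "marketing", date(2023, 9, 9), consent_withdrawn_on=date(2025, 2, 1)),
    Record("m-2", "marketing", date(2023, 9, 9)),                     # consent still active
]
AS_OF = date(2025, 6, 1)  # constructed evaluation date


def run_demo() -> dict:
    """Evaluate the sample records as of AS_OF; returns both findings."""
    return {
        "due_for_deletion": records_due_for_deletion(SAMPLE_RECORDS, AS_OF),
        "indefinite_retention": records_with_indefinite_retention(SAMPLE_RECORDS),
    }


if __name__ == "__main__":
    for finding, ids in run_demo().items():
        print(f"{finding}: {ids}")
```

Run as a scheduled job, the `due_for_deletion` list feeds the deletion/return step the DPA requires, while `indefinite_retention` is an audit finding to raise with the record owner rather than something to delete automatically.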
Ongoing Compliance: Not a One-Time Task
Onboarding is just the beginning. Compliance must be continuous.
- Periodic audits
- Vendor reassessments
- Security updates
- Incident monitoring
Practical Compliance Workflow
| Step | Action |
| --- | --- |
| Step 1 | Identify data processing needs |
| Step 2 | Conduct vendor due diligence |
| Step 3 | Evaluate security posture |
| Step 4 | Draft and sign DPA |
| Step 5 | Approve sub-processors |
| Step 6 | Monitor continuously |
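The due-diligence checklist and the six-step workflow above become enforceable once they are turned into gates that an onboarding record must pass. The following is an added example, not the article's own tooling: it checks a vendor profile against the workflow steps, requires the eight DPA clauses listed earlier, blocks any sub-processor not on the approved list, and sets the review interval for step 6. The clause identifiers, control weights, pass threshold, review intervals and both vendor profiles are constructed assumptions, not values from the DPDP Act or the article.

```python
"""Onboarding gate for a data processor.

Added example, not from the article. Each workflow step becomes a check;
blockers stop onboarding, warnings go to the vendor risk register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The eight clauses from the article's DPA table (identifiers are assumed).
REQUIRED_DPA_CLAUSES = {
    "purpose_limitation", "instruction_based_processing", "confidentiality",
    "security_safeguards", "breach_notification_72h", "audit_rights",
    "sub_processor_control", "retention_and_deletion",
}
# Step 3 scoring: ASSUMPTION, illustrative weights and threshold.
SECURITY_WEIGHTS = {"encryption_at_rest": 25, "encryption_in_transit": 25,
                    "mfa": 20, "logging_monitoring": 15, "data_masking": 15}
PASS_SCORE = 70


@dataclass
class VendorProfile:
    name: str
    processing_purpose: str            # step 1
    breach_history_disclosed: bool     # step 2
    certifications: Set[str]           # step 2
    controls: Set[str]                 # step 3
    dpa_signed: bool                   # step 4
    dpa_clauses: Set[str]              # step 4
    sub_processors: List[str]          # step 5
    approved_sub_processors: Set[str] = field(default_factory=set)


def security_score(profile: VendorProfile) -> int:
    """Weighted sum of the controls the vendor has evidenced."""
    return sum(w for c, w in SECURITY_WEIGHTS.items() if c in profile.controls)


def evaluate_onboarding(profile: VendorProfile) -> Dict[str, List[str]]:
    """Run steps 1-5 in order; return blockers and warnings."""
    blockers, warnings = [], []
    if not profile.processing_purpose.strip():
        blockers.append("step1: no documented processing purpose")
    if not profile.breach_history_disclosed:
        blockers.append("step2: due diligence incomplete (breach history not disclosed)")
    if not profile.certifications & {"ISO 27001", "SOC 2"}:
        warnings.append("step2: no ISO 27001 or SOC 2 certification on file")
    score = security_score(profile)
    if score < PASS_SCORE:
        blockers.append(f"step3: security score {score} below {PASS_SCORE}")
    if not profile.dpa_signed:
        blockers.append("step4: DPA not signed")
    missing = REQUIRED_DPA_CLAUSES - profile.dpa_clauses
    if missing:
        blockers.append("step4: DPA missing clauses: " + ", ".join(sorted(missing)))
    unapproved = [s for s in profile.sub_processors
                  if s not in profile.approved_sub_processors]
    if unapproved:
        blockers.append("step5: unapproved sub-processors: " + ", ".join(unapproved))
    return {"blockers": blockers, "warnings": warnings}


def can_onboard(profile: VendorProfile) -> bool:
    return not evaluate_onboarding(profile)["blockers"]


def review_interval_days(profile: VendorProfile) -> int:
    """Step 6: ASSUMPTION that weaker posture or open warnings mean a
    six-month review instead of the annual baseline."""
    weak = security_score(profile) < 90 or evaluate_onboarding(profile)["warnings"]
    return 180 if weak else 365


# Constructed vendor profiles (not real vendors).
GOOD_VENDOR = VendorProfile(
    "crm-vendor-a", "customer relationship management", True, {"ISO 27001"},
    set(SECURITY_WEIGHTS), True, set(REQUIRED_DPA_CLAUSES),
    ["hostco"], {"hostco"})
BAD_VENDOR = VendorProfile(
    "analytics-vendor-b", "usage analytics", True, set(),
    {"encryption_in_transit", "mfa"}, True,
    REQUIRED_DPA_CLAUSES - {"breach_notification_72h", "audit_rights"},
    ["hostco", "adnet"], {"hostco"})

if __name__ == "__main__":
    for v in (GOOD_VENDOR, BAD_VENDOR):
        print(v.name, "->", "approve" if can_onboard(v) else "block",
              evaluate_onboarding(v), f"review every {review_interval_days(v)} days")
```

The point of separating blockers from warnings is that a missing clause or an unapproved sub-processor is a contractual gap the fiduciary cannot accept, whereas a missing certification is a risk signal that belongs in the vendor risk register and shortens the review cycle.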
Advanced Best Practices
Build a Vendor Risk Framework
Maintain a centralized system tracking:
- Vendor risk scores
- Compliance status
- Audit results
Use Standardized Contracts
Pre-approved DPA templates reduce legal risks.
Automate Monitoring
Use tools for:
- Real-time alerts
- Compliance tracking
- Risk scoring
Train Internal Teams
Ensure employees understand:
- Vendor risks
- Data protection obligations
Real-World Scenario
Imagine onboarding a SaaS CRM platform:
| Without Compliance | With Compliance |
| --- | --- |
| No DPA | Strong contractual safeguards |
| Unknown security | Verified controls |
| No breach clause | 72-hour reporting |
| Uncontrolled sub-processors | Approved chain |
The difference is risk vs resilience.
Frequently Asked Questions
Q1. Is a DPA legally required under the DPDP Act?
A1. Yes, a Data Processing Agreement is mandatory to define and formalize processor obligations.
Q2. Can liability be transferred to the processor?
A2. No, the Data Fiduciary always retains primary responsibility under the law.
Q3. What qualifies as “reasonable security safeguards”?
A3. It includes industry-standard technical and organizational measures like encryption and access controls.
Q4. Is breach reporting strictly 72 hours?
A4. Yes, processors must report data breaches within 72 hours as a key compliance requirement.
Q5. Are sub-processors allowed?
A5. Yes, but only with prior approval and strict contractual and compliance controls.
Q6. How detailed should due diligence be?
A6. It must thoroughly cover legal, technical, and operational capabilities of the vendor.
Q7. What if a vendor refuses a DPA?
A7. You should not onboard them, as it creates serious compliance risks.
Q8. Is data retention mandatory to define?
A8. Yes, retention periods must be clearly defined—indefinite storage is not allowed.
Q9. Do start-ups need to comply?
A9. Yes, the law applies to all organizations regardless of size.
Q10. How often should compliance be reviewed?
A10. At least annually, or more frequently based on risk level.