Subscribe to the Non-Human & AI Identity Journal

Who is accountable when DPDP obligations fail?

The data fiduciary remains accountable for lawful processing, security, breach handling, and rights fulfilment, even when processors or platforms perform parts of the work. That means governance must include contracts, access controls, and evidence trails. Delegation does not remove responsibility under the statute.

Why This Matters for Security Teams

When DPDP obligations fail, the immediate question is usually not technical, it is governance: who owned the decision, who approved the processing, and who can prove the control operated as intended. For security teams, that matters because privacy obligations often intersect with identity, access, logging, retention, and third-party oversight. The data fiduciary cannot shift accountability simply by outsourcing hosting, analytics, or support functions. Current guidance suggests the fiduciary must still ensure that processors are bound, monitored, and auditable, with security controls aligned to the risk.

This is where many organisations misread responsibility. A processor may execute a task, but the fiduciary remains answerable for the legal basis, protective measures, and response readiness. That means access governance, evidence collection, and incident escalation need to be designed before an issue occurs, not after. Controls from NIST SP 800-53 Rev 5 Security and Privacy Controls are useful here because they translate accountability into concrete control ownership, monitoring, and recordkeeping. In practice, many security teams encounter DPDP accountability failures only after a vendor incident, rather than through intentional governance design.

How It Works in Practice

Accountability under DPDP should be treated as an operating model, not a contractual slogan. The data fiduciary needs documented ownership for each processing activity, a mapped list of processors and sub-processors, and evidence that controls are active across the lifecycle of personal data. That includes collection notices, consent handling where relevant, retention limits, access restriction, breach triage, and deletion workflows. The processor can support these obligations, but the fiduciary must be able to demonstrate that oversight exists and that security measures are proportionate.

A practical implementation usually includes:

  • clear internal ownership for privacy, security, legal, and vendor risk decisions;
  • processor contracts that define purpose limits, security requirements, incident notification, and audit rights;
  • access reviews for people, service accounts, and integrated tools that touch personal data;
  • logging and retention rules that preserve evidence without collecting unnecessary data;
  • testing for breach response, rights requests, and deletion handling across shared systems.

For control design, it is helpful to align the accountability model with ISO/IEC 27001 Information Security Management and CISA Zero Trust Maturity Model, because both reinforce the need for named ownership, least privilege, and verification rather than implicit trust. If identity governance is weak, the same issue often appears in service accounts, API keys, and automated workflows, which are easy to overlook until data exposure or failed deletion requests expose the gap. These controls tend to break down when data processing is fragmented across multiple cloud services and business teams because no single owner can see the full data flow.

Common Variations and Edge Cases

Tighter accountability often increases operational overhead, requiring organisations to balance faster delivery against stronger evidence and oversight. That tradeoff becomes visible in multi-vendor environments, where legal responsibility is centralised but execution is distributed across SaaS platforms, managed service providers, and internal engineering teams.

There is no universal standard for every edge case, but current guidance suggests the fiduciary should still maintain decision rights and assurance even when a processor performs most operational steps. The situation becomes more complex with joint processing arrangements, cross-border transfers, or workflows that combine personal data with automation and AI services. In those cases, the organisation should document who makes the processing decision, who can change the control, and who receives breach signals. If an AI or agentic workflow handles personal data, the accountability question extends to model inputs, tool permissions, and output handling as well.

Practical exceptions often appear in federated operating models, where regional teams handle local compliance tasks but corporate security owns the platform. In that setup, the key is not to assign blame after failure, but to predefine responsibility for monitoring, escalation, and remediation. A useful benchmark is whether a senior owner can answer three questions quickly: what data is processed, who can access it, and how evidence will be produced if regulators ask.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the technical controls, while EU AI Act define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Governance oversight fits fiduciary accountability for outsourced processing.
NIST SP 800-63 Identity assurance matters where rights requests and access decisions rely on verified identity.
NIST Zero Trust (SP 800-207) Policy enforcement Zero Trust principles support continuous verification across fiduciary and processor access.
NIST AI RMF GOVERN AI workflows processing personal data require accountable governance and oversight.
EU AI Act If AI processes personal data, accountability must extend to system governance and documentation.

Ensure identity proofing and authentication support lawful access to personal-data workflows.