DPDP Act Data Integrity: Obligations for Data Fiduciaries
Introduction: the DPDP Act and why integrity matters
India's Digital Personal Data Protection Act 2023 (the DPDP Act) sets the ground rules for how personal data is collected, used and protected in India. Much of the conversation around it focuses on consent and purpose, but a quieter theme runs through the whole framework: data integrity — the expectation that personal data stays accurate, complete and unaltered while it is in your care. For a Data Fiduciary, "DPDP Act data integrity" is not an abstract idea; it is a practical question of whether you can show that a record has not silently changed, been corrupted, or been tampered with. This article explains the integrity-relevant obligations in plain terms and shows how a Data Fiduciary can evidence integrity safeguards using e-Dex (formerly Hash Calculator). It is general information, not legal advice.
Key obligations relevant to integrity
The DPDP Act frames several duties that bear directly on integrity, expressed here in plain terms rather than as a clause-by-clause legal reading:
Accuracy and completeness. The Act expects a Data Fiduciary to make reasonable efforts to ensure that personal data is accurate and complete, especially where that data is used to make decisions about an individual or is shared onward. Accuracy is hard to defend if you cannot demonstrate that a record is the same record you originally captured.
Reasonable security safeguards. A Data Fiduciary is expected to protect personal data with appropriate technical and organisational measures to prevent loss, unauthorised access and — importantly — unauthorised alteration. Integrity controls such as hashing and tamper-evidence are a natural part of that safeguard story.
Personal data breach handling. The Act treats unauthorised processing, accidental disclosure, alteration or loss of personal data as the kind of event you must handle responsibly. Being able to show which records changed, and when, makes breach assessment and notification far more credible.
These are principles, not the full text of the law. The exact wording, thresholds and rules under the DPDP Act and its subordinate rules should always be read as they currently stand, and applied with professional advice where the stakes warrant it.
How a Data Fiduciary can evidence integrity safeguards
Having a safeguard is one thing; being able to prove it worked is another. A simple, defensible pattern for evidencing integrity has three parts. First, capture a baseline: compute a cryptographic hash of each important file or dataset when it is created or received, so you have a fixed reference fingerprint. Second, re-hash periodically — on a schedule, at handover, or after any sensitive processing — and compare against the baseline; an identical hash means nothing changed, while a different hash flags exactly which file or dataset did. Third, keep signed integrity certificates and an audit trail of those checks, so the evidence is contemporaneous and verifiable rather than reconstructed after the fact. Recording several algorithms and an explicit MATCH / MISMATCH verdict over time turns "we take integrity seriously" into something you can actually show a regulator or auditor. For a deeper look at the certificate itself, see our guide to the compliance verification certificate.
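An added example (not e-Dex's code or its certificate format) of the baseline, re-hash and compare pattern described above, using Python's standard hashlib. Assumptions: the JSON-lines audit format, the hash chaining between audit entries, the MISSING verdict and all function names are illustrative; BLAKE3 is left out because it is not in the standard library, and signing and timestamping are not shown.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("sha256", "sha512")  # stdlib only; BLAKE3 needs a third-party package
GENESIS = "0" * 64                 # assumed 'prev' value for the first audit entry

def hash_file(path, chunk_size=1 << 20):
    """Stream the file once through every algorithm; return {name: hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(baseline):
    """Re-hash every baselined path. MISSING is an added verdict for deleted files."""
    return {p: "MISSING" if not Path(p).is_file()
            else "MATCH" if hash_file(p) == expected else "MISMATCH"
            for p, expected in baseline.items()}

def append_audit(log_path, verdicts):
    """Append one JSON line per check, chained to the SHA-256 of the previous line."""
    lines = Path(log_path).read_bytes().splitlines() if Path(log_path).exists() else []
    prev = hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS
    entry = {"time": datetime.now(timezone.utc).isoformat(), "prev": prev, "verdicts": verdicts}
    with open(log_path, "ab") as fh:
        fh.write(json.dumps(entry, sort_keys=True).encode() + b"\n")

def audit_chain_intact(log_path):  # an edited or removed earlier line breaks 'prev'
    prev = GENESIS
    for line in Path(log_path).read_bytes().splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True

def demo():  # constructed sample record: baseline, check, alter, check again
    with tempfile.TemporaryDirectory() as d:
        rec, log = Path(d, "record.csv"), Path(d, "audit.jsonl")
        rec.write_text("id,name\n1,Sample Person\n")
        baseline = {str(rec): hash_file(rec)}
        before = verify(baseline)
        rec.write_text("id,name\n1,Altered Person\n")  # simulated alteration
        after = verify(baseline)
        append_audit(log, before)
        append_audit(log, after)
        return before[str(rec)], after[str(rec)], audit_chain_intact(log)
```

The chain exposes edits to earlier audit entries, but not truncation or a wholesale rewrite of the log; closing that gap takes a signature or trusted timestamp over the log, which this example does not implement.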
A lightweight, offline approach — built in India
Evidencing integrity should not mean shipping personal data to a third-party cloud just to prove it has not changed — that would sit awkwardly against the spirit of data minimisation. e-Dex, built in Pune, India by Innovativa SoftTech, runs fully offline on your own Windows machine. Hashing files, comparing them against recorded values and generating integrity certificates all happen locally, so personal data never leaves your environment. e-Dex computes multiple algorithms per file — including SHA-256, SHA-512 and BLAKE3 — and produces a readable certificate with an overall verification result. Where you need stronger assurance, you can apply a digital signature with a Digital Signature Certificate on a USB token and attach an RFC 3161 trusted timestamp, so the certificate is bound to a signer and sealed to a point in time. It is a small, focused control that slots neatly into a wider data-protection programme without adding cloud exposure.
Important: evidence of integrity is not a compliance certification
To be clear about scope: e-Dex supports evidence of integrity; it does not certify DPDP compliance. Demonstrating that a file or dataset is unaltered is one technical control. Full compliance under the DPDP Act depends on your whole programme — lawful basis and consent, purpose limitation, retention, security organisation, breach response, grievance handling and governance — most of which sit well beyond any single tool. Treat the integrity certificate as the part of the picture it genuinely covers: trustworthy proof that a record has not changed. For the broader operational checklist, our file integrity compliance page lays out how integrity controls fit into day-to-day practice.
A note on legal advice
This article is general information, not legal advice. It summarises integrity-relevant themes in the Digital Personal Data Protection Act 2023 in plain terms and does not make clause-by-clause legal claims. How the Act and its rules apply to your organisation depends on your specific facts and on the current text of the law as notified. Always read the provisions as they stand and take professional advice where the stakes warrant it. e-Dex is a tool that helps you produce integrity evidence; it is not a substitute for counsel or for a compliance assessment.
Frequently Asked Questions
What does the DPDP Act 2023 say about data integrity?
India's Digital Personal Data Protection Act 2023 expects a Data Fiduciary to keep personal data accurate
and complete, to apply reasonable security safeguards, and to handle personal data breaches responsibly.
Integrity sits across all three ideas: data should not silently change, be corrupted, or be tampered with.
The Act states obligations in principle; the precise wording and rules should always be read as they
currently stand. This article is general information, not legal advice.
Who is a Data Fiduciary under the DPDP Act?
Under the Digital Personal Data Protection Act 2023, a Data Fiduciary is broadly any person or organisation
that alone or with others determines the purpose and means of processing personal data. In practical terms
most Indian businesses, government bodies and platforms that decide why and how personal data is handled
fall into this role, and they carry obligations around accuracy, security and breach handling.
How can a Data Fiduciary evidence data integrity safeguards?
A practical approach is to record a cryptographic baseline of important files or datasets, re-hash them
periodically, and keep signed integrity certificates plus an audit trail of the results. Recording
multi-algorithm hashes and a MATCH or MISMATCH verdict over time gives you contemporaneous, verifiable
proof that a record has not silently changed. e-Dex produces such certificates offline on your own Windows
machine.
Does e-Dex make my organisation DPDP compliant?
No. e-Dex supports evidence of integrity — it helps you demonstrate that a file or dataset is unaltered
through hashes, signed certificates and an audit trail. It does not certify or guarantee DPDP compliance,
which depends on your full programme of consent, purpose limitation, security, breach response and
governance. Treat e-Dex as one technical control that contributes to the integrity part of the picture.
Does evidencing data integrity require sending data to the cloud?
No. e-Dex runs fully offline on your own Windows machine, so hashing files, comparing them against recorded
values and generating integrity certificates all happen locally and your personal data never leaves your
environment. This data-minimising, offline approach is well suited to organisations that want to evidence
integrity without exposing personal data to third parties.
Conclusion
Data integrity runs quietly through the DPDP Act 2023 — in the duty to keep personal data accurate and complete, in reasonable security safeguards against unauthorised alteration, and in credible breach handling. A Data Fiduciary that can baseline, re-hash and issue signed integrity certificates has turned a principle into something demonstrable. e-Dex gives you that capability offline, in minutes, with personal data never leaving your machine — supporting evidence of integrity as one focused control within your wider programme. See how integrity controls fit your practice on our file integrity compliance page, or download e-Dex free and start evidencing integrity today.