Back to Blog
LegalFebruary 5, 2025

What is a Data Fiduciary Under DPDPA? Roles and Responsibilities

Understanding the concept of Data Fiduciary, Significant Data Fiduciary, and their obligations under India's Digital Personal Data Protection Act 2023.

The DPDPA 2023 introduces the concept of "Data Fiduciary" - a central figure responsible for determining the purpose and means of processing personal data. This guide explains what it means to be a Data Fiduciary, when you become a Significant Data Fiduciary, and what obligations you must fulfill.

Definition of Data Fiduciary

Under Section 2(i) of the DPDPA 2023, a Data Fiduciary is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.

In simpler terms, if your organization decides why and how personal data should be processed, you are a Data Fiduciary. This includes:

  • Companies: Businesses collecting customer, employee, or vendor data
  • Startups: Digital platforms processing user information
  • Government bodies: Public authorities handling citizen data
  • Non-profits: Organizations managing donor or beneficiary data
  • Educational institutions: Schools and universities with student databases
  • Healthcare providers: Hospitals, clinics, and health tech platforms

Data Fiduciary vs Data Processor

It's important to distinguish between a Data Fiduciary and a Data Processor:

Data Fiduciary

  • Determines the purpose and means of processing
  • Bears primary responsibility for compliance
  • Example: An e-commerce company deciding to collect customer addresses for delivery

Data Processor

  • Processes personal data on behalf of the Data Fiduciary
  • Follows instructions from the Data Fiduciary
  • Example: A third-party logistics provider handling shipments for the e-commerce company

What is a Significant Data Fiduciary?

Under Section 10 of the DPDPA, the Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries based on specific criteria:

Criteria for Notification

  • Volume and sensitivity of data: Processing large volumes of personal data or highly sensitive categories
  • Risk to rights of Data Principals: Processing that poses significant risks to individual rights and freedoms
  • Potential impact on sovereignty and integrity: Operations that could affect India's sovereignty, security, or public order
  • Risk to electoral democracy: Processing that could influence democratic processes

Likely candidates for Significant Data Fiduciary status include:

  • Major social media platforms
  • Large e-commerce marketplaces
  • Financial institutions processing millions of transactions
  • Healthcare platforms with extensive patient data
  • Telecommunication service providers
  • Search engines and advertising networks

Obligations of Data Fiduciaries

1. Lawful Processing

Data Fiduciaries must process personal data only for lawful purposes with valid consent or other legal grounds as specified in the Act.

2. Notice and Transparency

Before or at the time of seeking consent, Data Fiduciaries must provide clear notice containing:

  • Description of personal data being collected
  • Purpose of processing
  • Manner of exercising rights (access, correction, erasure)
  • Details of grievance redressal mechanism

Notices must be available in English and all 22 scheduled languages of India, presented in clear and plain language.

3. Data Principal Rights

Data Fiduciaries must enable Data Principals to exercise their rights:

  • Right to access: Provide information about personal data being processed
  • Right to correction: Allow correction of inaccurate or incomplete data
  • Right to erasure: Delete personal data when purpose is fulfilled or consent is withdrawn
  • Right to nominate: Facilitate nomination of another person to exercise rights in case of death or incapacity

4. Data Security

Implement reasonable security safeguards to prevent personal data breaches. This includes:

  • Technical measures: Encryption, access controls, secure storage
  • Organizational measures: Security policies, employee training, incident response plans
  • Regular security audits and vulnerability assessments

5. Breach Notification

In case of a personal data breach, Data Fiduciaries must:

  • Notify the Data Protection Board of India in the prescribed manner
  • Inform affected Data Principals about the breach
  • Provide details of the breach, its impact, and remedial measures taken

6. Data Retention and Deletion

Personal data must not be retained beyond the period necessary for the specified purpose. Once the purpose is fulfilled or consent is withdrawn, data must be deleted unless retention is required by law.

7. Grievance Redressal

Establish an effective grievance redressal mechanism to address complaints from Data Principals within prescribed timelines.

Additional Obligations for Significant Data Fiduciaries

Significant Data Fiduciaries have enhanced obligations under the DPDPA:

1. Data Protection Officer (DPO)

Must appoint a Data Protection Officer who is based in India. The DPO's responsibilities include:

  • Acting as the point of contact with the Data Protection Board
  • Representing the organization on data protection matters
  • Overseeing compliance with DPDPA requirements
  • Handling Data Principal grievances

2. Independent Data Auditor

Must appoint an independent Data Auditor to conduct regular audits of:

  • Compliance with the provisions of the Act
  • Effectiveness of security safeguards
  • Data processing activities
  • Risk assessment and mitigation measures

3. Data Protection Impact Assessment (DPIA)

Must conduct periodic Data Protection Impact Assessments to:

  • Identify and assess risks to Data Principal rights
  • Evaluate effectiveness of safeguards
  • Document processing activities and their purposes
  • Implement risk mitigation measures

Penalties for Non-Compliance

Data Fiduciaries face substantial penalties for violations:

  • Up to ₹250 crores for general non-compliance with Act provisions
  • Up to ₹200 crores for failure to implement reasonable security safeguards
  • Up to ₹250 crores for failure to notify data breaches
  • Up to ₹50 crores for failure to fulfill Data Principal rights

Learn more about penalties in our guide: DPDPA Penalties Explained: How to Avoid the ₹250 Crore Fine.

Practical Steps for Data Fiduciaries

Immediate Actions

  1. Identify your role: Determine if you're a Data Fiduciary or Data Processor for each processing activity
  2. Data inventory: Create a comprehensive inventory of all personal data you process
  3. Purpose documentation: Document the purpose for each data processing activity
  4. Consent review: Audit existing consent mechanisms and upgrade to meet DPDPA standards
  5. Notice preparation: Draft and publish privacy notices in required languages

Building Compliance Infrastructure

  1. Governance structure: Establish data protection governance with clear roles and responsibilities
  2. Security measures: Implement technical and organizational security safeguards
  3. Training programs: Conduct regular training for employees on data protection practices
  4. Vendor assessment: Evaluate Data Processors and ensure contractual compliance
  5. Incident response: Develop and test breach notification and response procedures
  6. Rights management: Create systems to handle Data Principal rights requests efficiently

💡 Pro Tip: Even if you're not designated as a Significant Data Fiduciary, adopting their enhanced obligations proactively demonstrates commitment to data protection and prepares you for potential future designation.

Working with Data Processors

When engaging Data Processors, Data Fiduciaries must:

  • Written agreements: Ensure contracts clearly define processing instructions and obligations
  • Security requirements: Specify security measures the processor must implement
  • Sub-processing: Control and approve any sub-processors
  • Audit rights: Retain rights to audit the processor's compliance
  • Data return/deletion: Include provisions for data return or deletion upon contract termination
  • Breach notification: Require immediate notification of any data breaches

Conclusion

Being a Data Fiduciary under DPDPA comes with significant responsibilities but also provides an opportunity to build trust with Data Principals through transparent and secure data practices. Whether you're a regular Data Fiduciary or a Significant Data Fiduciary, understanding and fulfilling your obligations is crucial for compliance and business success.

For a comprehensive implementation guide, check out our DPDPA compliance checklist.

Related Articles

→ What is DPDPA 2023? Complete Guide for Indian Businesses→ DPDPA Compliance Checklist for Startups in India→ Consent Management Under DPDPA: What You Need to Know

Need Help with DPDPA Compliance?

Our compliance automation platform helps Data Fiduciaries achieve and maintain DPDPA compliance efficiently. Get expert guidance and automated workflows.

Book a DemoView Pricing