Who is a Data Fiduciary Under the DPDP Act? Obligations, Risks, and What You Must Do Now
The Classification That Changes Everything
Under the DPDP Act, 2023, the most consequential question your business will face is not how much data you hold or how sensitive it is.
It is whether you are a Data Fiduciary.
If you are — and most businesses are — you carry the primary legal responsibility for everything that happens to that data. The obligations, the rights of individuals, the penalties: all of it flows from this classification.
What the Term Means
The word fiduciary is borrowed from trust law. A fiduciary is someone entrusted to act in another's interest — a trustee, a guardian, a professional holding power over something that matters to someone else.
The DPDP Act applies it to data deliberately. It signals that businesses do not own their customers' personal data. They hold it in trust.
The Act defines a Data Fiduciary as any person who, alone or jointly with others, determines the purpose and means of processing personal data. Two words carry the legal weight: purpose and means.
- Purpose — why is this data being collected?
- Means — how is it being stored, used, and managed?
If your business is making those decisions, you are the Fiduciary. It does not matter whether you process the data in-house or outsource it to a vendor.
A Test You Can Run Right Now
Three questions. Answer honestly.
Do you decide what personal data to collect? Do you decide what to do with it once you have it? Do you exercise any discretion over how it is stored, shared, or deleted?
If the answer to the first two is yes, you are almost certainly a Data Fiduciary. If the answer to all three is no, you may be a Data Processor — but read on before drawing that conclusion.
The distinction matters. But when in doubt, treat yourself as a Fiduciary. The stakes of misclassifying downward are considerably higher.
Who Qualifies in Practice
- An e-commerce platform collecting customer names, addresses, and purchase history — Data Fiduciary
- A hospital maintaining electronic patient records — Data Fiduciary
- A payroll software company processing employee salary data strictly on client instructions — likely a Data Processor for its clients, who are the Fiduciaries
- A marketing agency running campaigns on a client's customer database — Data Processor. The client who owns that database is the Fiduciary
- An HR department managing employee personal data — Data Fiduciary
The pattern is consistent: if you have discretion over why data is collected and how it is used, the Act holds you responsible.
Your Obligations
Obtain valid consent. Before processing personal data, you need a lawful basis. For most businesses, that basis is consent. The Act is specific: free, informed, specific, and unambiguous consent — obtained before collection, not after.
Provide an itemised notice. The DPDP Rules 2025 specify what this notice must contain. It must list each category of data collected and its corresponding purpose, separately. It must be in plain language. It must be accessible — not buried in a footer.
Respect purpose limitation. Data collected for one purpose cannot be used for another without fresh consent. This is a hard rule, not a guideline.
Keep data accurate. If data is wrong and an individual tells you so, correct it promptly.
Delete data when the purpose is served. Once you no longer need data, it must be deleted. The Rules add a procedural requirement: individuals must be notified at least 48 hours before erasure.
Implement security safeguards. Reasonable technical and organisational measures to prevent unauthorised access, disclosure, or loss. System and processing logs must be retained for a minimum of one year.
Handle rights requests. Individuals can ask what data you hold about them, request corrections, and ask for erasure. You need a documented process with a named owner.
Report breaches within 72 hours. If personal data under your control is compromised, you must immediately notify affected individuals and the Board, and submit a full report within 72 hours.
Significant Data Fiduciaries — A Higher Standard
The Act creates a sub-category: Significant Data Fiduciaries. The government can designate any Data Fiduciary as "significant" based on the volume and sensitivity of data processed, risk to national security, or potential harm to individuals.
Significant Data Fiduciaries face additional obligations under the Rules:
- Appointing a Data Protection Officer based in India
- Conducting annual Data Protection Impact Assessments
- Submitting to annual independent audits
- Completing algorithmic fairness assessments
- Meeting stricter technical due diligence standards
The designation criteria are broad enough to reach mid-sized businesses in sensitive sectors — not just the largest technology platforms.
The Penalties
| Obligation Breached | Maximum Penalty |
|---|---|
| Inadequate security safeguards | ₹250 crore |
| Failure to notify a breach | ₹200 crore |
| Children's data obligations | ₹200 crore |
| Significant Data Fiduciary obligations | ₹150 crore |
| Any other breach | ₹50 crore |
Where to Start
Map your data. Understand what personal data your business holds, where it lives, who can access it, and what it is being used for. This is the foundation of everything.
Audit your consents. Every data collection point — website form, app sign-up, checkout flow, HR onboarding — needs to be assessed against the Act's consent standard.
Review your vendor contracts. If you share personal data with third parties, your contracts must reflect DPDP obligations — including data processing clauses and breach notification requirements.
Build your breach response plan. The 72-hour clock starts from when you become aware of a breach — not from when you finish investigating it.
The Bottom Line
Being a Data Fiduciary is not a technicality. It is a legal status with real obligations, enforceable rights on the other side, and a regulator with investigative powers and penalty authority.
Your customers' data is held in trust. The DPDP Act and Rules formalise what was always the right standard.