The legal definition of a Data Fiduciary
Section 2(i) of the Digital Personal Data Protection Act 2023 defines a Data Fiduciary as:
"…any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."
This is a broad definition. The key phrase is "determines the purpose and means." If your organisation decides what personal data to collect, why to collect it, and how to use it — you are a Data Fiduciary.
The term "person" in the Act includes individuals, companies, government bodies, partnership firms, and any other legal entity. Size does not matter. A sole proprietor collecting customer phone numbers for a delivery service and a large e-commerce platform collecting data at scale are both Data Fiduciaries — the obligations differ only if the larger entity is additionally designated as a Significant Data Fiduciary.
Ask yourself: does my organisation decide what personal data to collect and why to collect it? If yes, you are a Data Fiduciary under the DPDP Act, and you must comply with all obligations the Act places on Data Fiduciaries.
Who is — and is not — a Data Fiduciary
The Data Fiduciary role becomes clearer with examples across sectors:
The distinction matters because Data Processors have limited obligations under the DPDP Act — they must follow the Data Fiduciary's instructions and implement reasonable security, but they do not independently carry the consent, notice, and Data Principal rights obligations.
Data Fiduciary vs Data Processor: the key differences
Significant Data Fiduciaries — the higher-obligation category
The DPDP Act creates a special category: the Significant Data Fiduciary (SDF). Section 10 of the Act allows the Central Government to designate any Data Fiduciary as a Significant Data Fiduciary if it meets certain criteria.
The criteria for SDF designation
The government will consider these factors when designating SDFs:
- Volume of personal data processed: Organisations that process personal data at scale — millions of users or large databases — are at elevated risk of designation.
- Sensitivity of personal data: Processing categories like health data, financial data, biometric data, or data about children increases the likelihood of SDF designation.
- Risk to Data Principals: If a breach or misuse of your data would cause significant harm to individuals, that elevates risk of designation.
- National security and public order: Organisations that could pose risks to national security if compromised — critical infrastructure, government contractors, telecoms — are priority candidates.
- Impact on democracy: Social media platforms and news aggregators that could influence public discourse are specifically contemplated.
What additional obligations do SDFs face?
If designated as a Significant Data Fiduciary, your organisation must:
- Appoint a Data Protection Officer (DPO) based in India, responsible for ensuring compliance and acting as the contact point for Data Principals and the Data Protection Board.
- Conduct periodic Data Protection Impact Assessments (DPIAs) for all current and new data processing activities.
- Submit to independent data audits by an accredited external auditor, which will assess your compliance with the Act's obligations.
- Ensure the DPO reports to the Board of Directors and has sufficient authority and resources to perform their function.
- Implement additional standards as the government may specify for SDFs — these are expected to include algorithmic transparency requirements for platforms making automated decisions that affect individuals.
The government is expected to designate the first batch of SDFs in 2026. Large consumer fintech apps, health platforms, major e-commerce marketplaces, and social media companies operating in India are the most likely first designees.
The six obligations every Data Fiduciary carries
Every Data Fiduciary — regardless of size, sector, or SDF status — must comply with these six obligations under the DPDP Act:
- Valid consent: Obtain free, specific, informed, and unambiguous consent before processing personal data. Consent must be granular (separate consent for each distinct purpose) and withdrawable at any time.
- Notice to Data Principals: Before or at the time of collecting personal data, provide a clear notice in plain language explaining what data is collected, the specific purpose, and how individuals can exercise their rights.
- Honour Data Principal rights: Respond to requests from individuals to access their data, correct inaccuracies, erase their data (right to be forgotten), and nominate someone to exercise their rights on their behalf.
- Implement security safeguards: Put in place reasonable technical and organisational measures to prevent personal data breaches. The standard is "reasonable" — scaled to the sensitivity of data and the risk of processing.
- Breach notification: Notify the Data Protection Board and affected individuals promptly after a personal data breach. Based on the DPDP Rules 2025, this is expected to be a 72-hour notification window.
- Children's data: Obtain verifiable parental consent before processing data of individuals under 18, and do not process children's data in ways that could harm their well-being or track their behaviour.
Data Fiduciary vs GDPR Data Controller
For organisations already familiar with GDPR, the mapping is straightforward:
- GDPR Data Controller = DPDP Act Data Fiduciary
- GDPR Data Processor = DPDP Act Data Processor
- GDPR Data Subject = DPDP Act Data Principal
- GDPR Supervisory Authority = DPDP Act Data Protection Board of India
The conceptual difference is intentional. The DPDP Act chose "Data Fiduciary" — a term borrowed from trust law — to signal that organisations handling personal data hold a position of trust relative to the individuals whose data they hold. A fiduciary has a duty of care, not just a legal obligation. This framing is reflected in the Act's requirements: consent must be as easy to withdraw as to give; data must be erased when the purpose is served; individuals must be able to access and correct their own data without friction.
The word "fiduciary" is not accidental. The legislature wanted to signal that holding personal data is a position of trust, not just a technical activity subject to compliance.
What a Data Fiduciary should do now
If you are a Data Fiduciary under the DPDP Act — which means if you process any personal data of Indian individuals — here is what you should be doing now, ahead of the May 2027 enforcement date:
- Confirm your status: Assess whether you are a Data Fiduciary or a Data Processor in each of your processing activities. In some cases you may be both — a Data Fiduciary for customer data and a Data Processor for a client's data.
- Map your personal data flows: Create an inventory of all personal data your organisation processes — what it is, where it comes from, where it is stored, who accesses it, and how long you keep it.
- Assess your consent mechanisms: Review every customer touchpoint where you collect data and test whether your current consent processes meet the DPDP Act standard.
- Draft DPDP-compliant notices: Update your privacy notices and consent forms to meet the Act's requirements — plain language, specific to each purpose, available in the user's language.
- Prepare for rights requests: Build or configure a mechanism to receive and respond to Data Principal rights requests within the prescribed timelines.
- Implement breach detection and notification: Ensure your security monitoring can detect breaches promptly and that your incident response process can trigger notification within 72 hours of detection.
- If you may be an SDF, start earlier: DPO appointment, DPIA processes, and audit readiness require months of preparation. Don't wait for the designation — prepare as if it's coming.