India’s Digital Personal Data Protection Act (DPDPA), 2023, which received presidential assent in August 2023 and takes effect as its provisions are notified, marks a significant step in the country’s move toward a rights-based framework for digital personal data. At the heart of this law lies the concept of a Data Fiduciary: any person who, alone or together with others, determines the purpose and means of processing personal data. Whether it’s a startup, a bank, a healthcare app, or a global tech giant operating in India, if it decides why and how digital personal data is processed, it is a Data Fiduciary under this Act (an entity that only processes data on a fiduciary’s instructions is a Data Processor).
The law introduces a new set of core obligations for Data Fiduciaries that reshape how businesses handle, secure, and govern user data. These obligations are not just legal checkboxes—they reflect a broader cultural shift: from data ownership to data stewardship.
In this post, we’ll explore:
- What it means to be a Data Fiduciary
- The key obligations under the DPDPA
- Best practices for compliance
- How the public benefits from these rules
- Practical examples across industries
🔍 Who Is a Data Fiduciary?
According to Section 2(i) of the DPDPA, a Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
This includes:
- E-commerce platforms
- Telecom companies
- EdTech startups
- Hospitals and healthcare providers
- Banks and NBFCs
- Government departments
- SaaS companies collecting Indian user data
✅ Example: A food delivery app that collects a user’s name, address, and location data to fulfill orders is a Data Fiduciary.
There’s also a special class: Significant Data Fiduciaries (SDFs), which the Central Government may notify based on factors such as the volume and sensitivity of the personal data they process and the risk to Data Principals’ rights. SDFs carry heightened obligations (covered later in this post).
🧾 Core Obligations for All Data Fiduciaries
Let’s break down the key duties and expectations for Data Fiduciaries under India’s data protection law.
📌 1. Lawful and Purpose-Limited Processing
Fiduciaries may process personal data only for a lawful purpose, either one the Data Principal has consented to or one of the Act’s “certain legitimate uses” (such as data the user voluntarily provided for a specified purpose, employment purposes, or a medical emergency), and in a manner that is fair and reasonable to the data principal (user).
They must:
- Avoid deceptive or excessive data collection
- Collect data that’s necessary for the intended purpose
- Not repurpose data without fresh consent
❌ Wrong: Asking for access to photos or contacts to offer a food delivery service.
✅ Right: Asking only for address and phone number to deliver the order.
📌 2. Informed Consent and Notices
Fiduciaries must provide clear, plain-language notices before or at the time of collecting data, explaining:
- What data is being collected
- Why it is being collected
- How it will be used
- Users’ rights
- How to contact the grievance officer
Consent must be:
- Free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action
- Limited to the personal data necessary for the specified purpose
- Revocable at any time, and as easy to withdraw as it was to give
- Accompanied by a notice the user can read in English or any of the languages in the Eighth Schedule to the Constitution
🧠 Example: An EdTech app must provide a popup consent form explaining how it uses student learning data, in both English and Hindi.
📌 3. Grievance Redressal Mechanism
Fiduciaries must publish the contact details of a person who can answer users’ questions about their data (the Data Protection Officer, where one is required) and provide a readily available means of grievance redressal, reachable by email or portal, with complaints answered within the period prescribed under the Rules. The Act itself sets no fixed number of days.
This ensures that users have accessible routes to raise concerns, whether it’s about data misuse, incorrect data, or denial of rights.
🧾 Public Benefit: A user unhappy with a bank sharing their contact details with marketing partners can contact the grievance officer and request redress.
📌 4. User Rights Fulfillment
Data Fiduciaries must enable users (called Data Principals) to:
- Access their data
- Correct or update inaccurate data
- Request erasure of data that is no longer needed for the specified purpose, unless a law requires its retention
- Withdraw consent
These requests must be processed promptly and transparently.
✅ Example: A user can ask a shopping site to delete their saved addresses and payment details after closing their account. Invoices that tax or accounting law requires the site to keep may be retained, but only for that legal purpose, not for marketing or profiling.
📌 5. Security Safeguards
Organizations must implement reasonable security measures to protect personal data against unauthorized access, disclosure, or breach. This includes:
- Encryption
- Access control
- Data masking
- Regular audits and vulnerability assessments
They must also ensure privacy by design—embedding security into systems and processes from the start.
⚠️ Breach Duty: If a data breach occurs, the fiduciary must notify both the Data Protection Board of India (DPBI) and the affected users.
📌 6. Data Minimization
Fiduciaries should collect the minimum amount of data necessary for the task at hand. Over-collection is not only non-compliant—it’s risky.
❌ Bad Practice: Asking for PAN card just to register for a newsletter.
✅ Good Practice: Asking only for email to send marketing content.
📌 7. Retention Limitation
Personal data should not be retained longer than necessary. Fiduciaries must define retention schedules and delete data when:
- It’s no longer required
- The user withdraws consent
- Legal obligations have ended
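The erasure and retention rules above (stop processing on withdrawal, delete when the purpose is served, but keep what a law requires, and only for that legal purpose) are easy to state and easy to get wrong in practice, because a single record usually mixes categories with different fates. The following is an added example, not text from the DPDPA or code from any product: a small decision routine that takes a record, the trigger (consent withdrawn or purpose ended), and a hypothetical statutory retention table, and returns which fields to erase and what the remaining fields may still be used for. The data categories, retention periods, and sample records are constructed assumptions.

```python
"""Retention and erasure decisions for personal data held for a consented purpose.

This is an added example, not text from the DPDPA or code from any product.
The data categories, the statutory periods, and the sample records are
constructed assumptions used only to illustrate the decision logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical statutory retention duties, keyed by data category. The periods
# are placeholders; a real schedule comes from counsel, not from this table.
STATUTORY_RETENTION: dict[str, timedelta] = {
    "kyc": timedelta(days=5 * 365),      # assumed: identity records after account closure
    "invoice": timedelta(days=8 * 365),  # assumed: tax and accounting records
}


@dataclass
class PersonalDataRecord:
    principal_id: str
    purpose: str                                  # specified purpose the consent covered
    fields: dict[str, str]                        # field name -> data category
    consent_withdrawn_at: Optional[datetime] = None
    purpose_ended_at: Optional[datetime] = None   # e.g. account closed, order delivered


def erasure_decision(rec: PersonalDataRecord, now: datetime) -> tuple[str, list[str]]:
    """Decide what happens to `rec` at time `now`.

    Returns (action, fields_to_erase), where action is one of:
      "retain"        purpose still served and consent intact; erase nothing
      "erase_all"     a trigger fired and no legal duty remains; erase everything
      "erase_partial" a trigger fired but some categories are under an unexpired
                      statutory hold; erase the rest, keep those for the legal
                      purpose only
    """
    triggers = [t for t in (rec.consent_withdrawn_at, rec.purpose_ended_at) if t]
    if not triggers:
        return "retain", []
    # Simplification: the statutory clock starts at the earliest trigger.
    hold_start = min(triggers)
    held, erase = [], []
    for name, category in sorted(rec.fields.items()):
        period = STATUTORY_RETENTION.get(category)
        if period is not None and now < hold_start + period:
            held.append(name)
        else:
            erase.append(name)
    return ("erase_partial" if held else "erase_all"), erase


def apply_erasure(rec: PersonalDataRecord, now: datetime) -> tuple[str, dict[str, str], list[str]]:
    """Apply the decision: return (action, remaining_fields, allowed_purposes).

    Anything kept under a legal hold may be processed for that legal obligation
    only, never for the business purpose the consent covered.
    """
    action, to_erase = erasure_decision(rec, now)
    remaining = {k: v for k, v in rec.fields.items() if k not in to_erase}
    if action == "retain":
        allowed = [rec.purpose]
    elif remaining:
        allowed = ["legal_obligation"]
    else:
        allowed = []
    return action, remaining, allowed


# Constructed sample records (not real people or real data).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=5 * 365)   # after the assumed KYC period has run out
ACTIVE = PersonalDataRecord("p1", "food_delivery", {"address": "contact", "phone": "contact"})
NEWSLETTER = PersonalDataRecord("p2", "newsletter", {"email": "contact"},
                                consent_withdrawn_at=NOW - timedelta(days=1))
CLOSED_BANK = PersonalDataRecord("p3", "banking",
                                 {"pan": "kyc", "phone": "contact", "marketing_prefs": "marketing"},
                                 purpose_ended_at=NOW - timedelta(days=365))

if __name__ == "__main__":
    for rec in (ACTIVE, NEWSLETTER, CLOSED_BANK):
        print(rec.principal_id, apply_erasure(rec, NOW))
    # Once the assumed five-year KYC period has run, the closed account is erased fully.
    print(CLOSED_BANK.principal_id, apply_erasure(CLOSED_BANK, LATER))
```

The point a practitioner should take from the closed-account case is that "delete on withdrawal" is rarely a single DELETE statement: the legally held fields survive, but the allowed purpose shrinks to the legal obligation alone, and the marketing and contact fields go immediately. Running the same check on a schedule (rather than only when a user asks) is what turns a retention policy into retention limitation.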
📌 8. Children’s Data Obligations
If processing the personal data of a child (anyone under 18) or of a person with a disability who has a lawful guardian, fiduciaries must:
- Obtain verifiable parental consent
- Avoid behavioral tracking or targeted advertising
- Not undertake processing that is likely to cause a detrimental effect on the child’s well-being
👨👩👧 Example: A kids’ learning app must not track how long a child watches videos to send push ads, even if the parent gave initial consent.
📌 9. Data Sharing and Transfers
Fiduciaries must ensure that data shared with processors or third parties is protected under:
- Written contracts
- Defined purposes
- Equivalent security standards
They remain responsible for processing carried out by a Data Processor on their behalf, regardless of any contract with that processor and regardless of whether the processor was negligent.
🔗 Example: A fitness app sharing user health data with a third-party analytics tool must minimize what it sends and pseudonymize identifiers before export. A hashed phone number is still personal data if the app can map it back to a user, so “anonymized” should be claimed only when no party can re-identify the individual.
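The fitness-app example turns on a detail that is easy to miss: replacing a phone number with a plain hash does not anonymize it, because a 10-digit number is a small, enumerable space. The following is an added example, not from the DPDPA text or any product, showing the weak scheme beside the stronger one: a keyless SHA-256 that a recipient can reverse by brute force once a few digits are guessable, versus an HMAC under a key the fiduciary keeps, plus minimization of the other fields before export. The phone number, health values, key, and the “attacker knows the first six digits” model are constructed assumptions.

```python
"""Pseudonymising identifiers before sharing records with a third party.

Added example, not from the DPDPA text or any vendor product. The phone
numbers, health values, key, and the 'known prefix' attacker model are
constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def naive_pseudonym(phone: str) -> str:
    """Plain SHA-256 of the identifier: deterministic, keyless, and therefore
    reversible by anyone who can enumerate the identifier space."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the fiduciary keeps. The recipient cannot run the
    enumeration below without the key; the fiduciary still can, so the output
    is pseudonymous personal data, not anonymous data."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key (store it like any other secret)."""
    return secrets.token_bytes(32)


def reverse_by_enumeration(target_hex: str, known_prefix: str, width: int,
                           hash_fn: Callable[[str], str] = naive_pseudonym) -> Optional[str]:
    """What an analytics vendor holding plain hashes can do: an Indian mobile
    number is 10 digits, and the leading digits are often guessable, so the
    remaining digits are a small search space. Only `width` suffix digits are
    tried here; a real attacker would try all 10 digits offline."""
    for i in range(10 ** width):
        candidate = f"{known_prefix}{i:0{width}d}"
        if hash_fn(candidate) == target_hex:
            return candidate
    return None


def export_health_record(rec: dict, key: bytes) -> dict:
    """Minimise and pseudonymise one record for an analytics export: drop the
    name, replace the phone number with a keyed pseudonym, and coarsen values
    that are not needed at full precision."""
    decade = (rec["age"] // 10) * 10
    return {
        "uid": keyed_pseudonym(rec["phone"], key),
        "age_band": f"{decade}-{decade + 9}",
        "weekly_steps_k": round(rec["weekly_steps"] / 1000),
    }


# Constructed sample input (not a real person).
SAMPLE_RECORD = {"name": "A. Sharma", "phone": "9876501234", "age": 34, "weekly_steps": 52340}
KNOWN_PREFIX, SUFFIX_WIDTH = "987650", 4   # assumed: attacker knows the first six digits
FIXED_KEY = bytes(range(32))               # fixed only for reproducible output; use new_key() in practice


def demo() -> dict:
    """Run both schemes against the constructed record and return what each reveals."""
    plain = naive_pseudonym(SAMPLE_RECORD["phone"])
    keyed = keyed_pseudonym(SAMPLE_RECORD["phone"], FIXED_KEY)
    return {
        "plain_recovered": reverse_by_enumeration(plain, KNOWN_PREFIX, SUFFIX_WIDTH),
        "keyed_recovered": reverse_by_enumeration(keyed, KNOWN_PREFIX, SUFFIX_WIDTH),
        "export": export_health_record(SAMPLE_RECORD, FIXED_KEY),
    }


if __name__ == "__main__":
    result = demo()
    print("plain hash reversed to:", result["plain_recovered"])
    print("keyed hash reversed to:", result["keyed_recovered"])
    print("exported record:", result["export"])
```

Two design notes. First, the key must never travel with the export; if the vendor can compute the HMAC, the scheme collapses to the naive one. Second, even the keyed output is reversible by the fiduciary, so the exported rows are still personal data under the Act and need the same contract, purpose limitation, and breach handling as the raw data; only the coarsened fields (age band, rounded step count) reduce what a breach at the vendor would expose.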
📌 10. Duty to Report Breaches
Every personal data breach, whether internal or at a vendor, must be reported to the Data Protection Board of India and to each affected Data Principal, in the form and within the time prescribed under the Rules.
Failing to notify carries a penalty of up to ₹200 crore under the Act’s Schedule; failing to take the reasonable security safeguards that would have prevented the breach carries up to ₹250 crore.
🔎 Additional Obligations for Significant Data Fiduciaries (SDFs)
Entities the Central Government notifies as SDFs, based on factors such as the volume and sensitivity of personal data processed, the risk to Data Principals’ rights, and potential impact on sovereignty, security, or public order (large banks, tech platforms, and telecoms are likely candidates, but none is an SDF until notified), must:
- Appoint a Data Protection Officer (DPO) who is an individual based in India, answerable to the board of directors, and the point of contact for grievance redressal
- Appoint an independent data auditor to evaluate compliance
- Conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits
- Take any further measures the Central Government prescribes
🧠 Example: A major digital payments company handling millions of transactions must appoint a DPO and conduct risk assessments on how user KYC data is stored.
🧑💼 How the Public Benefits from These Fiduciary Duties
The obligations of Data Fiduciaries are not just internal checklists—they empower the everyday digital user. Here’s how:
🛡️ 1. More Transparency
Users know what’s being collected and why.
🔐 2. Better Control
Users can delete old accounts, correct details, or revoke permissions.
🧾 3. Less Spam
With data sharing governed by consent, users can stop unwanted messages.
🧠 4. Safer Ecosystem
Security mandates reduce the risk of identity theft, fraud, or phishing.
📣 5. Voice and Redress
Everyone gets access to the fiduciary’s complaint system first and, if that does not resolve the issue, can escalate to the Data Protection Board.
🧭 Tips for Organizations to Comply Effectively
- Appoint a Privacy Lead even if you’re not an SDF
- Maintain a consent dashboard for user transparency
- Implement audit trails to show compliance during inspections
- Educate employees on the DPDPA and data hygiene
- Review vendor contracts for security clauses
- Leverage tools like OneTrust, Priva, BigID, or Microsoft Purview for data governance
⚖️ Final Thoughts: Compliance Is Not a Burden—It’s a Trust Strategy
The DPDPA is more than a regulatory requirement—it’s a public trust initiative. It demands that organizations become custodians of user data, not exploiters.
For Data Fiduciaries, it’s a chance to:
- Build stronger customer relationships
- Stand out with privacy-first branding
- Mitigate legal and reputational risk
💡 Remember: Data is not just a business asset—it’s someone’s digital identity. Handle it with care.