What are the key obligations for data fiduciaries under the new Indian data protection rules?

Introduction
Under the Digital Personal Data Protection Act (DPDPA), 2023, which is set to become fully enforceable by 2025, the Government of India has laid out specific responsibilities for entities called data fiduciaries. A data fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. These obligations are designed to ensure accountability, transparency, and the protection of individual privacy. All businesses that handle personal data in digital form must comply with these obligations, whether they collect it directly or receive it from another party.

Obligation 1: Obtain Valid and Informed Consent
Data fiduciaries must obtain clear, informed, and specific consent from users before collecting their personal data. The consent must be given voluntarily and must be based on clear information about what data will be collected and for what purpose. Consent should not be obtained by default or as a precondition for accessing unrelated services. Users should also have the right to withdraw their consent at any time.

Example
If a shopping website like Flipkart wants to collect data to send promotional emails, it must show users a checkbox asking for their consent. It cannot automatically assume consent or make it a hidden part of the terms and conditions.

Obligation 2: Purpose Limitation
Personal data must be collected only for specific, lawful, and stated purposes. A business cannot collect data for one reason and then use it for another unrelated purpose without obtaining additional consent from the user.

Example
If a travel site like MakeMyTrip collects a user’s passport number for flight booking, it cannot later use this information for unrelated services like insurance marketing unless it gets separate consent.

Obligation 3: Data Minimization
Only data that is strictly necessary for fulfilling the stated purpose should be collected. Businesses should avoid asking for excessive or irrelevant information from users.

Example
An app that delivers groceries should only ask for name, address, contact number, and payment information. It should not ask for personal details like marital status or religion unless required by law or a specific service.

Obligation 4: Storage Limitation
Data fiduciaries must not retain personal data longer than necessary. Once the purpose for which the data was collected is fulfilled, the data should be deleted or anonymized. Businesses must set internal retention timelines and ensure old or unused data is cleared periodically.

Example
If an online learning platform like Byju’s collects user data for course access, it should delete the data once the course ends and the student no longer needs the service.

Obligation 5: Accuracy of Data
Data fiduciaries are required to keep personal data accurate and up to date. They must provide a mechanism for individuals to review and correct their data.

Example
If a user’s delivery address changes on Amazon, the platform must allow the user to update their information and ensure the new address is used for all future orders.

Obligation 6: Implement Security Safeguards
Businesses must implement reasonable technical and organizational security measures to protect personal data from unauthorized access, disclosure, or breach. These include encryption, firewall protection, access controls, employee training, and breach detection systems.

Example
A financial app like PhonePe must ensure that user data is encrypted, login credentials are securely stored, and regular security audits are conducted to detect vulnerabilities.

Obligation 7: Grievance Redressal Mechanism
Data fiduciaries must provide an effective and responsive grievance redressal system. Users should be able to file complaints related to their data, consent, deletion requests, or misuse, and businesses must resolve these within the time specified by law.

Example
If a user contacts Paytm with a complaint about unauthorized data sharing, Paytm must investigate the issue and provide a formal resolution within the legal time frame.

Obligation 8: Enabling User Rights
Data fiduciaries are responsible for enabling individuals to exercise their rights under the Act. These include the right to access personal data, the right to correct or delete it, the right to withdraw consent, and the right to be informed about how data is used.

Example
If a user of Swiggy wants to delete their account and associated data, Swiggy must allow the user to initiate the deletion request and confirm once the data has been removed from its systems.

Obligation 9: Breach Notification
In the event of a data breach, the data fiduciary must inform the affected individuals as well as the Data Protection Board of India. The notification must be made promptly, including details of the nature of the breach and steps taken to minimize its impact.

Example
If a cyberattack exposes customer emails and phone numbers at Ola, the company must immediately notify the affected users and report the incident to the Board with a full explanation.

Obligation 10: Appointment of Data Protection Officer (for SDFs)
Organizations that are classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process must appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring compliance, managing grievances, and acting as the point of contact with the Data Protection Board.

Example
A telecom company like Jio would be considered a Significant Data Fiduciary and must appoint a qualified DPO to oversee all data protection responsibilities within the company.

Obligation 11: Conducting Data Protection Impact Assessments (DPIAs)
SDFs must conduct regular assessments of the potential risks their data processing activities pose to individuals. These assessments help in identifying vulnerabilities and applying safeguards to reduce risk.

Example
An insurance company that uses automated algorithms to assess customer profiles must carry out DPIAs to ensure its system does not unfairly discriminate or expose users to harm.

Obligation 12: Cross-Border Data Transfer Compliance
Data fiduciaries can transfer personal data outside India only to countries approved by the central government. Even after the data is transferred, fiduciaries must ensure that the data continues to be processed in a manner that protects individual rights.

Example
A company like Google India can store or process user data on servers in the US only if the US is among the countries notified by the government and all protective safeguards are maintained.

Obligation 13: Maintain Records and Audit Trails
Data fiduciaries are required to maintain records of their data processing activities, including when consent was taken, how long the data was stored, who accessed it, and when it was deleted. This is important for audits and demonstrating compliance.

Example
A food delivery app like Zomato should keep an internal log of every user consent interaction, data sharing with delivery partners, and data deletion request history for verification purposes.
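The consent, purpose-limitation, retention and audit-trail obligations above (Obligations 1, 2, 4 and 13) translate into a small set of checks a data store has to enforce. The following is an added illustration, not code from the page or from any of the companies named on it; the `Consent` and `DataStore` classes, the event names and the sample scenario are all constructed for this example, and the real law sets no particular retention period.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    retention: timedelta                 # internal retention timeline for this purpose
    withdrawn_at: "datetime | None" = None

    def active(self, now):
        # Usable only while not withdrawn and still inside the retention window.
        return self.withdrawn_at is None and now < self.granted_at + self.retention

@dataclass
class DataStore:
    records: dict = field(default_factory=dict)  # principal -> {"data": {...}, "consents": {purpose: Consent}}
    audit: list = field(default_factory=list)    # append-only trail: (when, event, principal, actor, purpose)

    def _log(self, now, event, principal, actor, purpose=None):
        self.audit.append((now.isoformat(), event, principal, actor, purpose))

    def collect(self, principal, data, purpose, retention_days, now):
        rec = self.records.setdefault(principal, {"data": {}, "consents": {}})
        rec["data"].update(data)
        rec["consents"][purpose] = Consent(purpose, now, timedelta(days=retention_days))
        self._log(now, "consent_granted", principal, principal, purpose)

    def withdraw(self, principal, purpose, now):
        self.records[principal]["consents"][purpose].withdrawn_at = now
        self._log(now, "consent_withdrawn", principal, principal, purpose)

    def access(self, principal, purpose, actor, now):
        rec = self.records.get(principal)
        consent = rec["consents"].get(purpose) if rec else None
        if consent is None or not consent.active(now):  # purpose limitation, withdrawal, expiry
            self._log(now, "access_denied", principal, actor, purpose)
            raise PermissionError(f"no active consent for {purpose!r}")
        self._log(now, "access", principal, actor, purpose)
        return rec["data"]

    def purge(self, now):
        # Delete a principal's data once no purpose still carries active consent.
        gone = [p for p, r in self.records.items() if not any(c.active(now) for c in r["consents"].values())]
        for p in gone:
            del self.records[p]
            self._log(now, "deleted", p, "retention_job")
        return gone

def day(n): return datetime(2025, 1, 1) + timedelta(days=n)  # constructed reference clock for sample runs
```

Data collected for "booking" cannot be read for "marketing", a withdrawn or expired consent makes the record eligible for deletion on the next retention run, and every grant, access, denial and deletion lands in the audit trail with the actor and timestamp.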

Obligation 14: Accountability and Transparency
Data fiduciaries must publish a privacy policy, clearly outline how personal data is handled, and be transparent about any data sharing with third parties. They are also accountable for ensuring that all their third-party vendors or processors comply with DPDPA regulations.

Example
If Myntra outsources its customer support to a third-party agency, it must ensure that the agency handles personal data with the same level of security and compliance required under Indian law.

Conclusion
The DPDPA 2023 places significant responsibilities on data fiduciaries to manage personal data ethically, securely, and transparently. These obligations reflect a broader shift toward recognizing data privacy as a fundamental right in India. For businesses, this means redesigning data systems, rewriting privacy policies, setting up grievance redressal procedures, implementing technical safeguards, and ensuring organizational compliance. Non-compliance can attract penalties of up to ₹250 crore, reputational loss, and possible suspension of operations. Companies that embrace these changes proactively will not only avoid penalties but also build stronger relationships with users, win trust, and position themselves for sustainable success in a privacy-first digital economy.

Priya Mehta