27 May 2026 · DPDPA & IT Compliance
The DPDPA 2023 places the primary burden of compliance on Data Fiduciaries — the organisations that determine how and why personal data is processed. Understanding these obligations in detail is essential for any business operating in India's digital landscape.
Under the Digital Personal Data Protection Act, 2023, a "Data Fiduciary" is any person — including a company, firm, association of persons, or individual — who alone or in conjunction with others determines the purpose and means of processing personal data. The term draws from the concept of fiduciary duty, signalling that organisations entrusted with personal data bear a heightened responsibility towards the individuals whose data they hold. Whether you are a hospital maintaining patient records, a fintech company processing financial data, or an e-commerce platform managing customer profiles, you are likely a Data Fiduciary under the Act.
The cornerstone of a Data Fiduciary's obligations is the requirement to obtain valid consent before processing personal data. Consent must be free, specific, informed, unconditional, and unambiguous, and must be given through a clear affirmative action. The Data Fiduciary must provide a notice — in clear and plain language — informing the Data Principal of the personal data being collected, the purpose of processing, and the manner in which they may exercise their rights. Importantly, consent can be withdrawn at any time, and the Data Fiduciary must make the process of withdrawal as easy as the process of giving consent.
Data Fiduciaries are required to process personal data only for the specific, clear, and lawful purpose for which consent was obtained. This principle of purpose limitation prohibits the use of personal data for secondary purposes without fresh consent. Closely related is the principle of data minimisation — organisations should collect only such personal data as is necessary for the stated purpose. These twin principles require Data Fiduciaries to conduct a thorough review of their data collection practices and eliminate the collection of data that is excessive or irrelevant to the stated purpose.
Every Data Fiduciary must implement reasonable security safeguards to prevent personal data breaches. The Act does not prescribe a specific technical standard, but organisations are expected to adopt industry-standard measures commensurate with the sensitivity of the data they process. In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal in the prescribed form and within the prescribed timeline. Failure to notify attracts a penalty of up to ₹200 crore, making breach response planning a critical component of any compliance programme.
The Central Government may designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on national security and public order. Significant Data Fiduciaries face additional obligations: they must appoint a Data Protection Officer based in India, engage an independent data auditor to conduct periodic audits, and undertake Data Protection Impact Assessments for high-risk processing activities. These enhanced obligations reflect the heightened responsibility borne by organisations that process data at scale.
Building a robust DPDPA compliance programme requires a systematic review of your data processing activities, consent mechanisms, and security infrastructure. Our advocates can guide your organisation through every step of this process.
Advocacy A Law Firm