

A Data Fiduciary is any person or business that decides the purpose and means of processing personal data. In plain language: if you decide what customer data to collect and what to do with it, the DPDP Act calls you a Data Fiduciary, and the full legal responsibility for protecting that data sits with you.
The bar is low by design. Collecting even one customer's email digitally makes you a Data Fiduciary. There is no small-business exemption, so startups, MSMEs, clinics, schools, and agencies all carry the same core duties. The people whose data you hold are called Data Principals, and they now hold enforceable rights over their data.
No cost. No obligation. Get your compliance gap report.
These are the core obligations every Data Fiduciary carries under the Act.
| Aspect | Data Fiduciary | Data Processor |
|---|---|---|
| Role | Decides the purpose and means of processing | Processes data on the fiduciary's behalf |
| Typical example | Your business collecting customer data | Cloud host, payroll provider, marketing agency |
| Legal responsibility | Full responsibility under the Act | Contractual obligations to the fiduciary |
| Liability for vendor mistakes | Yes, the fiduciary stays legally responsible | Answerable to the fiduciary via contract |
This is the point most businesses get wrong: "our vendor handles the data" is not a defence. If your payroll provider or cloud vendor leaks your customers' data, the Data Protection Board comes to you. That is why vendor contracts are mandatory, and why checking them is part of our free audit.
The government can designate high-volume or high-risk businesses as Significant Data Fiduciaries (SDFs), based on the volume and sensitivity of data processed and the risk involved. SDFs carry extra duties, and failures cost up to ₹150 crore per violation.
A Data Protection Officer based in India, senior enough to report to the board, with a published contact for grievances.
Yearly audits by an independent auditor to verify that data protection obligations are actually being met.
Periodic Data Protection Impact Assessments plus due diligence on algorithms that process personal data.
Finance, insurance, and other data-heavy sectors are the most likely SDF candidates. Not sure if you would qualify? That is one of the questions our free audit answers.
Check My Fiduciary Obligations, FreeConsent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building fiduciary compliance takes 2-6 months, so the safe window to start is now.
The Data Fiduciary role is one piece of the Act. Our main guide covers deadlines, penalties, rights, consent, and everything else in one place.
Learn Everything About DPDP ComplianceAny entity that decides the purpose and means of processing personal data. If your business collects even one customer's email digitally, you are a Data Fiduciary with full legal responsibility for that data, including for what your vendors do with it.
The fiduciary decides why and how data is processed and carries full legal responsibility. A processor, like a cloud host or payroll provider, handles data on the fiduciary's behalf under a contract. Even then, the fiduciary remains legally responsible for the processor's mistakes.
A business designated by the government based on data volume, sensitivity, and risk. SDFs must appoint an India-based DPO reporting to the board, run annual independent audits and periodic DPIAs, and perform algorithmic due diligence. SDF duty failures carry penalties up to ₹150 crore.
Yes. The DPDP Act has no size or turnover exemption. Startups, MSMEs, shops, clinics, and agencies that handle digital personal data are all Data Fiduciaries with the same core obligations.
One free audit tells you exactly which fiduciary obligations you already meet, and which ones could cost you.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.