Data Fiduciary Under the DPDP Act

If you collect personal data digitally, this role, and its responsibilities, is yours
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Who Is a Data Fiduciary Under the DPDP Act?

A Data Fiduciary is any person or business that decides the purpose and means of processing personal data. In plain language: if you decide what customer data to collect and what to do with it, the DPDP Act calls you a Data Fiduciary, and the full legal responsibility for protecting that data sits with you.

The bar is low by design. Collecting even one customer's email digitally makes you a Data Fiduciary. There is no small-business exemption, so startups, MSMEs, clinics, schools, and agencies all carry the same core duties. The people whose data you hold are called Data Principals, and they now hold enforceable rights over their data.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

What a Data Fiduciary Must Do

These are the core obligations every Data Fiduciary carries under the Act.

  • Take clear consent before collecting personal data, with no pre-ticked boxes and withdrawal as easy as giving consent
  • Publish plain-language privacy notices in English plus any of the 22 scheduled Indian languages
  • Keep data accurate and delete it when the purpose is served or consent is withdrawn
  • Honour user rights: access, correction, erasure, and grievances resolved within 90 days
  • Implement security safeguards: encryption, access controls, MFA, logging, and backups
  • Report every breach: users without delay, plus a detailed report to the Board within 72 hours (see breach reporting rules)
  • Sign contracts with every processor that touches your data
  • Protect children's data with verifiable parental consent for under-18s

Data Fiduciary vs Data Processor: Who Carries the Risk?

AspectData FiduciaryData Processor
RoleDecides the purpose and means of processingProcesses data on the fiduciary's behalf
Typical exampleYour business collecting customer dataCloud host, payroll provider, marketing agency
Legal responsibilityFull responsibility under the ActContractual obligations to the fiduciary
Liability for vendor mistakesYes, the fiduciary stays legally responsibleAnswerable to the fiduciary via contract

This is the point most businesses get wrong: "our vendor handles the data" is not a defence. If your payroll provider or cloud vendor leaks your customers' data, the Data Protection Board comes to you. That is why vendor contracts are mandatory, and why checking them is part of our free audit.

Significant Data Fiduciary: The Higher Bar

The government can designate high-volume or high-risk businesses as Significant Data Fiduciaries (SDFs), based on the volume and sensitivity of data processed and the risk involved. SDFs carry extra duties, and failures cost up to ₹150 crore per violation.

India-Based DPO

A Data Protection Officer based in India, senior enough to report to the board, with a published contact for grievances.

Annual Independent Audits

Yearly audits by an independent auditor to verify that data protection obligations are actually being met.

DPIAs & Algorithmic Checks

Periodic Data Protection Impact Assessments plus due diligence on algorithms that process personal data.

Finance, insurance, and other data-heavy sectors are the most likely SDF candidates. Not sure if you would qualify? That is one of the questions our free audit answers.

Check My Fiduciary Obligations, Free

Fiduciary Duties Come with Deadlines

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building fiduciary compliance takes 2-6 months, so the safe window to start is now.

Want the Complete DPDP Picture?

The Data Fiduciary role is one piece of the Act. Our main guide covers deadlines, penalties, rights, consent, and everything else in one place.

Learn Everything About DPDP Compliance

Data Fiduciary: Frequently Asked Questions

Who is a Data Fiduciary under the DPDP Act?

Any entity that decides the purpose and means of processing personal data. If your business collects even one customer's email digitally, you are a Data Fiduciary with full legal responsibility for that data, including for what your vendors do with it.

You Are a Data Fiduciary. Are You a Compliant One?

One free audit tells you exactly which fiduciary obligations you already meet, and which ones could cost you.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.