
Who is a Data Fiduciary Under DPDP? Roles, Obligations, and Penalties

Supriya Mehta · February 2, 2026 · 12 min read

The term "Data Fiduciary" appears 97 times across the DPDP Act, 2023. It is the Act's load-bearing concept. Every obligation, every penalty ceiling, every compliance requirement flows from one question: are you a Data Fiduciary?

Most Indian businesses are. And most of them have not yet grasped what that means.

I reviewed the privacy documentation of over 30 Indian SaaS companies last quarter. Not one of them used the term "Data Fiduciary" correctly in their privacy policies. Several still referenced the old IT Act's "body corporate" framework. A handful had copied GDPR-style "data controller" language and assumed it was equivalent. It is not. The DPDP Act creates a distinct legal category with its own obligations, and treating it as a synonym for GDPR's "controller" will leave gaps in your compliance program.

Key Takeaways

  • Under Section 2(i) of the DPDP Act 2023, a Data Fiduciary is any person who determines the purpose and means of processing personal data, whether alone or jointly with others.
  • Data Fiduciaries bear full compliance responsibility under Section 8, even when processing is outsourced to a Data Processor.
  • Obligations include: providing notice before collecting consent, implementing reasonable security safeguards, notifying breaches within 72 hours, and erasing data when the purpose is fulfilled.
  • The penalty for a security failure leading to a breach is up to ₹250 crore per violation. Non-compliance with basic obligations can attract up to ₹50 crore.
  • As of February 2026, there is no small business exemption. Every entity that determines the purpose and means of processing personal data is a Data Fiduciary.

What is a Data Fiduciary Under the DPDP Act?

Section 2(i) of the Digital Personal Data Protection Act, 2023 defines a Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."

Three words do the heavy lifting here: purpose, means, and determines.

Purpose is the "why." Why are you collecting this email address? To send order confirmations. To run marketing campaigns. To share with a third-party analytics vendor. Each purpose triggers separate obligations under the Act.

Means is the "how." What systems process the data? What security controls protect it? How long do you retain it? Where is it stored?

Determines is the critical qualifier. If your organisation makes the decisions about what data to collect, why to collect it, and how to process it, you are the Data Fiduciary. Not your IT vendor. Not your cloud provider. Not the developer who built your CRM. You.

This is true regardless of your company's size, revenue, or headcount. The DPDP Act does not include a small business threshold or turnover exemption. A 10-person startup collecting customer email addresses for a waitlist page is a Data Fiduciary under the same definition as Reliance Jio.

For a complete walkthrough of how the DPDP Act structures its framework, see our complete guide to the DPDP Act 2023.

How is a Data Fiduciary Different from a Data Processor?

This distinction is where most confusion lives. Section 2(k) defines a Data Processor as "any person who processes personal data on behalf of a Data Fiduciary." The key phrase: on behalf of.

A Data Processor follows instructions. A Data Fiduciary gives them.

| Aspect | Data Fiduciary | Data Processor |
| --- | --- | --- |
| Definition | Determines purpose and means of processing (Section 2(i)) | Processes data on behalf of a Data Fiduciary (Section 2(k)) |
| Decision authority | Decides what data to collect, why, and how | Follows the Fiduciary's instructions |
| Compliance obligation | Bears full compliance responsibility under the Act | Bound by contract; no direct obligations under the Act |
| Breach notification | Must notify DPBI and affected Data Principals | Must notify the Data Fiduciary |
| Consent collection | Responsible for obtaining valid consent | Not responsible for consent |
| Penalty exposure | Up to ₹250 crore per violation | No direct penalty under DPDP (contractual liability only) |
| Example | An e-commerce company collecting customer data | AWS hosting the e-commerce platform's database |

Here is the subtlety that trips up Indian businesses: the same organisation can be both a Data Fiduciary and a Data Processor, depending on the context. A payroll software company is a Data Processor when it processes salary data on behalf of its client companies. But it is a Data Fiduciary for its own employees' data, and for the personal data it collects from visitors on its marketing website.

Crucially, Section 8(1) of the DPDP Act places all compliance obligations on the Data Fiduciary, "irrespective of any agreement to the contrary." You cannot outsource your legal responsibility by inserting a clause in your vendor agreement that says "the processor bears all liability." The Act does not recognise such clauses.

What are the Obligations of a Data Fiduciary?

Section 8 of the DPDP Act sets out eight categories of obligation. Each one carries its own penalty ceiling if breached. Here is what they require in practice.

1. Provide Notice Before Collecting Consent (Section 5)

Before collecting personal data, a Data Fiduciary must provide a clear notice to the Data Principal specifying:

  • What personal data is being collected
  • The specific purpose for which it will be processed
  • How the Data Principal can exercise their rights under the Act
  • How to file a complaint with the Data Protection Board of India

The DPDP Rules 2025 specify that this must be a standalone notice, accessible and readable on its own. Burying it in paragraph 47 of your Terms of Service does not qualify.

2. Obtain Valid Consent (Section 6)

Consent under the DPDP Act must be free, specific, informed, unconditional, and demonstrated through a clear affirmative action. Pre-ticked checkboxes, implied consent through continued browsing, and bundled consent toggles all fail this standard.

Section 6(4) further requires that withdrawal of consent must be as easy as giving it. If a user can consent with one click, you cannot require twelve steps to withdraw.

3. Process Only for the Stated Purpose (Section 8(1))

Data collected for one purpose cannot be repurposed without fresh consent. If a customer provided their phone number for delivery updates, you cannot add it to your promotional SMS list without a separate, explicit consent.

4. Ensure Data Accuracy (Section 8(3))

When personal data is used to make decisions affecting the Data Principal, or when it is shared with another Data Fiduciary, the data must be complete, accurate, and consistent. This obligation has teeth in sectors like lending, insurance, and hiring, where incorrect data can directly harm individuals.

5. Implement Reasonable Security Safeguards (Section 8(4))

Section 8(4) requires every Data Fiduciary to protect personal data through "reasonable security safeguards" to prevent breaches. The DPDP Rules 2025 have operationalised this requirement. The mandated safeguards include:

  • Encryption, obfuscation, masking, or virtual tokenisation of personal data
  • Strict access controls on computer resources handling personal data
  • Continuous logging and monitoring of data access
  • Retention of access logs for at least one year
  • Verified backup and business continuity systems

This is the obligation with the highest penalty exposure: ₹250 crore for a failure that results in a personal data breach.

6. Notify Breaches Within 72 Hours (Section 8(6))

If a personal data breach occurs, the Data Fiduciary must notify both the Data Protection Board of India and each affected Data Principal. The DPDP Rules 2025 specify a 72-hour notification window to the Board. The clock starts when the breach is identified, not when the internal investigation concludes.

7. Erase Data When the Purpose is Fulfilled (Section 8(7))

Personal data must be erased once the purpose for which it was collected has been fulfilled and retention is no longer necessary for that purpose. The DPDP Rules 2025 add a specific provision: for certain data categories, if the Data Principal has not approached the Data Fiduciary for a specified period, the data must be erased after providing a 48-hour notice.

You cannot retain customer data indefinitely on the theory that "we might need it someday." Every retained record needs a defensible purpose.
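As an added illustration (not from the original article and not ComplyZero's code), here is a small Python retention scheduler that applies the erasure rule just described: an inactive record gets a 48-hour notice and is erased only if the Data Principal does not return within that window. The inactivity period is a placeholder assumption, as are the sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the inactivity period is a placeholder; the Rules fix it per data category.
INACTIVITY_PERIOD = timedelta(days=365)
NOTICE_WINDOW = timedelta(hours=48)        # the 48-hour notice described above

@dataclass
class Record:
    principal_id: str
    purpose: str
    last_contact: datetime                 # when the Data Principal last approached us
    notice_sent_at: Optional[datetime] = None
    erased: bool = False

def decide(rec: Record, now: datetime) -> str:
    """Classify one record: keep / notify / wait / erase / erased."""
    if rec.erased:
        return "erased"
    if now - rec.last_contact < INACTIVITY_PERIOD:
        return "keep"                      # still within the retention purpose
    if rec.notice_sent_at is None or rec.notice_sent_at < rec.last_contact:
        return "notify"                    # inactive and no live notice outstanding
    if now - rec.notice_sent_at >= NOTICE_WINDOW:
        return "erase"                     # notice period elapsed without a response
    return "wait"                          # notice sent, 48 hours not yet up

def run_cycle(records: list, now: datetime) -> dict:
    """Apply the decisions; return {principal_id: action} for the audit trail."""
    actions = {}
    for rec in records:
        action = decide(rec, now)
        if action == "notify":
            rec.notice_sent_at = now       # notice dispatch would happen here
        elif action == "erase":
            rec.erased = True              # the actual deletion would happen here
        actions[rec.principal_id] = action
    return actions

def demo(now: Optional[datetime] = None) -> tuple:
    """Constructed sample records; returns the actions of two consecutive cycles."""
    now = now or datetime.now(timezone.utc)
    d = timedelta
    records = [
        Record("p1", "order updates", now - d(days=30)),                    # active
        Record("p2", "newsletter", now - d(days=400)),                      # no notice yet
        Record("p3", "newsletter", now - d(days=400), now - d(hours=10)),   # notice pending
        Record("p4", "newsletter", now - d(days=400), now - d(hours=50)),   # notice expired
        Record("p5", "newsletter", now - d(days=1), now - d(days=3)),       # came back
    ]
    return run_cycle(records, now), run_cycle(records, now)
```

A principal who re-engages after a notice (p5) falls back to "keep", so a stale notice never triggers erasure on its own.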

8. Use Valid Contracts with Data Processors (Section 8(2))

When engaging any Data Processor, the Data Fiduciary must have a valid contract in place. This is not optional. Section 8(2) makes it a statutory requirement, and the Data Fiduciary remains liable for the Processor's actions regardless of what the contract says.

What Additional Obligations Apply to Significant Data Fiduciaries?

Section 10 of the DPDP Act creates a second, heightened compliance tier. The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors including the volume and sensitivity of data processed, risk to Data Principals' rights, and potential impact on sovereignty and national security.

SDFs face four additional obligations on top of everything listed above:

| Additional SDF Obligation | DPDP Act Reference | Practical Impact |
| --- | --- | --- |
| Appoint a Data Protection Officer based in India | Section 10(2)(a) | Must be a senior officer who represents the SDF before the Board |
| Appoint an independent data auditor | Section 10(2)(b) | Annual compliance audit by a qualified, independent auditor |
| Conduct a Data Protection Impact Assessment | Section 10(2)(c) | Periodic assessment of risk to Data Principal rights from processing activities |
| Periodic compliance audit | Section 10(2)(b) | Auditor evaluates compliance across all Act obligations |

The penalty ceiling for SDF non-compliance is ₹150 crore, on top of any penalties for breaching the standard Data Fiduciary obligations.

As of February 2026, the Central Government has not yet published the criteria or notification designating specific entities as SDFs. This notification is expected before the May 2027 full enforcement date. Large technology platforms, major financial institutions, and telecom operators are widely expected to receive SDF designation.

What Penalties Does a Data Fiduciary Face for Non-Compliance?

The penalty structure under the DPDP Act is calibrated by violation type, with each category carrying its own ceiling:

| Violation | Maximum Penalty | Relevant Section |
| --- | --- | --- |
| Failure to implement reasonable security safeguards leading to a breach | ₹250 crore | Schedule, Item 1 |
| Failure to notify the DPBI and affected Data Principals of a breach | ₹200 crore | Schedule, Item 2 |
| Non-compliance with children's data obligations | ₹200 crore | Schedule, Item 3 |
| Non-compliance with SDF-specific obligations | ₹150 crore | Schedule, Item 4 |
| Non-compliance with other obligations (consent, notice, retention, accuracy) | ₹50 crore | Schedule, Item 5 |

Note that these are per-violation ceilings, not annual caps. A Data Fiduciary with multiple systemic failures could face cumulative penalties significantly exceeding any individual ceiling. A company that simultaneously fails to obtain valid consent, lacks security safeguards, and then suffers a breach it fails to report could theoretically face penalties under three separate items of the Schedule.

The Data Protection Board has discretion in setting the actual penalty amount. Section 33 requires the Board to consider the nature, gravity, and duration of the contravention; the type of personal data affected; whether the fiduciary took voluntary corrective action; and any aggravating or mitigating circumstances.

How Do You Determine If Your Business is a Data Fiduciary?

If you need a practical test, ask these three questions about any personal data your organisation handles:

1. Did your organisation decide to collect this data? If you chose to add a sign-up form to your website, mandated phone numbers at checkout, or required Aadhaar for KYC, you decided to collect. That is a fiduciary decision.

2. Did your organisation define why this data is being processed? If you determined that customer emails would be used for marketing newsletters, or that purchase history would feed your recommendation engine, you defined the purpose. Another fiduciary decision.

3. Did your organisation choose the systems and methods for processing? If you selected Razorpay for payments, AWS for hosting, or HubSpot for CRM, you chose the means. Fiduciary again.

If the answer to any of these is yes, you are a Data Fiduciary for that data. The entity on the other side, the one receiving your instructions and processing data according to your specifications, is likely your Data Processor.

Common Mistakes Indian Businesses Make About Data Fiduciary Status

Having reviewed dozens of compliance programs in the past year, I see the same errors repeatedly.

Mistake 1: "We're just a platform; our users are the Data Fiduciaries." Marketplace platforms, SaaS tools, and aggregator apps frequently make this argument. It rarely holds. If your platform determines what data is collected during registration, sets the privacy policy, and decides how long records are retained, you are the Data Fiduciary, not your sellers or end users.

Mistake 2: "Our cloud provider handles all the data, so they're responsible." AWS, Azure, and GCP are your Data Processors. They process data on your behalf, per your instructions. Section 8(1) is explicit: the Data Fiduciary bears compliance responsibility "irrespective of any agreement to the contrary." Your cloud provider's DPA does not transfer your obligations.

Mistake 3: "We don't collect sensitive data, so the Act doesn't apply to us." The DPDP Act does not distinguish between sensitive and non-sensitive personal data. A name, an email address, and a phone number are personal data under Section 2(t). If you collect any of these, you are processing personal data and the Act applies.

Mistake 4: "We'll deal with this when penalties start." Full enforcement begins May 13, 2027. Building compliant consent mechanisms, updating privacy notices, establishing Data Subject Request workflows, mapping data flows, and training staff takes most organisations six to twelve months. Waiting until the penalty regime activates leaves no margin for implementation.

Mistake 5: "We've copied our GDPR framework, so we're covered." GDPR compliance gives you a useful foundation but it is not sufficient. The DPDP Act does not recognise "legitimate interest" as a legal basis for processing. The children's data threshold is 18, not 16. Breach notification goes to the DPBI, not a supervisory authority. These are not cosmetic differences; they require genuine operational changes. For a detailed comparison of the two frameworks, see our complete guide to the DPDP Act 2023.

Frequently Asked Questions

Is every Indian company a Data Fiduciary under the DPDP Act?

Not every company, but nearly every company that handles customer or employee data digitally. Under Section 2(i) of the DPDP Act 2023, any entity that determines the purpose and means of processing digital personal data qualifies as a Data Fiduciary. There is no exemption based on company size, revenue, or employee count. If your business collects names, emails, phone numbers, or any other personal data and decides how that data is used, you are a Data Fiduciary.

What is the difference between a Data Fiduciary and a Data Controller?

The DPDP Act uses "Data Fiduciary" where the EU's GDPR uses "Data Controller." While the core concept is similar (the entity that decides what data to collect and why), the term "fiduciary" carries a stronger connotation of trust and duty under Indian law. More practically, the obligations differ: the DPDP Act does not include "legitimate interest" as a processing ground, applies a higher age threshold for children's data (18 vs. 16), and has its own breach notification regime through the DPBI rather than supervisory authorities.

Can a company be both a Data Fiduciary and a Data Processor?

Yes. This is common, particularly for B2B SaaS companies. A payroll software provider is a Data Processor for the employee data it handles on behalf of its clients, but a Data Fiduciary for its own employees' data and for visitor data collected through its website. The classification depends on context: for each category of personal data, you must determine whether you are deciding the purpose and means (Fiduciary) or acting on someone else's instructions (Processor).

Does the DPDP Act apply to sole proprietors and freelancers?

Yes, if they process personal data digitally and determine the purpose and means of processing. A freelance consultant who maintains a client database, a sole proprietor running an online store, or a CA firm handling client financial records digitally all qualify as Data Fiduciaries under Section 2(i). The Act's applicability is determined by the nature of data processing, not the legal structure of the entity.

When does a Data Fiduciary need to appoint a Data Protection Officer?

Only Significant Data Fiduciaries (SDFs) are required to appoint a DPO under Section 10(2)(a) of the DPDP Act. As of February 2026, the Central Government has not published the SDF designation criteria. Ordinary Data Fiduciaries are not required to appoint a DPO, though they must still designate someone to receive and respond to Data Principal grievances under Section 13.

Simplify Your DPDP Compliance

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

Determining your Data Fiduciary status is step one. The real work is building the consent mechanisms, security safeguards, breach protocols, and data retention policies the Act requires, and keeping them current as the Rules evolve. ComplyZero's self-serve platform helps Indian businesses implement DPDP compliance in minutes, not months: automated consent management, privacy notices in 22 Indian languages, and audit-ready compliance records, all without needing to hire a consultant.

Join the waitlist to get early access before enforcement begins in May 2027.
