If you want to understand the DPDP Act, start with the data fiduciary. It is the role on which almost every obligation in the law hangs, and the role most businesses will find themselves occupying. Get the definition right and the rest of DPDP compliance falls into place; get it wrong and you may either over-engineer your programme or, worse, miss duties that genuinely apply to you.
A data fiduciary is, in plain terms, the organisation that decides why and how personal data is processed. That decision-making power is what makes it accountable to the individuals whose data it holds — the data principals — and to the Data Protection Board of India.
This guide explains who qualifies as a data fiduciary, the full set of obligations the role carries, how it differs from a data processor, and what a fiduciary should do to meet its responsibilities under the Act and the 2025 Rules.
The definition: who decides why and how
Under the DPDP Act, a data fiduciary is any person — including a company, firm, or other body — that, alone or in conjunction with others, determines the purpose and means of processing personal data. The defining feature is control: the fiduciary is the one that decides what data is collected, for what reason, and how it will be used.
This test is functional rather than formal. You do not become a fiduciary by calling yourself one; you become one by exercising decision-making power over personal data. A startup founder choosing what customer data to collect, an HR team deciding how to process employee records, and a marketing team selecting what to do with leads are all acting for a data fiduciary.
A helpful way to test the role is to ask, for each dataset you hold, who chose to collect it and decided what it would be used for. Wherever the answer is your organisation, you are the fiduciary for that data and the Act's duties attach to you, regardless of where the data is physically stored.
Why the fiduciary carries most of the duties
The word fiduciary is deliberate. It signals a relationship of trust: because the organisation holds power over someone else's personal data, the law imposes a duty of care toward that person. That framing — inherited from years of drafting debate — is why the bulk of the Act's obligations rest here rather than on processors or individuals.
In practice this means the fiduciary is the entity the Board will hold responsible if something goes wrong. Even where data is handled by third parties, the fiduciary remains answerable to the data principal, which is why managing your processors well is part of managing your own risk.
This duty-of-care framing also shapes how regulators are likely to judge you. An organisation that can show it took its responsibilities seriously — with documented controls and good-faith effort — will be treated very differently from one that ignored them, even where an incident occurs.
Core obligations of a data fiduciary
The Act loads the fiduciary with a recognisable set of duties. Before processing on the basis of consent, it must give a clear, itemised notice and obtain valid consent. It must process data only for the stated purpose, keep it accurate, and retain it no longer than necessary before erasing it.
It must implement reasonable security safeguards to prevent breaches, report breaches to the Board and affected individuals within the prescribed timelines, honour data principal rights such as access and correction, and provide a grievance-redressal mechanism. Where it engages processors, it must do so under a valid contract.
None of these obligations is exotic, and together they form a coherent programme. The work is to translate each duty into a concrete process with a named owner, evidence that it operates, and a review cadence, so that compliance is demonstrable rather than merely intended.
Fiduciary versus processor
The distinction that confuses people most is fiduciary versus processor. A processor handles personal data on the fiduciary's behalf and under its instructions — a cloud host, a payroll vendor, an email platform. The processor does not decide the purpose of processing; it executes the fiduciary's decisions.
The simplest test is to ask who decides why the data is being processed. If your organisation makes that call, you are a fiduciary. If you merely act on another organisation's instructions, you are a processor for that activity. The same company can be a fiduciary for its own customer data and a processor for a client's data simultaneously.
Misclassifying the relationship is a common and costly error. Assuming you are merely a processor when you actually decide the purpose leaves your real obligations unmet, so it is worth documenting the fiduciary-versus-processor analysis for each significant data flow.
Joint and multiple fiduciaries
The Act recognises that more than one organisation can determine the purpose and means of processing together. In group structures, partnerships and platform businesses, several entities may share decision-making over the same data, making each a fiduciary for that processing.
Where this happens, clarity matters. Each fiduciary should understand its share of the obligations, and contracts or internal arrangements should make explicit who handles notices, rights requests and breach reporting, so that nothing falls through the cracks between organisations.
The risk in joint arrangements is diffusion of responsibility. Where everyone assumes someone else is handling notices or breach reporting, gaps appear, so a short written allocation of duties between joint fiduciaries is a cheap and valuable safeguard.
Significant data fiduciaries: a heavier tier
The Act allows the Government to designate certain fiduciaries as significant data fiduciaries based on the volume and sensitivity of the data they process and the risks involved. These organisations face extra duties: appointing a Data Protection Officer based in India, conducting Data Protection Impact Assessments, and commissioning independent data protection audits.
Most businesses will be ordinary fiduciaries, but high-volume platforms and data-intensive operators should plan for the possibility of designation, because the additional obligations take real time and resource to stand up.
Because designation can arrive with limited lead time, large data handlers should pre-position the governance a significant data fiduciary needs. Treating readiness for that designation as a contingency plan, rather than a surprise, turns a potentially disruptive notification into a routine step.
What a fiduciary should do in practice
Becoming a compliant fiduciary follows a logical sequence. Map the personal data you hold and tie each use to a lawful basis. Rewrite notices and consent capture so they meet the Rules. Implement security safeguards, build rights and grievance workflows, and contract properly with your processors.
Then operationalise it: assign owners to each obligation, keep records that demonstrate compliance, and monitor continuously rather than treating the work as a one-off. A fiduciary that can show its decisions and its controls is in a far stronger position than one that merely intends to comply.
Recordkeeping deserves special emphasis. Under a regime where the fiduciary must answer to the Board, the difference between compliant and non-compliant is often simply whether you can produce evidence — notices issued, consents captured, controls operating — on request.
The bottom line
If your organisation decides why and how personal data of people in India is processed, you are a data fiduciary, and the DPDP Act's central obligations apply to you. The role is demanding but well defined, and the duties map onto a manageable programme of notices, consent, security, rights and recordkeeping.
Treat the fiduciary relationship as what its name implies — a position of trust — and the compliance work becomes less about avoiding penalties and more about being a responsible custodian of the data people entrust to you.
Adopting that custodial mindset early also future-proofs you. As guidance and Board decisions refine what the duties mean in practice, an organisation already operating to the spirit of the Act will adapt far more easily than one that built only to the bare letter.