Data fiduciary under DPDP — printed DPDP Act Section 2(i) close-up, Sirius Star

Who is a data fiduciary under DPDP? Plain-English guide for Indian businesses


A data fiduciary under DPDP is something your company became the day it collected its first personal data field, whether anybody on the leadership team realised it or not. Last quarter we ran a DPDP scoping call with Rakesh, the COO of a 280-person Bengaluru edtech. He opened with, “We are not collecting personal data, we are just helping kids learn.” Forty minutes later we had counted 92,000 student records on his servers, approx 18,000 of them belonging to children under 14, plus 3 years of parent payment data, teacher KYC, and Aadhaar-linked refund logs. That is the gap this post closes. Most Indian mid-size companies do not know they are a data fiduciary under DPDP until a notice arrives. By then the penalty math has already started.


This post explains what a data fiduciary under DPDP is, who qualifies, the nine obligations you signed up for by collecting personal data, and a 5-step readiness path your CFO will sign even if your legal team has quoted Rs.18 lakh a year for an in-house Data Protection Officer. It also covers how to get audit-ready in 90 days even if you have never written a privacy policy. Boss, this is not the kind of question you want your auditor asking first.

Data fiduciary, data processor, data principal: the three-role table

Before anything else, get the three DPDP roles straight. Most legal-team confusion comes from blurring these. The role you play is the role the law holds responsible. A data fiduciary under DPDP is not the same as a data processor and absolutely not the same as a data principal.

| Role | Plain-English meaning | Who is liable when something breaks | Typical example in an Indian company |
|---|---|---|---|
| Data Fiduciary | The company that decides why and how personal data is collected and used | Yes. Primary legal liability under DPDP sits here. | The edtech that owns the student database, the BFSI that owns the loan book, the hospital that owns the patient file |
| Data Processor | A vendor processing personal data on behalf of the fiduciary, under contract | Limited. Liability flows back to the fiduciary unless the processor acted outside contract. | The payroll vendor, the cloud hosting provider, the email-marketing tool, the call-centre BPO |
| Data Principal | The natural person whose personal data is being processed | None. Has rights, not obligations. | The student, the borrower, the patient, the employee, the marketing-list subscriber |

Most Indian mid-size companies are a data fiduciary for some data (their own customer records) and a data processor for other data (data their enterprise clients hand them to process). Both roles can sit inside the same company. The 9 obligations below apply only when you are the fiduciary.

What is a data fiduciary in plain English

Section 2(i) of the DPDP Act, 2023 defines a Data Fiduciary as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” Strip the legalese and the test is one sentence. If your company decides why this data is being collected and how it is being used, you are a data fiduciary under DPDP. Not the vendor you outsourced storage to. You.

This catches more companies than people expect. The 12-person SaaS startup with a 30,000-row email list is a data fiduciary. The 200-person staffing firm with a candidate database is a data fiduciary. The 800-person manufacturing company with a vendor-onboarding form that collects Aadhaar and PAN is a data fiduciary. There is no minimum company size, minimum revenue, or minimum data volume that exempts you. The Act is written on intent, not scale.

Rakesh on our scoping call kept circling back to the same question. “But if we are just helping kids learn, are we really a fiduciary?” The answer became obvious once we listed the decisions his company made every day. Who can sign up. Which fields are mandatory. How long records are retained. Which third parties get a copy. Whether a parent can request deletion. Every one of those is a “purpose and means” decision. Forty thousand of those decisions stack up to “you are absolutely a data fiduciary under DPDP.”

Getting this right classifies your company under the correct DPDP role from day one, so the legal team and the IT team stop arguing about who owns the privacy programme, which means the next regulator notice lands on a defined desk with a documented owner rather than in three different inboxes that each think someone else has it.

The 9 obligations every data fiduciary must meet

Sections 4 to 11 of the DPDP Act lay out what a data fiduciary actually has to do. We translate them below into operating-day language a COO can act on. None of these is optional. All nine apply the moment you start collecting personal data, not the moment a notice arrives.

  1. Lawful basis and notice. Collect personal data only for a lawful purpose and only after giving the data principal a clear notice, in English or any of the 22 scheduled Indian languages, explaining what you collect, why, and how. Buried “by signing up you agree” footers do not count. Notice must be itemised.
  2. Consent and consent withdrawal. Where consent is the lawful basis, the consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action. The data principal can withdraw consent at any time and you must honour the withdrawal “as easily as it was given.” If your signup is one click, your withdrawal must be one click. Most consent flows in India today fail this test.
  3. Purpose limitation and data minimisation. Use the data only for the stated purpose. Do not collect more fields than you need. The vendor-onboarding form that asks for Aadhaar when PAN was sufficient is a purpose-limitation breach waiting to happen.
  4. Accuracy. Make reasonable effort to keep the data accurate, complete, and up to date. For an edtech this means a working “update my profile” flow, not a customer-care queue.
  5. Reasonable security safeguards. Implement technical and organisational measures. The Act does not enumerate the controls; the upcoming DPDP Rules will. In practice “reasonable” today means encryption at rest and in transit, role-based access controls, an audit trail, and a documented breach-response runbook. Nothing exotic, all auditable.
  6. Personal data breach reporting. Notify the Data Protection Board of India and each affected data principal of a personal data breach within the timeline that the DPDP Rules will specify (the consultation draft suggests 72 hours from awareness, mirroring GDPR). Have the runbook ready.
  7. Erasure on completion of purpose or consent withdrawal. Once the purpose is complete or consent is withdrawn, erase the personal data, unless retention is required by another law. This is the obligation Indian companies most consistently fail. Old CRM records, ex-employee files, and candidate databases from 4 years ago are routine ticking time bombs.
  8. Data Protection Officer or contact point. A Data Fiduciary must publish a point of contact for data principal grievances. A Significant Data Fiduciary (see next section) must appoint a Data Protection Officer based in India. Even non-SDF companies should publish a privacy@yourcompany.in or grievance officer email today.
  9. Children’s data. Obtain verifiable parental consent before processing children’s data. No tracking, behavioural monitoring, or targeted advertising aimed at children. For edtech, paediatric healthcare, and any consumer product whose users could include under-18s, this clause is binding regardless of your revenue.

These are the nine. The full operational depth of each lives inside our Secure Data Guard practice page, which carries the DPIA template library, the breach-response runbook, and the 9-obligation maturity scorecard our team uses on every scoping call.

Significant data fiduciary: are you crossing the threshold

A Significant Data Fiduciary (SDF) is a data fiduciary under DPDP that the Central Government has notified as significant based on volume and sensitivity of personal data processed, risk of harm, impact on sovereignty and integrity of India, risk to electoral democracy, and impact on public order. The criteria are deliberately broad. The Government will notify SDFs through future rules and gazette entries.

What we tell clients today, pending the final SDF notification: if you process any of the following, assume you will eventually be classified SDF and plan accordingly.

  • Children’s personal data at scale, edtech and paediatric healthcare being the obvious cases
  • Financial or credit data of more than approx 50,000 data principals
  • Health records, especially sensitive personal data under Indian medical regulation
  • Biometric data of any volume
  • Location data of more than approx 100,000 data principals in real time
  • Personal data of public officials, journalists, or persons subject to political or electoral context

The three additional obligations that kick in when you become an SDF are: appoint a DPO based in India (Section 10(2)(a)); appoint an independent data auditor to evaluate compliance (Section 10(2)(b)); conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits (Section 10(2)(c)). These are not paperwork. Each adds approx Rs.4 to 12 lakh a year of operating cost if you build it in-house.

Rakesh’s edtech is the textbook SDF candidate because of the children’s-data exposure. We told him on the call to plan for SDF designation by Q4 of this financial year, even though no official notification exists yet. Better to be over-prepared than to retrofit a DPO programme inside 30 days of a gazette entry.

The penalty math: what a missed obligation actually costs

The DPDP Act’s Schedule lists penalty caps per category of breach. The headline number, Rs.250 crore for the most serious breaches (failure to implement reasonable security safeguards, leading to a personal data breach), grabs the news. The smaller numbers grab the operating budget.

  • Failure to take reasonable security safeguards: up to Rs.250 crore
  • Failure to notify a personal data breach to the Board and affected principals: up to Rs.200 crore
  • Failure to fulfil obligations to children: up to Rs.200 crore
  • Failure of an SDF to comply with additional obligations: up to Rs.150 crore
  • Failure to honour data principal rights or other general non-compliance: up to Rs.50 crore

The Data Protection Board is empowered to impose these per breach, not per company per year. A mid-size firm that misses on three obligations in one incident is staring at a stacked penalty exposure. We broke down what these numbers mean in operating terms for a 200 to 500 person company in our penalty math for mid-size companies post, which is the closest thing to a worked-example PDF the Indian market has right now.

Most companies treat DPDP like an IT compliance checkbox. It is not. It is a board-level fiduciary duty that travels with the data wherever it goes. The auditor knows it. The Data Protection Board will know it. The Indian press will know it the day the first SDF penalty lands. The board is usually the last to find out. The lazy assumption that “DPDP is the IT team’s problem” has cost companies their CISO and their COO inside the same quarter in three of our client engagements.

A 5-step data fiduciary readiness checklist

This is the operating model we run with every new client in the first 90 days. The order matters. Skipping step 1 to start step 3 (which most companies do) is the single most common reason a DPDP programme stalls inside six months.

Step 1, Week 0 to 2: Personal data inventory. Map every column in every system that contains personal data. Yes, every column. CRM, HRIS, payroll, ticketing, ATS, ERP, email-marketing, support-chat, call-recording, the shared Google Drive folder the founder still uses. Tag each column by purpose, lawful basis, retention period, and onward recipients. Output is a master register in a spreadsheet. Approx 60 to 90 hours of senior-IT and process-owner time across the org. This is the artefact every other step builds on.

Step 2, Week 2 to 4: Role classification. For each data category in the register, mark whether you are the data fiduciary under DPDP or a data processor. Map who is your fiduciary or processor on each row. This is where you discover the four sub-processors your CRM vendor has been using without your written authorisation. Fix the contracts now, before the notice arrives.

Step 3, Week 4 to 6: Notice and consent rework. Rewrite your privacy notice in plain language. Itemise the data, the purpose, the recipients, the retention period. Rework your consent flows so withdrawal is as easy as signup. Most companies need to rebuild their signup UI; this is a product engineering project, not a legal one.

Step 4, Week 6 to 10: Reasonable security safeguards. Encryption at rest and in transit, role-based access control with a quarterly access review, audit log retention for at least 6 months (we recommend 12), breach-response runbook with named owner and 72-hour clock, vendor DPIA template for new processor contracts. None of this is technically hard. The hard part is sustaining it for 18 months. This is the obligation that survives or kills you on the first audit.

Step 5, Week 10 to 12: DPO scoping and grievance flow. If you are SDF-likely, appoint a DPO. If you are not, publish a grievance officer email and SLA, log every grievance, respond inside the SLA. We cover the cost trade-off between in-house DPO and outsourced DPO retainer in the next section.
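As an added example (not Sirius Star's tooling or any DPDP-mandated format), the Step 1 register and the Step 2 role tags can be checked mechanically against obligations 1, 7 and 9 and the sub-processor authorisation point; the systems, columns, dates and retention periods below are constructed sample data modelled loosely on the edtech in this post.

```python
"""Register checker over a constructed Step 1 personal data inventory.
Obligation numbers refer to the nine-obligation list in this post.
All rows, dates and retention periods are invented sample values."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class RegisterRow:
    system: str
    column: str
    purpose: str
    lawful_basis: str                 # "consent", "contract", ... or "" if undocumented
    retention_days: int               # retention period tagged in Step 1
    last_purpose_activity: date       # last date the stated purpose was active
    recipients: list = field(default_factory=list)  # onward recipients / sub-processors
    role: str = "fiduciary"           # Step 2 tag: "fiduciary" or "processor"
    children_data: bool = False
    parental_consent_verified: bool = False
    recipients_authorised: bool = True  # written authorisation exists for every recipient


def check_row(row, today):
    """Return the list of findings for one register row."""
    findings = []
    if row.role != "fiduciary":
        return findings  # the nine obligations bind only the fiduciary
    if not row.lawful_basis:
        findings.append("obligation 1: no lawful basis documented")
    if today - row.last_purpose_activity > timedelta(days=row.retention_days):
        findings.append("obligation 7: retention period exceeded, erase or justify")
    if row.children_data and not row.parental_consent_verified:
        findings.append("obligation 9: children's data without verifiable parental consent")
    if row.recipients and not row.recipients_authorised:
        findings.append("step 2: onward recipients lack written authorisation")
    return findings


def check_register(rows, today):
    """Map 'system.column' to its findings so the COO can read drift per field."""
    return {f"{r.system}.{r.column}": check_row(r, today) for r in rows}


# Constructed sample register (hypothetical systems and values).
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    RegisterRow("lms", "student_email", "course delivery", "consent", 365,
                date(2025, 3, 1), ["email-marketing tool"], children_data=True,
                parental_consent_verified=True),
    RegisterRow("lms", "student_test_scores", "progress reports", "consent", 365,
                date(2025, 5, 20), ["analytics vendor"], children_data=True,
                parental_consent_verified=False, recipients_authorised=False),
    RegisterRow("crm", "lead_phone", "sales follow-up", "", 180, date(2024, 9, 1)),
    RegisterRow("payroll-client-x", "employee_pan", "client payroll", "contract", 2555,
                date(2020, 1, 1), role="processor"),
]

if __name__ == "__main__":
    for key, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(key, findings or ["ok"])
```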

Priya, our Compliance Lead, pushed back on this sequence in our Monday review last week. Her counter was that BFSI clients should run steps 1 and 4 in parallel, not sequentially, because RBI cyber-security inspection windows do not wait for a 90-day DPDP plan. She is right for BFSI. For edtech, healthcare, and most SaaS, the sequential order above produces a cleaner audit trail.

How to scope a DPO appointment without overpaying

An in-house full-time DPO at the right experience level (CIPM or CDPSE certified, 5 to 8 years of privacy work, Indian regulator exposure) lands at approx Rs.18 to 30 lakh per year all-in. That is the cost of an outsourced engineering manager or a senior product lead. For most 100 to 500 person Indian companies, that is not the right first move. The right first move is an outsourced DPO retainer at approx Rs.3.5 to 7 lakh per year, scaled to your data principal count and breach risk. You get the same legal coverage at a third of the cost, plus the breach-response runbook is already written.

By the way, did you know the DPDP Rules consultation draft suggests the DPO can be a body corporate, not a named individual? That changes the procurement decision materially. If you scope a DPO contract today as an “outsourced privacy practice” rather than a “person we are about to hire,” you can defer the headcount and the recruitment cycle by two years, sometimes three. Most legal teams have not yet caught up to this language in the draft Rules. Worth raising the question on your next vendor call, jugaad-style.

A separate but real concern from CFOs we work with: how to track personal data spreading across employee laptops in tier-2 city offices. If your data fiduciary programme is policy-only and not enforced on the endpoint, your reasonable-security-safeguard obligation is technically unmet. We address that on the Device Lifecycle Management practice page; for any 100-plus device fleet inside a DPDP-regulated company it is one of the cheapest controls to deploy first.

For the authoritative legal text and the latest amendments, the PRS India DPDP Act page is the source we cross-check against on every scoping call. PRS tracks the Rules drafts and the gazette notifications faster than most law firms publish summaries.

Ananya’s take

When I started running outsourced DPO engagements in 2024 we were the first to tell clients that “data fiduciary” is not a marketing word in a privacy policy template. It is a working description of who is legally on the hook when a parent emails asking why a child’s test scores were shared with a third-party analytics vendor. Most companies are still figuring this out one painful question at a time. The companies that survive the first DPDP enforcement wave will not be the ones with the longest privacy policy. They will be the ones whose COO can name, on the phone, in 30 seconds, the data fiduciary’s nine obligations and which one is most behind. Boss, that is the test. I have seen it work and I have seen it fail. The companies that fail are the ones that started step 3 before step 1.

One thing I would add to the checklist that did not make it into our standard onboarding deck: every quarter, set a 90-minute slot on the COO’s calendar to review the data inventory drift. Personal data fields creep into systems with every new product feature, every new vendor, every new HR form. If nobody on the leadership team has ownership of that drift, the inventory is stale inside two quarters. Sometimes you definitely don’t realise until the audit. That recurring slot, yaar, is the cheapest control you can put in place today.

Free DPDP readiness check for data fiduciaries

Book a 30-minute scoping call with the Sirius Star compliance desk. We will pull your personal data inventory in the call, classify your role under DPDP across each category, surface the two or three obligations you are most behind on, and quote an outsourced DPO retainer if SDF designation looks likely. No invoice unless we sign a retainer. Worst case, you walk away with the role-classification table populated for your company. Best case, you have a 90-day plan your CFO will sign by Friday.

Book your DPDP readiness check or WhatsApp +91 91375 93228 with the message “DPDP” and we will respond inside one business day.

P.S. The 5-step Data Fiduciary Readiness Checklist we use on every scoping call is a one-page PDF. Reply FIDUCIARY on WhatsApp (+91 91375 93228) and we will send it. It includes the personal data inventory template (Excel), the 9-obligation maturity scorecard, and the outsourced-DPO vs in-house-DPO cost comparison we walk every CFO through. Approx Rs.6,000 of compliance-consulting time, free.

Frequently asked questions

Is every Indian company automatically a data fiduciary under DPDP? If your company decides why and how personal data is collected, yes. There is no minimum size, revenue, or data volume that exempts you. The DPDP Act applies on intent, not scale. A 5-person startup with a 1,000-row mailing list is a data fiduciary the same way an 800-person manufacturer with an employee database is.

What is the difference between a data fiduciary and a data controller under GDPR? The functional role is essentially the same. Data Fiduciary under DPDP is the Indian-law analog of Data Controller under GDPR. Both decide the purpose and means of processing personal data, and both carry primary liability. The DPDP Act uses “fiduciary” to signal the trust-based duty India wants to emphasise. Most multinationals operating in India will already have a GDPR-style controller framework and can extend it to meet DPDP fiduciary obligations with marginal additional work.

Do I need a Data Protection Officer if I am not a Significant Data Fiduciary? A formal DPO is required only for Significant Data Fiduciaries. Every other data fiduciary must still publish a point of contact for grievances, typically a privacy officer or grievance officer with a published email address and a defined response SLA. We recommend doing the DPO scoping work even if you are not currently SDF, because the SDF designation can be applied retrospectively once the Government notifies criteria.

What happens if I do nothing? Penalties under DPDP range from Rs.50 crore (for general non-compliance) to Rs.250 crore (for failure to implement reasonable security safeguards leading to a personal data breach). The Data Protection Board can impose these per breach, not per company per year. The first wave of enforcement is expected by May 2027 when the DPDP Rules complete their phased rollout. Companies that have not done the data inventory by then are exposed.

Can my outsourced cloud or payroll vendor be the data fiduciary instead of me? No. The role attaches to whoever decides the purpose and means of processing. Your cloud vendor or payroll vendor is your data processor, not your fiduciary. The contract between you and them must reflect this clearly, with a documented processing agreement that lists the categories of personal data, retention period, sub-processor authorisations, and breach notification timeline. Many existing vendor contracts in India do not have this clause; rewrite them now.

About the author

Ananya Reddy manages Sirius Star’s outsourced DPO engagements for clients who do not yet have a full-time privacy officer. Her background is in IT-GRC for healthcare and edtech, two sectors where children’s data and sensitive personal data rules are the hardest part of DPDP compliance. She co-owns the firm’s DPIA template library and the quarterly DPDP Rules Watch update. She is certified CIPM and CDPSE and holds a Master’s in Information Systems Security. Her writing focuses on the space between legal text and working-day reality.
