Data Fiduciary Obligations Under the DPDP Act 2023

If your business determines the purpose of processing personal data, you are a Data Fiduciary. The DPDP Act imposes seven categories of obligation. This is what compliance requires.

If You Decide What Data to Collect, the Act Applies to You

Under the DPDP Act 2023, a Data Fiduciary is any entity that determines the purpose and means of processing personal data. This includes companies, partnerships, sole proprietors, trusts, and any other body that decides what personal data to collect and why.

The classification is functional, not formal. There is no registration process to become a Data Fiduciary. If your business collects customer names, email addresses, phone numbers, payment details, or any other personal data, you are a Data Fiduciary by operation of law.

The Act imposes seven categories of obligation on every Data Fiduciary. Non-compliance carries penalties up to ₹250 crore.

The Seven Obligations

1. Lawful Basis and Consent

Every instance of data processing must have a lawful basis. In most commercial contexts, that basis is consent from the Data Principal. The consent must be free, specific, informed, unconditional, and captured through a clear affirmative action.

The Act also recognises “certain legitimate uses” where consent is not required. These include:

  • Processing for a specified purpose for which the Data Principal has voluntarily provided the data
  • Processing by the State or its instrumentalities for delivery of benefits or services
  • Processing required by law or court order
  • Processing for medical emergencies
  • Processing for employment purposes

Businesses that rely on legitimate use exemptions must document their legal basis for each processing activity.

2. Purpose Limitation

Data collected for one purpose cannot be repurposed without obtaining fresh consent. If you collect an email address to send order confirmations, you cannot add it to a marketing list without separate, explicit permission from the Data Principal.

This obligation requires businesses to maintain a clear mapping between each data element and the purpose for which it was collected.

3. Data Minimisation

Collect only the data that is necessary for the stated purpose. The Act prohibits collecting data “just in case” or because it might be useful in the future.

In practice, this means reviewing every form field, every API data request, and every third-party data enrichment service against the stated purpose. If a field is not necessary, it should not be collected.

4. Accuracy and Completeness

Personal data must remain accurate and up to date for as long as it is being processed. Stale records create liability under the Act.

This obligation works in conjunction with the Data Principal’s right to correction. When a Data Principal requests a correction, the Data Fiduciary must update the data and propagate the correction to all systems and third parties that hold the original data.

5. Storage Limitation

Personal data must be deleted once the purpose for which it was collected has been fulfilled. The Act does not permit indefinite retention without justification.

Businesses must implement retention policies that define:

  • How long each category of data will be retained
  • What triggers deletion (purpose fulfilment, consent withdrawal, regulatory period expiry)
  • How deletion is verified across all storage systems

If a Data Principal withdraws consent and no other lawful basis for retention exists, the data must be erased. If a customer account is closed and all contractual obligations fulfilled, the associated personal data must be deleted.
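Obligations 2 and 5 both come down to keeping an inventory in which every stored data element is bound to one purpose, and to deciding mechanically when that binding no longer justifies retention. The following is an added example, not code from the page or from any DPDP tooling: it models a purpose-bound inventory, refuses to reuse an element for a purpose it was not collected for, names the deletion trigger that fires (purpose fulfilment, consent withdrawal, or expiry of a statutory hold), and checks erasure across several stores. The purposes, the eight-year hold on invoicing records, and the sample records are constructed assumptions, not figures from the Act.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Purpose:
    name: str
    allowed_elements: frozenset[str]  # elements necessary for this purpose (minimisation)
    legal_hold: timedelta             # statutory retention after fulfilment; zero if none


@dataclass
class Record:
    principal_id: str
    element: str                      # "email", "name", ...
    purpose: str                      # key into POLICIES
    collected_on: date
    consent_active: bool = True
    fulfilled_on: date | None = None


# Constructed policy table: purposes and hold periods are illustrative assumptions,
# not figures from the Act or its rules.
POLICIES: dict[str, Purpose] = {
    "order_confirmation": Purpose("order_confirmation", frozenset({"name", "email"}), timedelta(0)),
    "invoicing": Purpose("invoicing", frozenset({"name", "billing_address"}), timedelta(days=8 * 365)),
    "marketing": Purpose("marketing", frozenset({"email"}), timedelta(0)),
}


def may_use(records: list[Record], principal_id: str, element: str, purpose: str) -> bool:
    """Purpose limitation: allowed only if this element was collected for this exact
    purpose, consent is live and the purpose is not yet fulfilled. An email collected
    for order confirmation does not satisfy a marketing lookup."""
    policy = POLICIES.get(purpose)
    if policy is None or element not in policy.allowed_elements:
        return False
    return any(
        r.principal_id == principal_id and r.element == element and r.purpose == purpose
        and r.consent_active and r.fulfilled_on is None
        for r in records
    )


def deletion_reason(record: Record, today: date) -> str | None:
    """Storage limitation: the trigger that requires erasure today, or None to retain."""
    policy = POLICIES[record.purpose]
    hold_active = (
        record.fulfilled_on is not None
        and policy.legal_hold > timedelta(0)
        and today < record.fulfilled_on + policy.legal_hold
    )
    if hold_active:
        return None                   # the statutory period is itself a lawful basis to retain
    if not record.consent_active:
        return "consent withdrawn"
    if record.fulfilled_on is not None:
        return "regulatory period expired" if policy.legal_hold > timedelta(0) else "purpose fulfilled"
    return None


def erasure_queue(records: list[Record], today: date) -> list[tuple[Record, str]]:
    """Every record that must be erased today, paired with the trigger that fired."""
    return [(r, reason) for r in records if (reason := deletion_reason(r, today))]


def unerased(stores: dict[str, set[tuple[str, str]]],
             targets: set[tuple[str, str]]) -> dict[str, set[tuple[str, str]]]:
    """Deletion verification across systems: stores that still hold a (principal, element)
    key scheduled for erasure. An empty result means erasure is verified everywhere."""
    return {name: keys & targets for name, keys in stores.items() if keys & targets}


def demo(today: date = date(2026, 3, 1)) -> dict:
    # Constructed sample inventory.
    records = [
        Record("p1", "email", "order_confirmation", date(2026, 1, 10), fulfilled_on=date(2026, 1, 12)),
        Record("p1", "name", "invoicing", date(2026, 1, 10), fulfilled_on=date(2026, 1, 12)),
        Record("p2", "email", "marketing", date(2025, 12, 1), consent_active=False),
        Record("p3", "email", "marketing", date(2026, 2, 1)),
    ]
    queue = erasure_queue(records, today)
    # An element is erased only when no other live purpose still binds it.
    live = {(r.principal_id, r.element) for r in records if deletion_reason(r, today) is None}
    targets = {(r.principal_id, r.element) for r, _ in queue} - live
    # Constructed view of three systems; only the primary store has actually erased.
    stores = {
        "primary_db": {("p1", "name"), ("p3", "email")},
        "analytics": {("p1", "email"), ("p2", "email"), ("p3", "email")},
        "backup": {("p2", "email")},
    }
    return {
        "reasons": {(r.principal_id, r.element): reason for r, reason in queue},
        "marketing_ok_p1": may_use(records, "p1", "email", "marketing"),
        "marketing_ok_p3": may_use(records, "p3", "email", "marketing"),
        "leftovers": unerased(stores, targets),
    }


if __name__ == "__main__":
    print(demo())
```

The invoicing record survives because its statutory hold is still running, which is the "other lawful basis" the text refers to; the order-confirmation email is queued as soon as the order is fulfilled, and the withdrawn marketing consent queues that email immediately. The verification step is what makes the retention policy auditable: the analytics copy and the backup still hold keys that were scheduled for erasure, which is exactly the gap a Board inquiry would ask about.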

6. Security Safeguards

Data Fiduciaries must implement “reasonable security safeguards” to prevent personal data breaches. The Act does not prescribe specific technologies, but it expects documented, demonstrable controls.

Reasonable safeguards include:

  • Encryption of personal data at rest and in transit
  • Access controls limiting data access to authorised personnel
  • Regular security assessments and vulnerability testing
  • Incident detection and breach response procedures
  • Employee training on data handling practices

The standard is “reasonable.” A startup with 50 customers is not expected to match the security infrastructure of a large bank. But it is expected to demonstrate proportionate controls.

7. Breach Notification

In the event of a personal data breach, the Data Fiduciary must notify both the Data Protection Board of India and the affected Data Principals. The notification must be prompt and must include prescribed information about the nature and extent of the breach.

Suppressed or delayed breach reporting carries independent penalties.

Significant Data Fiduciary: Additional Obligations

The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on:

  • Volume and sensitivity of personal data processed
  • Risk to the rights of Data Principals
  • Potential impact on the sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the State

SDFs face three additional obligations beyond the standard seven:

  1. Data Protection Officer (DPO): Appoint a DPO who is based in India and serves as the primary point of contact for the Data Protection Board.
  2. Data Protection Impact Assessment (DPIA): Conduct periodic assessments of data processing activities to identify and mitigate risks to Data Principals.
  3. Independent Audit: Undergo regular audits of data processing practices by an independent auditor approved by the Board.

The SDF designation thresholds have not yet been fully notified. Businesses processing data of more than a few million individuals should prepare for potential designation.

Data Processor Obligations

If your business uses third-party service providers to process personal data (cloud hosting, analytics platforms, CRM systems, payment processors), those providers are Data Processors under the Act.

The Data Fiduciary remains responsible for the actions of its Data Processors. This means:

  • Contractual safeguards must be in place governing how the Data Processor handles personal data
  • Processing must be limited to the purposes specified by the Data Fiduciary
  • The Data Processor must delete data when instructed by the Data Fiduciary or when the processing purpose is fulfilled

A breach at your Data Processor is your breach. The Act does not allow delegation of accountability.

Cross-Border Data Transfers

The DPDP Act permits transfer of personal data outside India, except to countries specifically restricted by the Central Government through notification. As of the Act’s passage, no countries have been restricted, but the government retains the authority to block transfers to specific jurisdictions.

Businesses that transfer data internationally must monitor government notifications and be prepared to modify their data flows if restrictions are imposed.

The Compliance Timeline

The enforcement date is set for November 2026. After that date, the Data Protection Board will begin accepting complaints and initiating investigations. Businesses that have not achieved compliance by then face enforcement action from day one.

The DPDP compliance checklist provides a structured approach to meeting all seven obligations. To identify your specific gaps, take the free DPDP Gap Assessment.