HyperTrust - Consent Management Platform
homearrowBlogarrowDPDP Act, 2023arrowdata fiduciary...

Who is a Data Fiduciary Under the DPDP Act? 

Preeti K
February 10, 2025
Who is a Data Fiduciary Under the DPDP Act? 

The Digital Personal Data Protection (DPDP) Act is the new rulebook to protect individual privacy and establish responsible data processing. The new rules can only be applied with the help of characters who function on the DPDP Act guidelines. One of the main characters in this rulebook is the Data Fiduciary.

A data fiduciary under the DPDP Act decides how and why data is collected, used, and protected. Therefore, understanding the role of a data fiduciary is crucial because it helps you know your rights and how your information is being treated.

In this blog, we’ll explore the definition and duties of a data fiduciary in detail and touch upon the penalties for non-compliance with the DPDP Act norms.

Defining a Data Fiduciary

Under the Digital Personal Data Protection (DPDP) Act, a data fiduciary is an entity or individual who determines the purpose and means of processing personal data. This role is similar to the concept of a “data controller” under other data protection frameworks like the GDPR.

Key Characteristics of a Data Fiduciary:

  1. Decision-Making Authority: The data fiduciary decides why and how personal data is processed.
  2. Accountability: They are responsible for ensuring compliance with the DPDP Act, including safeguarding the data and respecting the rights of data principals (individuals whose data is being processed).
  3. Types of Data Fiduciaries:
    • Private Entities: Companies, organizations, or individuals processing personal data.
    • Government Entities: Public authorities or agencies that process personal data.
    • Significant Data Fiduciaries: Certain fiduciaries may be classified as “significant” based on factors like the volume of data processed, sensitivity of data, or potential risks to individuals. These entities have additional obligations under the Act.

Obligations of a Data Fiduciary

We have described the key obligations of a data fiduciary in this section:

Maintaining security safeguards

Data fiduciaries must implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage. This means setting up robust security protocols like a bank securing its vault. These safeguards are necessary to keep personal information confidential and accessible by authorized personnel only. if a data fiduciary, fails to maintain these safeguards, it can lead to heavy penalties of up to Rs. 250 crores.

Ensuring Data Accuracy, Completeness, and Consistency

High data accuracy, complete information, and consistency are necessary to maintain trust in the digital ecosystem. One of those processes is regularly reviewing and updating the data they hold. Without accurate data, businesses and individuals cannot make accurate decisions. For example, a company runs a marketing campaign based on completely inaccurate data leading to poor results. For individuals, they could be denied services for erroneous data in their profile.

Notifying the Data Protection Board of India (DPB) in Case of Data Breaches

In the event of a data breach, data fiduciaries must promptly notify the affected individuals and the Data Protection Board of India (DPB). The notification should include details about the breach’s nature, its potential impact on individuals, and measures undertaken to mitigate harm. This transparency is crucial to maintain trust and ensure individuals can take necessary precautions if their data has been compromised

Erasure Upon Consent Withdrawal or Purpose Fulfillment

If an individual withdraws their consent for data processing or the purpose of the collected data has been fulfilled, data fiduciaries are obligated to erase their personal data. This is necessary to reinforce the idea that individuals have complete control over their data at all times. If you no longer want a subscription service; no authority can stop you from getting your information removed from the company’s database.

Appointing a Data Protection Officer (DPO) and Establishing Grievance Redress Mechanisms

A Data Protection Officer (DPO) oversees compliance with the DPDP Act and is a point of contact for any queries or complaints about personal data processing. A DPO’s duty also includes establishing grievance redress mechanisms, so individuals can raise concerns about how their data is being handled. A mechanism builds public trust as it paves a clear path for individuals to seek resolution without hindrances.

Obtaining Verifiable Parental Consent for Processing Children’s Data

For children under 18 years old, data fiduciaries must obtain verifiable parental consent before processing their children’s personal data. This is needed for extra protection of minors’ privacy rights.

Prohibitions on Tracking, Behavioral Monitoring, and Targeted Advertising Directed at Children

The DPDP Act restricts data fiduciaries from tracking or monitoring children’s online behaviour to prohibit targeted advertising at minors. The objective of this principle is to protect children from exploitation and ensure that their online experiences are safe from manipulative marketing practices.

Significant Data Fiduciaries (SDF)

Significant Data Fiduciaries (SDFs) play a key role under the Digital Personal Data Protection (DPDP) Act because they handle large volumes of sensitive personal data. But what are the criteria for classifying an SDF and their additional responsibilities? We answer those questions in this section.

Criteria for Classification as a Significant Data Fiduciary (SDF)

Organizations must meet the criteria set by the government to be classified as an SDF. These criteria include:

  • Volume of Data Processed: Organizations managing vast amounts of personal data are classified as SDFs. For example, a social media platform with millions of users falls into this category
  • Type of Data: Organizations handling sensitive information such as health records, biometric data, or financial details increase the chances of becoming an SDF.
  • Impact on National Security and Public Interest: Entities in sectors like telecommunications or finance, where data breaches can severely impact public safety or national security, are often classified as SDFs.
  • Risk to Individual Privacy: Organizational practices that can significantly impact individual privacy rights such as extensive behavioural tracking or profiling may also qualify as SDFs.

Additional Obligations Imposed on SDFs

A Significant Data Fiduciary (SDF) has additional obligations compared to a regular data fiduciary due to their critical role and potential risks. Some of the additional responsibilities include:

  • Appointment of a Data Protection Officer (DPO): SDFs must appoint a DPO to oversee compliance with data protection laws and act as a liaison with regulatory authorities.
  • Conducting Data Protection Impact Assessments (DPIA): SDFs conduct DPIAs to evaluate how their data processing activities affect individuals’ privacy rights and to identify any risks involved.
  • Periodic Audits: Conduct regular audits to comply with data protection regulations and check the effectiveness of security measures.
  • Enhanced Transparency Requirements: SDFs must always provide clear information about their data processing activities, including how personal data is collected, used, and shared.

Implications for Organizations Processing Large Volumes of Sensitive Personal Data

Companies processing large volumes of sensitive personal data, like handling over 10 million user records undergo stricter scrutiny from regulatory bodies. That means more frequent audits and higher penalties for non-compliance. Such organizations may need to invest more in hiring dedicated personnel for data protection roles and implementing advanced security measures. The investment could be as high as millions of dollars, depending on the organization’s size and complexity.

Data Fiduciary vs. Data Processor

Data Fiduciaries and Data Processors play distinct roles in the data protection ecosystem. A data fiduciary is an entity that determines the purpose and means of processing personal data. A data processor acts on behalf of the fiduciary. It executes the processing tasks based on directions and does not make independent decisions about the data.

The responsibilities of each role under the DPDP Act are different. The primary responsibility of a data fiduciary is ensuring compliance with the law. This includes obtaining valid consent from individuals, maintaining data accuracy, implementing security measures, and notifying authorities in case of data breaches. They are also accountable for any non-compliance by their processors and are liable to penalties.

The primary responsibility of a data processor is processing personal data according to the instructions of the fiduciary. They must adhere to Data Processing Agreements (DPAs) which mention their obligations and liabilities about data handling.

There are certain scenarios where an entity may function as a data fiduciary and a data processor. For instance, a cloud service provider stores customer data for various businesses. If they only follow instructions from their clients regarding how to handle data, it acts as a processor. However, if it starts to make its own decisions about how to use that data it becomes a fiduciary.

Due to this duality, it’s important to have contractual agreements and compliance measures to outline responsibilities clearly and mitigate risks. Understanding these distinctions is important for organizations to navigate the complexities of personal data protection under the DPDP Act.

Compliance and Penalties

Data fiduciaries must uphold the highest level of compliance with the Digital Personal Data Protection (DPDP) Act to protect personal data and individuals’ rights. To ensure compliance, they must take several proactive steps, develop a deep understanding of the potential penalties for non-compliance, and adopt best practices to build a culture of data protection.

To ensure compliance with the DPDP Act, data fiduciaries should take the following steps:

  1. Conduct Regular Audits: Organizations must regularly audit their data processing activities to comply with the DPDP Act. This includes reviewing data handling practices, consent management processes, and security measures.
  2. Implement Data Protection Policies: Data protection policies outline how personal data is collected, processed, stored, and shared. Employees must be trained on these policies to ensure everyone understands their roles in maintaining compliance.
  3. Obtain Informed Consent: Data fiduciaries must ensure that they obtain valid and informed consent from individuals before processing their personal data. This involves providing clear information about how the data will be used and ensuring that consent is freely given.
  4. Designate a Data Protection Officer (DPO): A DPO acts as a point of contact for data protection matters and oversees adherence to the DPDP Act.
  5. Stay Updated on Regulatory Changes: Data protection laws are evolving so subscribing to legal updates or participating in industry forums is the best way to stay informed.

Failure to comply with the DPDP Act can result in penalties up to Rs. 250 crores. Organizations may face fines of up to 2% of their total global turnover or ₹5 crore, whichever is higher. More severe violations, such as failing to address data breaches or not obtaining necessary consents, could lead to fines of up to 4% of global turnover or ₹15 crore (around $1.8 million). In addition to penalties, non-compliance also results in reputation loss for companies.

To avoid penalties and enhance compliance efforts, data fiduciaries must adopt these best practices:

  • Data Minimization: Collect only personal data necessary for specific purposes to reduce the risk of holding excessive information.
  • Enhance Data Security: Implement strong security measures like encryption, access controls, and regular security assessments to protect personal data from breaches.
  • Establish Clear Data Retention Policies: Define how long personal data will be retained and ensure it’s deleted when no longer needed.
  • Create Transparent Communication Channels: Maintain open lines of communication with individuals by informing them how their data is used and providing easy access to grievance redress mechanisms.

Key Takeaways

Data fiduciaries are essential to safeguard personal data, ensure compliance with legal obligations, and protect individuals’ privacy rights. Their responsibilities maintain trust in digital interactions and build a culture of accountability in data handling.

Organizations collecting sensitive personal data must take proactive steps to align their data processing activities with the DPDP Act. This alignment reduces risks of non-compliance and enhances the overall security of personal data.

For organizations interested in streamlining their compliance efforts, but don’t know where to start, HyperTrust can help. HyperTrust is a robust solution to simplify consent management, making it easier for organizations to comply with the DPDP Act while ensuring that individuals’ rights are protected.

To learn more about how HyperTrust visit the HyperTrust website.

Frequently Asked Questions

Who is the data fiduciary under the DPDP Act?

A data fiduciary is an entity, which can be an individual, firm or even a state, that determines the purpose and means of processing personal data, either independently or in collaboration with others. It’s similar to the role of the data controller in GDPR.

What is the data fiduciary duty?

The primary duty of a data fiduciary is to handle personal data responsibly and ethically. This includes obtaining valid consent from individuals, ensuring data accuracy and security, notifying authorities in case of data breaches, and respecting individuals’ rights regarding their personal information

What is an example of a data fiduciary?

A social media platform collecting user information to share personalized content and advertisements is an example of a data fiduciary.

What is Section 7 of the DPDP Act?

Section 7 of the DPDP Act highlights obtaining informed consent from individuals before processing their personal data. 

Related topics

Comparison Guides Industries

Written by

Preeti K

Preeti is a business and tech connoisseur with a keen eye and fondness for demystifying complex concepts. Infusing her enthusiasm into marketing, she crafts compelling narratives for HyperTrust's diverse audience.

Recommended blogs

Try first. Subscribe later.

Boost your legal ops efficiency by 80%.

1 Schedule a call
2 Scope out challenges
3 Test with a custom PoC
Book a Demo