Definition
A Data Fiduciary is any person or organisation that decides why and how personal data is processed — defined under Section 2(i) of the DPDPA, 2023. In simple terms: if your business collects customer, employee, or patient data and decides what to do with it, you're a Data Fiduciary. This covers NBFCs collecting KYC documents, hospitals storing patient records, schools holding student data, and even small firms running HR files. The label matters because the law's core obligations — valid consent, privacy notices, security safeguards, breach reporting, and data erasure (Section 8) — fall on the Data Fiduciary, not the vendor processing data on its behalf.
How this matters in practice
Most Indian SMBs are Data Fiduciaries without realising it — and the DPDP Rules, 2025 have started the compliance clock. Privigo maps exactly which fiduciary obligations apply to your business, starting with a free gap analysis. Our "DPDPA Ready in 7 Days" programme covers consent notices, grievance redressal, and breach-response processes — delivered fully remotely, anywhere in India.
Frequently asked questions
Is my small business a Data Fiduciary under DPDPA?
Almost certainly yes, if you collect any personal data digitally — customer phone numbers, employee records, patient files, or student information — and decide how it's used. Size doesn't exempt you. The government may notify limited exemptions for startups under Section 17(3), but you shouldn't assume you qualify without checking.
What's the difference between a Data Fiduciary and a Data Processor?
The Data Fiduciary decides the purpose and means of processing; a Data Processor (Section 2(k)) handles data only on the fiduciary's instructions — like your CRM vendor or payroll provider. Crucially, legal liability under DPDPA sits with the fiduciary, so you remain accountable even when work is outsourced.
What happens if a Data Fiduciary doesn't comply?
The Data Protection Board of India can impose penalties up to ₹250 crore per instance for failures like inadequate security safeguards (Schedule to the Act). With the DPDP Rules, 2025 notified and obligations rolling out in phases, businesses should begin gap assessment and consent-management fixes now rather than waiting for enforcement.
Map your fiduciary obligations in one session
Book a 30-minute call to see where your organisation is the Data Fiduciary and what evidence you need before 2027.
Book a demo
Free Gap Analysis
Disclaimer: Privigo is not a law firm. This page provides operational compliance guidance only. For institution-specific obligations, work with qualified Indian legal counsel.