A Data Fiduciary under India's Digital Personal Data Protection Act 2023 is any entity — company, startup, partnership, or individual — that determines the purpose and means of processing personal data. If your business collects names, phone numbers, email addresses, financial details, location data, or any information that identifies a living person, you are a Data Fiduciary. That classification immediately triggers six categories of enforceable obligation: consent management, data security, breach notification, fulfilment of data principal rights, retention and purpose limitation, and oversight of third-party processors. The Data Protection Board of India (DPBI) has investigation and adjudication powers, and penalties for non-compliance can reach significant amounts.
This checklist breaks down every obligation in detail, maps them to actionable controls, and flags the additional duties that apply to Significant Data Fiduciaries.
What Is a Data Fiduciary Under the DPDP Act?
The Digital Personal Data Protection Act 2023, which received Presidential assent on 11 August 2023, creates a tiered framework of data accountability. A Data Fiduciary decides why and how personal data is processed and bears the primary compliance burden. A Data Processor handles data on the Fiduciary's behalf under contract with fewer direct obligations. The Data Principal is the individual whose data is at stake. A Consent Manager — once rules are finalised — will enable Principals to manage and withdraw consent across platforms at scale.
The Act's reach is broad by design. An Indian startup processing EU visitor data, or a foreign company processing data of Indian residents, both fall within scope. Geography of processing is not the deciding factor — the nationality of the Data Principal is.
The DPDP Compliance Journey
DPDP compliance is not a one-time exercise. It is a repeating cycle of assessment, implementation, and review. Skipping early steps compounds risk at every later stage.
```mermaid
graph TD
A[Assessment and Data Inventory]:::normal --> B[Draft Itemised Privacy Notice]:::normal
B --> C[Obtain Purpose-Specific Consent]:::normal
C --> D[Apply Data Minimisation]:::normal
D --> E[Implement Security Safeguards]:::normal
E --> F{Breach Detected}:::danger
F -- Yes --> G[Notify DPBI and Data Principals]:::danger
F -- No --> H[Fulfil Data Principal Rights]:::success
G --> H
H --> I[Periodic Compliance Review]:::success
I --> A
classDef normal fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
classDef danger fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
classDef success fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```
DPDP Obligations by Category
The six obligation categories are not equal in implementation effort or regulatory exposure. Consent management and data security together account for roughly half the total compliance workload because they require both process design and technical implementation.
```mermaid
pie title DPDP Obligations by Category
"Consent Management" : 28
"Data Security" : 22
"Data Principal Rights" : 18
"Breach Notification" : 12
"Retention and Purpose" : 12
"Third-Party Oversight" : 8
```
Obligation 1 — Consent Management
The DPDP Act sets a high bar for valid consent. It must be free, specific, informed, unconditional, and unambiguous — indicated by a clear affirmative act. Pre-ticked checkboxes, omnibus consent buried in terms of service, and implied consent by continued use of a product are explicitly insufficient.
Practical requirements your team must address:
- Itemised notice before collection: State precisely what data you collect, why, who it will be shared with, and how the Principal can withdraw consent.
- Plain language: The notice must be comprehensible to the intended recipient. The Act gives individuals the right to receive the notice in any scheduled language of India.
- Withdrawal as easy as giving: You cannot make opt-out harder than opt-in. A buried email-to-withdraw flow does not meet the standard.
- Legitimate uses: The Act permits processing without consent in limited cases — state-sanctioned purposes, medical emergencies, employment obligations — but the burden of establishing each exception sits with the Fiduciary.
Obligation 2 — Data Security
Section 8(5) of the DPDP Act requires every Data Fiduciary to implement reasonable security safeguards to prevent personal data breaches. The Act deliberately avoids prescribing a single technical standard; sector-specific requirements will emerge through rules. However, the security expectation is substantive — "reasonable" will be judged against what a prudent organisation in your sector would do.
Controls that align with the Act's intent include:
- Encryption of personal data at rest and in transit
- Role-based access controls and least-privilege policies
- Multi-factor authentication on all systems storing personal data
- Regular vulnerability assessments and penetration testing to surface exploitable weaknesses before attackers do
- Patch management with defined response SLAs
- Security reviews before onboarding any Data Processor
Obligation 3 — Breach Notification
A personal data breach must trigger two parallel notification obligations: one to the Data Protection Board of India and one to each affected Data Principal. The DPDP Act does not specify a notification window in its text, but draft rules and sector-specific directions (including the CERT-In Cyber Security Directions 2022) provide the clearest current benchmark for expected urgency.
Your breach notification must include:
- The nature and cause of the breach
- Categories and approximate volume of personal data affected
- Likely consequences for Data Principals
- Measures already taken and planned to contain and mitigate harm
Obligation 4 — Data Principal Rights
The DPDP Act codifies five enforceable rights that every Data Principal can exercise against any Data Fiduciary. These are not aspirational; each right creates a corresponding duty on your organisation to build a response workflow.
| Right | What You Must Do | Notes |
|---|---|---|
| Right to Access | Provide a summary of personal data processed and all entities it was shared with | Must be on request, in prescribed form |
| Right to Correction and Completion | Correct inaccurate data; complete incomplete data | Cannot refuse without documented justification |
| Right to Erasure | Erase personal data when consent is withdrawn or purpose is served | Retention for legal obligation overrides this |
| Right to Grievance Redressal | Acknowledge complaints via a named Grievance Officer; resolve within prescribed timeframes | Officer details must be published on your platform |
| Right to Nominate | Allow Principals to nominate someone to exercise rights on death or incapacity | Must be offered at point of consent |
Obligation 5 — Retention and Purpose Limitation
Purpose Limitation: Personal data may only be used for the specific purpose under which consent was obtained. Using a customer's email — collected during checkout — to send unrelated marketing without fresh consent is a violation, even if the address is already in your CRM.
Storage Limitation and Deemed Erasure: Once the stated purpose is served, or consent is withdrawn, the Data Fiduciary must erase the data. The Act introduces a concept of deemed erasure via Consent Managers in certain scenarios; rules will clarify timelines. The direction is unambiguous: data must not outlive its purpose. Map every collection point to a purpose and a maximum retention period, and automate erasure wherever possible.
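The consent duties in Obligation 1 and the purpose and storage limitation duties above can be expressed as a small data model, shown here as an added illustration that is not part of the original article and not a reference implementation of the Act. Every name, the per-purpose retention periods in `RETENTION_SCHEDULE`, and the `legal_hold_until` field are assumptions chosen for the example; the Act and draft rules fix none of them. The model enforces a clear affirmative act at grant time, makes withdrawal a single call that mirrors grant, refuses any use of an item without active consent for that exact purpose (the checkout-email-to-marketing case from the text), and runs an erasure sweep once the retention window after withdrawal or purpose completion has elapsed, unless a legal retention duty overrides it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed retention schedule: how long an item may be kept after its purpose is served
# or consent is withdrawn. The Act fixes no periods; these values are placeholders.
RETENTION_SCHEDULE: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=30),
    "marketing": timedelta(days=0),
}

@dataclass
class ConsentRecord:
    granted_at: datetime                      # audit trail of the affirmative act
    withdrawn_at: Optional[datetime] = None   # None means consent is still active

class ConsentLedger:
    """One record per (principal, purpose): no blanket consent."""
    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], ConsentRecord] = {}

    def grant(self, principal_id: str, purpose: str, now: datetime, affirmative_act: bool) -> None:
        # A pre-ticked box or continued use is not a clear affirmative act, so it is rejected.
        if not affirmative_act:
            raise ValueError("consent requires a clear affirmative act")
        self.records[(principal_id, purpose)] = ConsentRecord(granted_at=now)

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        # Withdrawal is a single call mirroring grant: opting out is no harder than opting in.
        rec = self.records.get((principal_id, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now

    def permits(self, principal_id: str, purpose: str) -> bool:
        rec = self.records.get((principal_id, purpose))
        return rec is not None and rec.withdrawn_at is None

@dataclass
class PersonalDataItem:
    principal_id: str
    purpose: str                                   # purpose consented to at collection
    value: str
    purpose_served_at: Optional[datetime] = None
    legal_hold_until: Optional[datetime] = None    # assumed statutory retention duty

class DataStore:
    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self.items: List[PersonalDataItem] = []

    def collect(self, item: PersonalDataItem) -> None:
        if not self.ledger.permits(item.principal_id, item.purpose):
            raise PermissionError(f"no active consent for {item.purpose!r}")
        self.items.append(item)

    def may_use(self, item: PersonalDataItem, purpose: str) -> bool:
        # Purpose limitation: every use needs active consent for exactly that purpose.
        return self.ledger.permits(item.principal_id, purpose)

    def use(self, item: PersonalDataItem, purpose: str) -> str:
        if not self.may_use(item, purpose):
            raise PermissionError(f"no active consent for {purpose!r}")
        return item.value

    def erasure_sweep(self, now: datetime) -> int:
        """Erase items whose retention window has run out, unless on legal hold; return the count."""
        keep: List[PersonalDataItem] = []
        for item in self.items:
            rec = self.ledger.records.get((item.principal_id, item.purpose))
            withdrawn = getattr(rec, "withdrawn_at", None)
            triggers = [t for t in (withdrawn, item.purpose_served_at) if t is not None]
            retention = RETENTION_SCHEDULE.get(item.purpose, timedelta(0))
            due = bool(triggers) and now >= min(triggers) + retention
            on_hold = item.legal_hold_until is not None and now < item.legal_hold_until
            if not due or on_hold:
                keep.append(item)
        self.items, erased = keep, len(self.items) - len(keep)
        return erased

def consent_scenario() -> Dict[str, object]:
    """Constructed walkthrough of the checkout-email example from the text."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = DataStore(ConsentLedger())
    store.ledger.grant("p-1", "order_fulfilment", t0, affirmative_act=True)
    email = PersonalDataItem("p-1", "order_fulfilment", "user@example.test")
    store.collect(email)
    # Assumed: an invoice record kept under a statutory retention duty, i.e. on legal hold.
    store.collect(PersonalDataItem("p-1", "order_fulfilment", "INV-0001",
                                   t0 + timedelta(days=1), t0 + timedelta(days=365)))
    result: Dict[str, object] = {"marketing_before": store.may_use(email, "marketing")}
    store.ledger.grant("p-1", "marketing", t0, affirmative_act=True)
    result["marketing_after_grant"] = store.may_use(email, "marketing")
    store.ledger.withdraw("p-1", "marketing", t0 + timedelta(days=2))
    result["marketing_after_withdraw"] = store.may_use(email, "marketing")
    email.purpose_served_at = t0 + timedelta(days=1)                       # order completed
    result["erased_early"] = store.erasure_sweep(t0 + timedelta(days=10))  # inside 30-day window
    result["erased_late"] = store.erasure_sweep(t0 + timedelta(days=40))   # email erased, invoice held
    result["remaining"] = len(store.items)
    return result
```

The sweep deliberately takes the earlier of withdrawal and purpose completion as its trigger, so a withdrawal can never be out-waited by a long retention period attached to the original purpose; the legal-hold check is the only thing that keeps an item past its window, and it is a per-item field so the justification is recorded where an auditor would look for it.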
Obligation 6 — Third-Party and Data Processor Oversight
When you engage a vendor — a CRM, cloud provider, analytics platform, or payroll processor — to process personal data, you remain accountable as the Data Fiduciary. Minimum contractual requirements: a written agreement specifying nature, purpose, and duration; a prohibition on sub-contracting without written consent; a right to audit the Processor's security controls; and an obligation on the Processor to assist with breach notification and rights fulfilment. Any Processor breach of data you hold becomes your breach for DPBI notification purposes.
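The rights workflow in Obligation 4 and the processor oversight duties above share one underlying record: which entity received which Data Principal's data, under which contract, and for which purpose. The following is an added example that is not from the original article and does not represent any real vendor or a reference implementation of the Act; the vendor names, the `ProcessorAgreement` fields, and the clause checks are assumptions modelled on the minimum contractual requirements listed in the text. It refuses to onboard a Processor whose agreement lacks the required clauses, blocks sub-contracting without written consent, produces the Right-to-Access summary of every entity a data category was shared with, and fans an erasure request out to every recipient.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class ProcessorAgreement:
    """Assumed record of the written agreement with one Data Processor."""
    name: str
    purposes: Set[str]                        # nature and purpose of processing
    duration_months: int
    audit_right: bool = False                 # right to audit the Processor's controls
    assists_with_rights_and_breach: bool = False
    subcontracting_approved: bool = False     # written consent for sub-processing

    def has_minimum_clauses(self) -> bool:
        return (bool(self.purposes) and self.duration_months > 0
                and self.audit_right and self.assists_with_rights_and_breach)

@dataclass
class ShareEvent:
    principal_id: str
    category: str       # e.g. "email", "phone"
    recipient: str      # processor or sub-processor that received the data
    purpose: str

class SharingRegister:
    """Tracks which processors hold which Data Principal's data, and why."""
    def __init__(self) -> None:
        self.agreements: Dict[str, ProcessorAgreement] = {}
        self.events: List[ShareEvent] = []
        self.erasure_instructions: List[Tuple[str, str]] = []   # (recipient, principal)

    def onboard(self, agreement: ProcessorAgreement) -> None:
        # A Processor is only usable once the contract carries the minimum clauses.
        if not agreement.has_minimum_clauses():
            raise ValueError(f"agreement with {agreement.name!r} lacks required clauses")
        self.agreements[agreement.name] = agreement

    def share(self, principal_id: str, category: str, recipient: str, purpose: str,
              via: Optional[str] = None) -> None:
        """Record a transfer; `via` names the contracted Processor when `recipient` is its sub-processor."""
        contracted = self.agreements.get(via or recipient)
        if contracted is None:
            raise PermissionError(f"no written agreement covers {recipient!r}")
        if via is not None and not contracted.subcontracting_approved:
            raise PermissionError(f"{via!r} may not sub-contract without written consent")
        if purpose not in contracted.purposes:
            raise PermissionError(f"{contracted.name!r} is not contracted for {purpose!r}")
        self.events.append(ShareEvent(principal_id, category, recipient, purpose))

    def access_summary(self, principal_id: str) -> Dict[str, List[str]]:
        """Right to Access: each data category held and every entity it was shared with."""
        summary: Dict[str, List[str]] = {}
        for e in self.events:
            if e.principal_id == principal_id and e.recipient not in summary.setdefault(e.category, []):
                summary[e.category].append(e.recipient)
        return summary

    def erase(self, principal_id: str) -> List[str]:
        """Right to Erasure: drop local records and instruct every recipient to do the same."""
        recipients = sorted({e.recipient for e in self.events if e.principal_id == principal_id})
        self.events = [e for e in self.events if e.principal_id != principal_id]
        self.erasure_instructions.extend((r, principal_id) for r in recipients)
        return recipients

def sharing_scenario() -> Dict[str, object]:
    """Constructed walkthrough with hypothetical vendors."""
    reg = SharingRegister()
    reg.onboard(ProcessorAgreement("crm-vendor", {"order_fulfilment"}, duration_months=12,
                                   audit_right=True, assists_with_rights_and_breach=True))
    result: Dict[str, object] = {}
    try:   # a contract without audit rights is rejected at onboarding
        reg.onboard(ProcessorAgreement("analytics-vendor", {"analytics"}, duration_months=12,
                                       assists_with_rights_and_breach=True))
        result["weak_contract_accepted"] = True
    except ValueError:
        result["weak_contract_accepted"] = False
    reg.share("p-1", "email", "crm-vendor", "order_fulfilment")
    try:   # the CRM vendor passing the email to a relay without written consent
        reg.share("p-1", "email", "email-relay", "order_fulfilment", via="crm-vendor")
        result["subprocessing_allowed"] = True
    except PermissionError:
        result["subprocessing_allowed"] = False
    result["access_summary"] = reg.access_summary("p-1")
    result["erasure_sent_to"] = reg.erase("p-1")
    result["after_erasure"] = reg.access_summary("p-1")
    return result
```

The `erasure_instructions` list is what makes a Processor breach or a missed deletion traceable back to the Fiduciary's own records: it is the evidence that the instruction was issued, which is what the Board will ask for when a Processor's failure becomes the Fiduciary's breach.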
Significant Data Fiduciaries — Heightened Obligations
The Central Government may designate specific organisations as Significant Data Fiduciaries (SDFs) based on volume and sensitivity of data processed, risk to Data Principals, potential national-security implications, and scale of child data processing. SDFs face a materially heavier compliance layer:
| Additional SDF Obligation | Requirement |
|---|---|
| Data Protection Officer | Appoint a named DPO resident in India, accountable to the board |
| Independent Data Audit | Annual audit of data processing practices by an independent auditor |
| Data Protection Impact Assessment | Mandatory DPIA before initiating any high-risk processing activity |
| Algorithmic Accountability | Periodic assessment of algorithms used for targeting, profiling, or automated decision-making |
Your DPDP Compliance Action Checklist
| Control Area | Specific Action | Priority |
|---|---|---|
| Data Inventory | Map all personal data collected, stored, processed, and shared | P0 |
| Privacy Notice | Draft itemised, purpose-specific notices for each collection point | P0 |
| Consent Mechanism | Replace blanket consent with per-purpose checkboxes and confirmations | P0 |
| Grievance Officer | Appoint, name, and publish officer contact on your platform | P0 |
| Security Assessment | Conduct VAPT on all systems handling personal data | P0 |
| Breach Response Plan | Document detection, containment, and DPBI notification procedures | P1 |
| Data Processor Contracts | Review all vendor agreements for DPDP-required clauses and audit rights | P1 |
| Erasure Workflow | Automate deletion when purpose is served or consent is withdrawn | P1 |
| Consent Withdrawal UI | Build an accessible opt-out flow for every collected purpose | P1 |
| Retention Schedule | Define and enforce maximum retention periods per data category | P2 |
| SDF Readiness Assessment | Evaluate whether SDF designation criteria could apply to your organisation | P2 |