DPDP Act: What Are Your Obligations as a Data Fiduciary?

DPDP Act Updates · By Admin User · March 30, 2026

Are You a Data Fiduciary?

Under the Digital Personal Data Protection Act, 2023, any entity that determines the purpose and means of processing personal data is a Data Fiduciary. In practice, this covers almost every business with a digital presence in India — from startups with a mobile app to large enterprises with customer databases.

If you collect names, phone numbers, emails, purchase histories, health data, or any other information that can identify a person, you are a data fiduciary. Your obligations are significant.

The Core Compliance Checklist for Data Fiduciaries

✅ Consent Management

You must obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data. This means:

  • Pre-ticked checkboxes are not valid consent
  • Bundling consent with terms and conditions is not valid
  • Users must be able to withdraw consent as easily as they gave it
  • Consent must be requested in clear, plain language

✅ Privacy Notice

Before or at the time of collecting data, you must provide a notice explaining: what data is being collected, why, who it will be shared with, and how the individual can exercise their rights. Generic privacy policies buried in footers will not suffice.

✅ Data Localisation Considerations

The DPDP Act empowers the government to restrict the transfer of personal data to certain countries. Cross-border data transfers must be monitored and compliant with any restrictions notified by the central government.

✅ Children's Data Protections

Processing personal data of children (below 18 years) requires verifiable parental consent. Additionally, data fiduciaries must not process data of children in a manner that is likely to cause harm, and behavioural tracking or targeted advertising directed at children is prohibited.

✅ Data Processor Agreements

If you engage third-party processors (cloud providers, analytics platforms, marketing tools), you must have binding agreements in place that ensure the processor complies with your DPDP obligations.

✅ Grievance Redressal

You must designate a person or team to handle data principal grievances. Complaints must be acknowledged and resolved within specified timeframes.

✅ Security Measures

Reasonable technical and organisational security measures must protect personal data. This includes access controls, encryption where appropriate, and documented incident response procedures.

Significant Data Fiduciary: Are You One?

The government may designate certain data fiduciaries as "Significant Data Fiduciaries" based on volume of data processed, sensitivity of data, and potential impact on national security or public order. If designated as an SDF, you face additional obligations:

  • Appointment of a Data Protection Officer (DPO) based in India
  • Appointment of an independent data auditor
  • Periodic Data Protection Impact Assessments (DPIAs)
  • Additional accountability and reporting requirements

Penalties for Data Fiduciary Violations

The Data Protection Board has the power to impose penalties of up to ₹250 crore for failure to implement security safeguards. Repeated violations or violations affecting large numbers of data principals will attract higher penalties and possible operational restrictions.

Get Your Compliance Framework in Place

Clawrity's DPDP Act advisory team works with businesses across sectors to build practical compliance programmes. We focus on what your business actually needs to do — not theoretical frameworks. Contact us to discuss your DPDP compliance requirements.

Clawrity Expert

Legal expert at Clawrity specialising in property law and real estate due diligence in Bangalore.
