25 Jun 2026 · 8 min read
The DPDP Act 2023 defines a Data Fiduciary in Section 2(i) as 'any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data'. That sentence does a lot of work. If you run an Indian-facing website that decides what data to collect, why to collect it, and how to use it, you are a Data Fiduciary — regardless of company size, sector or whether you ever heard of the Act before. The label is the gateway to a specific set of obligations under the law, and the cost of getting it wrong is sitting inside the Schedule's penalty bands.
**Three tests that decide it.** (1) Do you decide the purpose of processing? If yes, you are a Fiduciary, not a Processor. A Processor processes on someone else's behalf and to someone else's instructions; a Fiduciary calls the shots. (2) Do you collect personal data from Indians directly, or process it after collection? Either path triggers Fiduciary status. (3) Does your processing fall inside an exemption? The Act exempts processing for personal/domestic use and processing of data the Data Principal has made publicly available. Almost no commercial website qualifies for either exemption. If you pass tests 1 and 2 and fail test 3, you are a Data Fiduciary.
**Fiduciary vs Processor — the distinction that matters.** Your hosting provider, your analytics vendor, your CRM, your email-sending platform — these are Data Processors when they process personal data on your behalf, under your instructions. Your obligations under the DPDP Act do not transfer to them; they have their own obligations under Section 8 to process only as directed and to maintain security. But you remain accountable as the Fiduciary: if your CRM leaks data, the Data Protection Board can hold you responsible for the choice of vendor and the absence of a Data Processing Addendum. The lesson is procurement hygiene — a signed DPA on file for every Processor you use is the cheapest insurance against an attributable Section 8 finding.
**The seven core obligations.** Every Data Fiduciary owes Data Principals seven duties under the Act. (1) Section 5 — a clear, itemised consent notice in plain language listing what personal data is collected, the purposes, the rights mechanism and the Grievance Officer contact. (2) Section 4 / Section 7 — process only for the consented purpose, or one of the narrow legitimate uses the Act lists. (3) Section 8(5) — reasonable security safeguards appropriate to the risk; failure here carries the highest penalty band, ₹250 crore. (4) Section 8(6) — breach notification to the Board within the 72-hour window the Rules set, plus a parallel notice to affected Data Principals. (5) Sections 8(7)–(8) — erase personal data when the purpose is met or consent is withdrawn, unless retention is required by law. (6) Section 8(10) — publish a Grievance Officer and resolve grievances within 30 days. (7) Section 8(3) — keep data accurate and complete when it's used to make decisions about a person.
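Where these obligations meet code is the consent and processing layer of the site itself. The following is an added example, not code from the original post or from any product it links to: a minimal consent ledger that turns purpose limitation, withdrawal-triggered erasure, the 72-hour breach window and the 30-day grievance SLA into runtime checks. The class and function names (`ConsentLedger`, `breach_notification_deadline`, and so on) and the sample principal are this example's own; the section numbers in the comments are the ones the post cites.

```python
"""Consent ledger example (hypothetical design, not the post's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as stated in the post: 72 hours to notify the Board (Section 8(6)),
# 30 days to resolve a grievance (Section 8(10)).
BREACH_NOTIFY_WINDOW = timedelta(hours=72)
GRIEVANCE_SLA = timedelta(days=30)


class PurposeNotConsented(Exception):
    """Raised when processing is attempted outside the consented purposes (Section 4 / 7)."""


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: frozenset          # itemised purposes from the Section 5 notice
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    erased: bool = False         # Sections 8(7)-(8): erase once purpose met or consent withdrawn


class ConsentLedger:
    """Per-principal consent state; every processing call must pass may_process()."""

    def __init__(self):
        self._records: dict = {}

    def record_consent(self, principal_id: str, purposes, given_at: datetime) -> ConsentRecord:
        rec = ConsentRecord(principal_id, frozenset(purposes), given_at)
        self._records[principal_id] = rec
        return rec

    def may_process(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get(principal_id)
        # No record, withdrawn consent, or erased data: processing is not permitted.
        if rec is None or rec.withdrawn_at is not None or rec.erased:
            return False
        return purpose in rec.purposes

    def process(self, principal_id: str, purpose: str) -> str:
        # Purpose limitation is enforced at the call site, not left to convention.
        if not self.may_process(principal_id, purpose):
            raise PurposeNotConsented(f"{principal_id}: no consent for '{purpose}'")
        return f"processed {principal_id} for {purpose}"

    def withdraw(self, principal_id: str, at: datetime,
                 retention_required_by_law: bool = False) -> bool:
        """Mark consent withdrawn and, unless a legal retention duty applies,
        flag the data for erasure. Returns whether erasure was triggered."""
        rec = self._records[principal_id]
        rec.withdrawn_at = at
        rec.erased = not retention_required_by_law
        return rec.erased

    def purpose_fulfilled(self, principal_id: str,
                          retention_required_by_law: bool = False) -> bool:
        """Same erasure rule when the consented purpose has been met."""
        rec = self._records[principal_id]
        rec.erased = not retention_required_by_law
        return rec.erased


def breach_notification_deadline(detected_at: datetime) -> datetime:
    """Latest time to notify the Board once a breach is detected (72-hour window)."""
    return detected_at + BREACH_NOTIFY_WINDOW


def grievance_deadline(received_at: datetime) -> datetime:
    """Latest time to resolve a grievance (30-day SLA)."""
    return received_at + GRIEVANCE_SLA


def demo() -> dict:
    """Walk a constructed principal through consent, use and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 7, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger.record_consent("user-001", {"order_fulfilment", "service_email"}, t0)
    out = {
        "fulfilment_ok": ledger.may_process("user-001", "order_fulfilment"),
        "marketing_blocked": not ledger.may_process("user-001", "marketing"),
    }
    out["erased_on_withdrawal"] = ledger.withdraw("user-001", t0 + timedelta(days=10))
    out["blocked_after_withdrawal"] = not ledger.may_process("user-001", "order_fulfilment")
    out["breach_deadline"] = breach_notification_deadline(t0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `process()` refuses any purpose not in the itemised consent record, so a new use of the data (say, marketing on top of order fulfilment) fails loudly rather than silently widening the purpose; withdrawal flips the record to erased unless the caller asserts a legal retention duty, which keeps the Section 8(7)-(8) exception an explicit, auditable decision.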
**Are you a Significant Data Fiduciary?** Section 10 lets the Central Government designate any Fiduciary, or class of Fiduciaries, as 'Significant'. The factors are open-ended — volume and sensitivity of data, risk to electoral democracy, risk to sovereignty, public order. There is no fixed user-count threshold. In practice, large consumer platforms (10M+ Indian users), anyone touching children's or health data at scale, and intermediaries whose data flows could influence elections are at the front of the queue. SDF designation layers four extra duties: India-resident DPO, periodic Independent Data Auditor audit, mandatory DPIA on material new processing, and any additional measures the Government may prescribe.
**The extraterritorial reach.** The DPDP Act applies to processing inside India regardless of where the Fiduciary is located, and it applies extraterritorially to any Fiduciary outside India that processes Indian-user data in connection with offering goods or services to people in India. A US-based SaaS company with no Indian office is a Data Fiduciary if it has Indian-user signups. A UK-based ecommerce store that ships to India is a Data Fiduciary. The 'we don't have an Indian entity' defence does not exist under the Act — the obligations attach to processing, not to corporate presence.
**What to do today if you've just realised you're a Fiduciary.** (1) Inventory what you collect — every form, every tracker, every backend log that touches personal data. The [free audit](/free-audit) does this for you. (2) Ship a DPDP-compliant consent banner via the [banner builder](/tools/banner-builder) or a comparable CMP. (3) Replace your existing privacy policy with a Section 5 itemised notice via the [privacy notice generator](/tools/privacy-notice). (4) Name a Grievance Officer with a brand-domain email and a 30-day SLA, publish in the footer and notice. (5) Write a one-page breach playbook with the [72-hour template](/tools/breach-notification). (6) Email every Processor on your inventory asking for their DPA. None of these takes more than a day on its own — the bottleneck is sequencing, not effort.
**Common Fiduciary mistakes that fail scans.** Treating yourself as a Processor when you are actually a Fiduciary (the most common confusion — if you decide why and how, you are a Fiduciary, full stop). Outsourcing accountability to your CMP or CRM vendor (the Act doesn't let you delegate the obligations, only the operational work). Hiding the Grievance Officer behind a generic support@ inbox (the Rules require a named individual). Treating breach notification as optional (it isn't — the 72-hour clock is the Rules' clearest enforcement signal). The [DPDP Act guide](/dpdp-act) walks through each obligation in plain English with section references.
**The cost of being wrong.** A Data Fiduciary who hasn't realised they are one is in default of seven distinct obligations the moment they collect their first user data. The Schedule's bands stack: a Section 8 security failure plus a Section 6 withdrawal failure is two penalties, not one. Section 33(2) gives the Board a six-factor scaling formula, so a first-time Fiduciary with prompt remediation and full cooperation will not draw the headline number — but a Fiduciary who continues to process without a notice, without a Grievance Officer, and without security safeguards after the 13 May 2027 deadline will not get the discount. The cheapest move is to acknowledge the status, then close the gaps with the free tools above. The [interactive checklist](/checklist) sequences the work and tracks progress.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.