Data Fiduciary Obligations: Operationalizing Accountability for Personal Data

A data fiduciary determines the purposes and means of processing personal data. The data fiduciary bears primary responsibility for DPDP compliance, including providing notice, obtaining consent, respecting data principal rights, ensuring security, and notifying breaches. A data processor processes personal data on behalf of a data fiduciary, under the data fiduciary's instructions. Data processors have specific obligations under DPDP, including processing only on instructions from the data fiduciary, implementing appropriate security measures, and supporting the data fiduciary's compliance with data principal rights. The distinction matters because the obligations are different, and the same organization can be a data fiduciary for some processing activities and a data processor for others.

The DPDP Act gives the central government discretion to designate significant data fiduciaries based on multiple factors. Without final criteria yet specified, organizations most likely to be designated are those with large volumes of personal data, sensitive data categories, processing that creates significant risk to data principals, and processing that has implications for sovereignty, democracy, or public order. This typically includes large banks, insurance companies, telecommunications operators, e-commerce platforms, healthcare networks, social media platforms, and similar organizations. Organizations with substantial personal data footprints should plan for designation rather than assume they will not be affected.

For significant data fiduciaries that must appoint a DPO, the DPO is responsible for advising the organization on DPDP compliance, monitoring compliance with the Act, cooperating with the Data Protection Board, and serving as a point of contact for data principals. The DPO must have appropriate qualifications and must be positioned within the organization to operate independently in this role. The specific qualifications and structural requirements will be specified through rules. Organizations that anticipate DPO requirements should begin thinking about who will fill the role, what qualifications they need, and how the role will be structured to operate effectively within the existing organizational hierarchy.

Data principal rights under DPDP include the right to access information about processing, the right to correction and erasure, the right to nominate a person to exercise rights in the event of death or incapacity, and the right to grievance redressal. Organizations need workflows that can receive rights requests through accessible channels, validate the identity of the requestor, locate the responsive data across all systems where it resides, evaluate the request against any applicable exceptions, and respond within prescribed timelines. The operational challenge is significant for organizations with personal data spread across multiple systems. Building rights request capability is one of the most concrete operational requirements of DPDP compliance.

The DPDP Act requires data fiduciaries to notify the Data Protection Board and affected data principals of personal data breaches in the manner and within the timelines that the Board will specify. The specific requirements are still being developed through rules and regulations. What is clear is that organizations need detection capability to identify breaches, classification capability to determine which incidents trigger notification obligations, decision-making capability to act within compressed timeframes, and the operational discipline to actually execute notification when required. Organizations that build breach response capability now will be ready when the specific timelines and content requirements are finalized.

DPDP operates alongside sectoral regulatory frameworks rather than replacing them. Organizations subject to RBI, SEBI, IRDAI, or TRAI requirements continue to be subject to those requirements while also being subject to DPDP. In some cases, the requirements align and a single compliance approach satisfies both. In other cases, the requirements differ and the organization must satisfy the more stringent requirement or implement separate compliance for each. The Act includes provisions for the central government to exempt certain data fiduciaries from specific requirements based on the nature of their processing or the sectoral framework they operate under. Organizations should not assume that sectoral compliance equals DPDP compliance, but they should leverage existing sectoral compliance work where possible.

The DPDP Act establishes a Data Protection Board with authority to investigate complaints, conduct inquiries, and impose financial penalties. The maximum penalties are substantial: up to 250 crore rupees per instance for serious violations including failure to take reasonable security safeguards that result in personal data breaches. Additional penalties apply to other categories of violations, with the specific amounts depending on the nature of the violation. Beyond financial penalties, organizations face reputational consequences, operational disruption from enforcement actions, and the broader business consequences of being publicly identified as having violated personal data protection requirements. Compliance investment is significantly cheaper than the cost of enforcement.