1. DPDP Compliance Overview

This framework is designed to ensure that personal data is protected and processed in a lawful, fair, transparent, and secure manner. It establishes principles and controls to ensure that personal data is collected and used only for clearly defined, specific, and legitimate purposes, with appropriate technical and organizational safeguards maintained throughout the data lifecycle.

This framework recognizes and supports the statutory rights of Data Principals and provides defined mechanisms that enable individuals to access, review, correct, update, or request deletion of their personal data, and to withdraw consent where applicable, through structured and accessible processes.

This framework applies across all digital platforms, applications, systems, and processes where personal data is collected, stored, used, shared, or otherwise processed.

2. Applicability & Scope

Applicability

In accordance with Section 3 of the DPDP Act, this framework applies to:

  • Personal data collected in digital form.
  • Personal data initially collected in non-digital form and subsequently digitized.
  • Processing carried out within India.
  • Processing carried out outside India where goods or services are offered to individuals in India.

Scope

This framework covers personal data relating to:

  • Customers and users
  • Employees, interns, and contractors
  • Vendors, partners, and service providers
  • Website, application, and platform visitors

Anonymized data and non-personal data processed for lawful business purposes are excluded from scope.

3. Role of the Organization under DPDP

The organization performs its obligations under DPDP based on its role in each processing activity:

Data Fiduciary: Where the organization determines the purpose and means of processing personal data. (Section 2(i))

Explanation on Data Fiduciary

A Data Fiduciary is an entity (organization/company) that decides why personal data is collected and how it will be used. Under the DPDP Act, 2023, the Data Fiduciary is mainly responsible for collecting data lawfully, being clear with people about how their data is used, protecting the data, and making sure individuals can exercise their data protection rights.

Under India’s Digital Personal Data Protection (DPDP) Act, 2023, a Data Fiduciary is an organization that determines why and how personal data is processed.

As a Data Fiduciary, company/organization takes full responsibility for ensuring personal data is handled lawfully, transparently, and securely.

Purpose Limitation

  • Personal data is collected only for specific, lawful, and clearly defined purposes.

Data Minimization

  • Only data that is necessary for providing our services is collected.

Transparency

Users are informed about:

  • What data is collected
  • Why and how it is used
  • Retention period
  • How rights can be exercised

Valid Consent

  • Personal data is processed only with free, informed, and explicit consent where required.

Easy Consent Withdrawal

Users can withdraw consent at any time through simple and accessible mechanisms.

Data Processor: Where the organization processes personal data on behalf of another Data Fiduciary under contractual instructions. (Section 2(k))

Role determination is conducted on an activity-by-activity basis and documented to ensure clear accountability and regulatory traceability.

Explanation on Data Processor

A Data Processor is a third party that processes personal data only on the instructions of a Data Fiduciary and does not decide the purpose or means of processing.

Common examples include:

  • Cloud & hosting providers
  • SaaS tools (CRM, payroll, email, and analytics)
  • IT & customer support vendors
  • Data storage and backup providers

A processor may store, organize, analyze, transfer, secure, retrieve, or delete data strictly as instructed by the Data Fiduciary. They cannot reuse, repurpose, or independently decide on data use.

4. Personal Data Processing Context

Categories of Personal Data

The organization processes personal data limited to what is necessary for defined purposes, including:

  • Identity and contact information
  • Employment and professional data
  • Customer and account-related data
  • Vendor and business contact information
  • System-generated identifiers, logs, and access records

What is Personal Data? (Section 2(m) of the DPDPA)

  • Personal data is any data that can identify an individual, directly or indirectly.
  • This includes names, contact details, IDs, financial data, health information, online identifiers, location data, photographs, and user behavior data.
  • If a person can be identified now or in the future, the data is personal data.

Why is Personal Data regulated?

Personal data represents:

  • An individual’s identity
  • Their privacy
  • Their financial and personal safety

Uncontrolled use or misuse can lead to:

  • Identity theft
  • Financial fraud
  • Surveillance and profiling
  • Discrimination and reputational harm

The DPDP Act exists to protect individuals and build trust, while allowing legitimate digital use of data.

How Personal Data Must Be Handled

  1. Lawful Collection
    • Data must be collected for specific and legitimate purposes.
    • Consent must be free, informed, and explicit, unless legally exempt.
  2. Minimal & Fair Use
    • Only data necessary for the purpose may be collected; no excessive or unrelated data.
  3. Transparency
    • Individuals must be informed about:
        • What data is collected
        • Why it is collected
        • How it is used and shared
        • How long it is retained
        • How to exercise their rights
  4. Secure Processing
    • Organizations must implement access controls, encryption, monitoring, secure storage, and vendor security checks.
  5. Controlled Sharing
    • Data may be shared only with authorized processors, and processors must act strictly under written instructions.
  6. Storage Limitation
    • Data must be deleted once the purpose is fulfilled. There should not be indefinite retention. Data must be retained only for the period specified in the legal agreement between the client and the organization.
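The Data Fiduciary principles above (purpose limitation, valid consent, easy withdrawal) and the handling rules in this list describe a gate that should run before every processing operation. The following is an added example, not code from the original framework, showing one way to implement that gate as a consent ledger with an audit trail: the purposes, principal IDs, and the `legally_required` purpose label are constructed assumptions, and which purposes survive a withdrawal is a legal determination the code only parameterizes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass
class ConsentRecord:
    """One Data Principal's consent as captured from the notice they accepted."""
    principal_id: str
    purposes: FrozenSet[str]               # purposes stated in the consent notice
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    # Purposes that continue after withdrawal because a law requires them
    # (hypothetical labels; the actual set is fixed by legal advice, not by code).
    legally_required: FrozenSet[str] = frozenset()


@dataclass
class Decision:
    allowed: bool
    reason: str


class ConsentLedger:
    """Store of consents plus an append-only audit trail of every gate decision."""

    def __init__(self) -> None:
        self._records = {}
        self.audit: List[dict] = []

    def record_consent(self, rec: ConsentRecord) -> None:
        self._records[rec.principal_id] = rec

    def withdraw(self, principal_id: str, at: datetime) -> None:
        # Withdrawal must be as easy as giving consent: one call, no conditions.
        self._records[principal_id].withdrawn_at = at

    def may_process(self, principal_id: str, purpose: str, now: datetime) -> Decision:
        """Gate evaluated before every processing operation on this principal's data."""
        rec = self._records.get(principal_id)
        if rec is None:
            decision = Decision(False, "no consent on record for this principal")
        elif purpose in rec.legally_required:
            decision = Decision(True, "processing required by law; consent is not the basis")
        elif purpose not in rec.purposes:
            decision = Decision(False, f"purpose '{purpose}' was not in the consent notice")
        elif rec.withdrawn_at is not None and now >= rec.withdrawn_at:
            decision = Decision(False, "consent withdrawn; stop processing and schedule erasure")
        else:
            decision = Decision(True, "consent in force for this purpose")
        # Every decision, allowed or denied, is logged for accountability reviews.
        self.audit.append({"principal": principal_id, "purpose": purpose,
                           "at": now.isoformat(), "allowed": decision.allowed,
                           "reason": decision.reason})
        return decision


def demo() -> List[Decision]:
    """Constructed walk-through: consent given, an out-of-scope purpose, then withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent(ConsentRecord(
        principal_id="p-001",
        purposes=frozenset({"order_fulfilment", "service_emails"}),
        given_at=t0,
        legally_required=frozenset({"tax_records"}),
    ))
    results = [
        ledger.may_process("p-001", "order_fulfilment", t0),     # allowed
        ledger.may_process("p-001", "marketing_profiling", t0),  # denied: not consented
    ]
    ledger.withdraw("p-001", t0.replace(hour=12))
    results += [
        ledger.may_process("p-001", "service_emails", t0.replace(hour=13)),  # denied: withdrawn
        ledger.may_process("p-001", "tax_records", t0.replace(hour=13)),     # allowed: legal duty
        ledger.may_process("p-999", "order_fulfilment", t0),                 # denied: unknown
    ]
    return results


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The order of the checks is the policy: a legally required purpose is evaluated first because consent is not its basis, an unlisted purpose is refused regardless of withdrawal state, and a withdrawn consent is refused for everything else. The audit list is what a reviewer would sample to show that purpose limitation is enforced rather than merely stated.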

What if Personal Data is LEAKED?

A data breach under DPDP is not just an IT issue; it is a legal failure. It can have an immediate impact on business continuity, harm the affected individuals, and lead to loss of customer trust and reputational damage to the organization. Data leakage can also cause operational disruption and carry legal consequences. A mandatory breach response, including cooperation with the authorities, is therefore a prerequisite, and failure to adhere to it can result in penalties of up to ₹250 crore for the organization.

Note: Liability remains with the Data Fiduciary, even if the breach occurs at a third-party processor.

A breach of personal data can damage the organization's brand and market trust over time, as well as hurt its credibility with the public, cause customers to leave, and make partners and investors less confident in the company.

Purpose Limitation

Personal data is processed strictly for specified, explicit, and lawful purposes and is not retained or reused beyond those purposes unless legally required.

Data Lifecycle

  • Collection through digital channels and authorized interfaces
  • Validation and lawful use based on consent or legitimate use
  • Secure storage with role-based and need-to-know access
  • Controlled sharing with authorized internal and external parties
  • Retention aligned to purpose and statutory requirements
  • Secure deletion or irreversible anonymization

How Data Leakage Happens

1. Inadequate Security Controls Exist

Data leakage usually starts with control weaknesses, not attacks. Common gaps include weak or reused passwords, lack of multi-factor authentication, excessive user privileges, unpatched systems, insecure APIs, poor logging, misconfigured cloud storage, or insufficient vendor oversight.

In many cases, security controls exist but are not consistently enforced or monitored.

2. Exposure or Access Path Is Created

An access path emerges due to phishing, credential theft, malware, insider misuse, configuration errors, lost devices, insecure file sharing, or vendor-side weaknesses.

Importantly, no malicious intent is required: human error and automation failures are common triggers.

3. Unauthorized or Excessive Access Occurs

An unauthorized individual, or an authorized user exceeding their legitimate access, gains the ability to view, query, or interact with personal or sensitive data.

This may happen silently without triggering alerts if monitoring controls are weak.

4. Data Is Exposed, Extracted, or Transmitted

The data may be copied, downloaded, emailed, synced to personal devices, accessed via APIs, or exposed publicly through open links or cloud buckets.

In some cases, data is exfiltrated gradually to avoid detection rather than in a single event.

5. Leakage Is Detected

Detection may occur through security alerts, anomaly monitoring, audit findings, vendor notifications, customer complaints, regulatory inquiries, or media reports.

Many incidents remain undetected for weeks or months due to limited logging or alert fatigue.

6. Incident Response and Containment Actions

Once detected, immediate steps are taken to contain the incident: revoking access, isolating affected systems, disabling exposed links, resetting credentials, applying patches, and stopping further data flow.

Evidence is preserved for investigation and compliance requirements.

7. Investigation, Notification, and Remediation

The root cause is analyzed, affected individuals and regulators are notified where legally required, vendors are assessed, and corrective measures are implemented.

This includes strengthening controls, updating policies, retraining staff, and improving monitoring to prevent recurrence.
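Steps 3 to 5 above describe excessive access that proceeds silently, extraction spread over time to stay under per-query limits, and detection that depends on monitoring. The following is an added example, not code from the original framework, showing two detection checks run over a constructed data-access log: a need-to-know check (does the user's role have any business with the table?) and a sliding-window row count per user, which surfaces slow-drip extraction that a single-query threshold would miss. The log format, the role-to-table matrix, the 24-hour window and the 500-row threshold are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of a data-access log (not real data). Each line records one
# query against a table holding personal data.
SAMPLE_LOG = """\
2024-05-01T09:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T09:05:00 user=bob role=finance action=read table=invoices rows=15
2024-05-01T09:10:00 user=carol role=analyst action=read table=customers rows=10
2024-05-01T10:30:00 user=alice role=support action=read table=customers rows=60
2024-05-01T11:00:00 user=dave role=support action=export table=tickets rows=5000
2024-05-01T12:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T14:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T16:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T18:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T20:00:00 user=alice role=support action=read table=customers rows=60
2024-05-01T22:00:00 user=alice role=support action=read table=customers rows=60
2024-05-02T00:30:00 user=alice role=support action=read table=customers rows=60
"""

# Hypothetical need-to-know matrix: the tables each role may touch at all.
ROLE_TABLES = {
    "support": {"tickets", "customers"},
    "finance": {"invoices", "customers"},
    "analyst": {"events_anon"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped here; in production, count them
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def detect(events: List[dict], window: timedelta = timedelta(hours=24),
           row_threshold: int = 500) -> List[dict]:
    """Flag (a) access outside the role's scope and (b) per-user row volume over a
    sliding window, which catches slow extraction that a per-query limit misses."""
    alerts = []
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["table"] not in ROLE_TABLES.get(e["role"], set()):
            alerts.append({"type": "scope_violation", "user": e["user"],
                           "table": e["table"], "ts": e["ts"].isoformat()})
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["rows"]
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                total -= evs[start]["rows"]
                start += 1
            if total > row_threshold:
                alerts.append({"type": "volume", "user": user, "rows": total,
                               "queries": i - start + 1, "ts": e["ts"].isoformat()})
                break  # one alert per user per run is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

In the constructed log, no single query by `alice` exceeds 60 rows, yet nine of them inside one window add up to 540 rows and trigger the volume alert; `dave` trips the same alert with one bulk export, and `carol` is flagged on scope alone even though she read only ten rows. The two checks are deliberately independent because they answer different questions (should this role be here at all, versus how much is being taken), and both depend on the access log actually carrying the user, role, table and row count, which is the logging gap step 5 warns about.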

6. Rights of Data Principals

In accordance with Section 12 of the DPDP Act, the organization enables Data Principals to exercise their rights, including:

  • Access to information about personal data processing
  • Correction of inaccurate or incomplete personal data
  • Erasure of personal data no longer required
  • Grievance Redressal
  • Nomination of a representative in case of death or incapacity

Note: Requests are subject to identity verification and are addressed within prescribed timelines.

7. Data Security & Safeguards

Security Measures

As required under Section 8, the organization must implement reasonable technical and organizational safeguards, including:

  • Role-based access controls
  • Encryption and secure transmission mechanisms
  • Logging and monitoring of data access
  • Secure system configuration and patching
  • Periodic risk assessments and reviews

Personal Data Breach Management

A personal data breach includes unauthorized access, disclosure, alteration, loss, or destruction of personal data.

The organization maintains an incident response mechanism to:

  • Detect and assess data breaches
  • Notify the Data Protection Board of India where required
  • Inform affected Data Principals where applicable
  • Implement corrective and preventive actions

8. Data Retention & Deletion

Personal data must be retained only for as long as necessary to fulfill the stated purpose or comply with legal and regulatory requirements.

Retention schedules are to be defined and reviewed periodically. Upon completion of purpose or withdrawal of consent, personal data must be securely deleted or irreversibly anonymized.
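The retention rule above has several inputs that interact: a schedule per data category, the date the purpose was fulfilled, consent withdrawal, legal holds, and the choice between deletion and irreversible anonymization. The following is an added example, not code from the original framework, of a retention sweep that resolves those inputs into one action per record; the schedule values, categories, and sample inventory are constructed, and the real periods come from the client agreement and applicable law.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention schedule: days to keep a record after its purpose is
# fulfilled. Real periods come from the client contract and applicable law.
RETENTION_DAYS = {
    "customer_account": 90,
    "employee_record": 365,
    "vendor_contact": 180,
    "access_log": 30,
}
# What to do when the period expires: delete outright, or keep an anonymized copy
# (assumed here only for access logs, where aggregate statistics remain useful).
ON_EXPIRY = {"access_log": "anonymize"}

# Direct identifiers an anonymized copy must not carry. Hashing them would only
# pseudonymize (an e-mail hash can be matched by dictionary), so they are dropped.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ip", "user_id"}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: Optional[date]   # None while the purpose is still active
    attributes: dict
    consent_withdrawn: bool = False
    legal_hold: bool = False


def retention_action(rec: Record, today: date) -> str:
    """Decide the action for one record; the order of the checks is the policy."""
    if rec.legal_hold:
        return "retain:legal_hold"          # statutory duty overrides the schedule
    if rec.consent_withdrawn:
        return "delete"                     # withdrawal ends the basis for keeping it
    if rec.category not in RETENTION_DAYS:
        return "review:no_schedule"         # an unscheduled category must not linger silently
    if rec.purpose_fulfilled_on is None:
        return "retain:purpose_active"
    expiry = rec.purpose_fulfilled_on + timedelta(days=RETENTION_DAYS[rec.category])
    if today > expiry:
        return ON_EXPIRY.get(rec.category, "delete")
    return "retain:within_period"


def anonymize(rec: Record) -> dict:
    """Irreversible: drop every direct identifier and coarsen the timestamp to a month."""
    kept = {k: v for k, v in rec.attributes.items() if k not in DIRECT_IDENTIFIERS}
    if "timestamp" in kept:
        kept["timestamp"] = kept["timestamp"][:7]   # "2024-04-01T10:00" -> "2024-04"
    kept["category"] = rec.category
    return kept


def plan_sweep(records: List[Record], today: date) -> Dict[str, str]:
    """Map every record to its action; the caller executes deletes/anonymizations."""
    return {r.record_id: retention_action(r, today) for r in records}


SAMPLE_RECORDS = [  # constructed inventory, not real data
    Record("r1", "customer_account", date(2024, 1, 15), {"name": "A. Example", "email": "a@example.invalid"}),
    Record("r2", "customer_account", date(2024, 5, 1), {"name": "B. Example"}),
    Record("r3", "employee_record", date(2023, 1, 1), {"name": "C. Example"}, legal_hold=True),
    Record("r4", "vendor_contact", None, {"name": "D. Example"}),
    Record("r5", "access_log", date(2024, 4, 1), {"ip": "192.0.2.10", "user_id": "u-77",
                                                  "timestamp": "2024-04-01T10:00", "endpoint": "/login"}),
    Record("r6", "customer_account", None, {"name": "E. Example"}, consent_withdrawn=True),
    Record("r7", "marketing_list", date(2024, 1, 1), {"email": "f@example.invalid"}),
]


if __name__ == "__main__":
    for rid, action in plan_sweep(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(rid, action)
```

Two design points matter for a reviewer. A category with no schedule is reported for review rather than retained by default, so a new data store cannot accumulate personal data indefinitely just because nobody added it to the table. And anonymization removes identifier fields outright; a hashed e-mail or IP is still personal data under the "identified now or in the future" test, so it would not satisfy the irreversibility the framework requires.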

9. Third-Party & Vendor Management & Cross-Border Data Transfers

Data Processors

Where Data Processors are engaged:

  • Processing is governed by written contracts
  • Processors act only on documented instructions
  • Confidentiality and security obligations are enforced
  • Compliance is periodically reviewed

(A Data Processor is defined in Section 2(k) of the DPDPA.)

Vendor Management

To comply with Section 8 obligations, the organization must maintain a formal vendor management framework to ensure that all third-party vendors, processors, and service providers handling personal data comply with applicable data protection, confidentiality, and security requirements.

Vendors are classified based on risk, data sensitivity, and processing scope. Contractual agreements define roles and responsibilities, purpose limitation, data security obligations, audit rights, breach notification timelines, and termination or remediation actions in case of non-compliance.

Vendor compliance is to be monitored throughout the engagement lifecycle to mitigate legal, operational, and reputational risks.

Vendor Due Diligence & Ongoing Oversight

Vendor due diligence is a mandatory control conducted prior to onboarding and periodically thereafter, proportionate to the risk posed by the vendor and the nature of personal data processed. Due diligence includes evaluation of the vendor’s data protection governance, technical and organizational security measures, access controls, incident and breach response procedures, use of subcontractors, data retention practices, and safeguards for cross-border data transfers, where applicable. Evidence-based assessments, such as policy reviews, security certifications, questionnaires, and audits, are used to validate compliance. Vendors failing to meet minimum data protection requirements are not onboarded or are subject to corrective actions.

Cross-Border Transfers

Personal data may be transferred outside India only to countries or territories notified by the Central Government, subject to applicable safeguards.

10. Governance & Accountability Structure

DPDP compliance is governed through:

  • Senior management oversight
  • Defined internal roles and responsibilities
  • Departmental SPOCs for data protection
  • Escalation and decision-making mechanisms

Where applicable, the obligations of Significant Data Fiduciaries (Section 2(o)), such as appointment of a Data Protection Officer, DPIAs, and audits, are fulfilled.

Significant Data Fiduciaries (SDF)

A Significant Data Fiduciary (SDF) under India’s DPDP Act, 2023 is an organization designated by the Government based on the scale, sensitivity, and risk of its personal data processing.

This classification applies to entities whose data practices can significantly impact individuals, public order, or national interest.

For instance: digital platforms and large online services, FinTech companies, healthcare and HealthTech providers, EdTech and child-focused platforms, government-linked and public service platforms, and AI and analytics companies.

The SDF framework follows a risk-based approach. Organizations that process large volumes of personal data or use advanced technologies are subject to higher accountability.

Once designated, an SDF must meet additional obligations, including appointing a Data Protection Officer in India, conducting Data Protection Impact Assessments (DPIAs), undergoing independent audits, and implementing enhanced security and governance controls.

SDF compliance is operational, not just policy-driven. It requires strong oversight of data processing, vendors, consent mechanisms, and security practices. The objective is to ensure that organizations with greater data power handle personal data responsibly, protect user rights, and maintain trust.

11. Grievance Redressal Mechanism Section 5(2)

A Grievance Officer must be designated to address complaints and queries from Data Principals.

The duties of Data Principals are set out in Section 14 of the DPDPA.

Grievances can be raised through designated communication channels and are resolved within statutory timelines. Unresolved grievances may be escalated to the Data Protection Board of India.

12. Training, Monitoring & Continuous Improvement

Employees and relevant stakeholders should receive periodic training on DPDP obligations, secure data handling, and incident reporting.
The organization should conduct regular compliance reviews, internal audits, and gap assessments to ensure continuous improvement and alignment with regulatory developments.

13. Updates to These Guidelines and Knowledge Base

This framework is reviewed and updated periodically to reflect changes in law, regulatory guidance, business processes, and risk posture. The effective date and version history are maintained for transparency.