India DPDPA: What Data Fiduciary Status Actually Demands

Compliance

The Digital Personal Data Protection Act introduces the Data Fiduciary, a controller equivalent with India-specific obligations. The Significant Data Fiduciary tier raises the bar further. Here is the engineering checklist.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 19, 2024 · 7 min read

India's Digital Personal Data Protection Act passed in August 2023 after seven years of drafts. The implementing rules consultation ran through late 2024, and the first phased enforcement began in 2025 once the Data Protection Board was constituted. We have walked five Indian SaaS companies and three multinationals with Indian operations through DPDPA readiness. The framework looks GDPR-shaped but introduces concepts that do not translate cleanly.

Data Fiduciary is not just controller renamed

The DPDPA uses Data Fiduciary where GDPR uses controller and Data Processor where GDPR uses processor. The terminology shift is not cosmetic. The Act ties specific obligations to fiduciary status that go beyond GDPR's controller obligations.

A Data Fiduciary must give notice in clear and plain language, obtain consent that is free, specific, informed, and unconditional, ensure data accuracy, implement reasonable security safeguards, notify breaches to the Data Protection Board and affected principals, erase personal data when the purpose is no longer served, and respond to grievances. Some of these have GDPR analogues; some do not. The grievance redressal officer is a DPDPA-specific role distinct from a DPO.

The Significant Data Fiduciary tier

Section 10 introduces a tier called Significant Data Fiduciary. The Central Government designates SDFs based on volume and sensitivity of data, risk to electoral democracy, security of the State, and other factors. SDFs face additional obligations: appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments, and undergoing periodic audits.

The first SDF designations in 2025 covered large social media platforms, payment systems, and a handful of healthcare and education platforms. We saw one mid-sized health-tech client get designated based on the sensitivity of their data even though their volume was modest. If you handle children's data, financial data, or health data at scale, plan for SDF status.

Children's data and the verifiable consent problem

Section 9 sets the age of digital consent at 18 and requires verifiable parental consent for processing of children's data. This is stricter than GDPR (which allows member states to set 13 to 16) and stricter than COPPA. The implementing rules clarified that verifiable means using identity tokens issued by the State or other reliable mechanisms.

For an edtech client we work with, this changed their architecture significantly. Their original signup flow assumed a 13-year-old could self-consent. Under DPDPA they had to build a parental verification flow that integrated with DigiLocker and a fallback for international parents. The work took five months. They also had to retrofit consent for existing users under 18, which involved a 90-day campaign and a 12 percent attrition cost.

Engineering checklist

1. Map every processing activity where you act as Data Fiduciary versus Data Processor; the obligations are different
2. Build consent capture that is granular per purpose and includes withdrawal as easily as consent was given
3. Stand up a grievance redressal mechanism with a published officer, response SLA, and audit trail
4. Implement breach notification workflows that file with the DPB and notify principals; the implementing rules specify the format
5. Build erasure capabilities tied to purpose completion, not just data subject request; the Act requires proactive erasure
6. If you might be designated SDF, appoint an India-based DPO and stand up a DPIA programme before the designation lands

Cross-border transfers

DPDPA's transfer regime is more permissive than the original Personal Data Protection Bill drafts feared. Transfers are allowed except to countries on a notified blacklist. As of mid-2025 no countries had been blacklisted. This is the opposite of GDPR's allow-list model and significantly easier for SaaS companies.

However, sector-specific rules can override. RBI mandates payment data localisation. SEBI has its own data residency expectations for capital markets. The DPDPA does not preempt these. If you operate in a regulated sector, the sectoral rule wins.

Penalty structure

DPDPA penalties are tiered, with the maximum at INR 250 crore (roughly 30 million USD) for failure to take reasonable security safeguards leading to a personal data breach. Failure of a Data Fiduciary in connection with the rights of children carries up to INR 200 crore. The Data Protection Board sets the actual amount based on factors including the nature, gravity, and duration of the breach.

These are not the largest fines in global privacy law, but they are large enough to matter for a mid-market Indian SaaS. The companies treating DPDPA as a serious compliance program rather than a checkbox are also the ones winning enterprise deals where Indian buyers asked for DPDPA-aware vendors. Compliance has become a sales asset faster than I expected.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.