If you're reading anything about the DPDP Act 2023, you'll encounter two terms constantly: Data Fiduciary and Data Processor. Understanding which one you are determines your exact legal obligations and liability.
The Definition
Section 2(i) of the DPDP Act defines a Data Fiduciary as:
"Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."
In plain English: if you decide why you're collecting customer data and how you're going to use it — you are a Data Fiduciary. The primary obligations of the DPDP Act fall on you.
The Test: Are You a Data Fiduciary?
Ask yourself these questions:
- Do I decide to collect customer names, phone numbers, or addresses?
- Do I decide what to do with that data — send promotional messages, pass it to a delivery company, use it for analytics?
- Do I decide how long to keep the data?
If yes to any of these — you are a Data Fiduciary. It doesn't matter whether you're a sole proprietor, a private limited company, a partnership, or an individual running a home business.
What is a Data Processor?
A Data Processor is any person who processes personal data on behalf of a Data Fiduciary. They don't make decisions about the data — they just process it as instructed.
Examples of Data Processors you likely use:
- Razorpay / PayU / Cashfree — process payments on your behalf
- Shiprocket / Delhivery — fulfill orders and handle delivery addresses
- Mailchimp / Klaviyo — send emails using your customer list
- AWS / Google Cloud — store your data
- EasyDP — manages consent and DSRs on your behalf
As a Data Fiduciary, you are legally responsible for your Data Processors. If Razorpay misuses your customer's data, you bear responsibility as the Fiduciary who appointed them. You must have a contract (Data Processing Agreement) with each processor that ensures they meet DPDP obligations.
Significant Data Fiduciaries
The government can designate certain Data Fiduciaries as "Significant Data Fiduciaries" (SDF) based on the volume and sensitivity of data they process. SDFs face additional obligations:
- Appointment of a Data Protection Officer (DPO) — must be based in India
- Periodic Data Protection Impact Assessments
- Algorithm audits
The government will publish a list of SDFs. For now, most SMBs will not be designated as SDFs. Large tech platforms, healthcare networks, and financial institutions are the likely first candidates.
Can You Be Both a Fiduciary and a Processor?
Yes. If you build SaaS products that handle customer data on behalf of your clients, you are a Data Processor for your clients. But you are also a Data Fiduciary for the individuals whose data you collect yourself (your employees, users, and subscribers). Many B2B software companies operate in both roles simultaneously.
Why the "Fiduciary" Language?
The choice of the word "fiduciary" — a term borrowed from trust law — is deliberate. A fiduciary has a duty to act in the best interests of the person whose data they hold. The DPDP Act frames data collection not as a right of businesses, but as a trust placed by customers. Violating that trust carries legal consequences.