DPDP Act Compliance
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is a notable milestone in India's personal data governance journey. The DPDP Act is designed to empower individuals living in India with rights over their personal data / Personally Identifiable Information, and it places accountability for data protection on the organizations handling such data. For leadership teams across industries, understanding the implications of this Act is no longer optional: it is both a regulatory imperative and a business requirement.
DPDP Act - Definitions
The Digital Personal Data Protection Act, 2023 uses terms such as "data fiduciary" and "data principal" that are not common in global privacy laws. The Indian Act is distinctive in this respect, since it seeks to establish an agent-principal relationship (fiduciary responsibility) between the data fiduciary and the data principal.
Data Fiduciary
Definition: Any person (or group) who alone or along with others decides the purpose and means of processing personal data.
Real-world example:
An Indian ride-hailing app determines that voice recordings of passengers will be used for customer service training. It sets both why (purpose) and how (means) that personal data is handled. That app is the Data Fiduciary.
Data Processor
Definition: A person or entity that processes personal data on behalf of a Data Fiduciary, without determining the purpose or means of processing themselves.
Real-world example:
If that ride-hailing app uses a cloud transcription service to convert voice recordings into text per its instructions—but the transcription service doesn’t decide what to do with the data—that transcription service is the Data Processor.
Data Principal
Definition: The individual to whom the personal data relates. For children or persons with disabilities, it also includes their parent or guardian.
Real-world example:
A passenger whose voice is recorded by the ride-hailing app is the Data Principal. If the passenger is a minor, her parent or guardian would also qualify.
Processing
Definition: Any wholly or partly automated operation carried out on digital personal data. This includes actions like collection, recording, organization, storage, adaptation, retrieval, use, combination, disclosure, dissemination, erasure, destruction, etc.
Real-world example:
The app collects and stores voice recordings, sends them for transcription, analyzes them for training purposes, and later deletes older files. All these steps—collection, storage, conversion, use, deletion—are processing.
Data Fiduciary's responsibilities towards data principals
Duty of Care and Loyalty
A Data Fiduciary is entrusted with a Data Principal’s personal data. This creates a duty to act responsibly, transparently, and in the Principal’s interest, just like an agent who must serve the best interests of their principal.
Responsibility Even When Delegated
Under the DPDP Act, the Data Fiduciary remains legally responsible even if a Data Processor mishandles the data. It cannot escape liability by outsourcing. This mirrors how a principal bears responsibility for an agent’s actions when performed on the principal’s instructions.
Control Over Purpose and Means
The fiduciary determines the why and how of data use—it's in control. The Data Processor follows orders. The Principal entrusts data based on these assurances. This structure reflects the agent–principal hierarchy, where the principal exerts authority through the agent.
Fiduciary Duties Embedded
Just like agents owe fiduciary duties—such as honesty, confidentiality, and acting within scope—Data Fiduciaries must safeguard data, notify of breaches, ensure lawful processing, respect consent, and honor correction or erasure requests.
While most global privacy laws, including the EU GDPR, refer to the business that decides the purposes of processing personal data as the "Data Controller", why does the Indian law use the term "Data Fiduciary"?
The answer lies in section 182 of the Indian Contract Act, 1872.
As per this section,
Agent: A person employed to do any act for another, or to represent another in dealings with third persons.
Principal: The person for whom such act is done, or who is so represented.
For example, a lawyer is an agent and his client is the principal. A doctor is an agent and his patient is his principal.
The relationship is rooted in trust and confidence. The agent must act in good faith, avoid conflicts of interest, follow lawful instructions, and keep accurate records. This is also known as fiduciary duty.
The word "fiduciary" is used in the DPDP Act, 2023 to indicate that a business processing individuals' personal data stands in a fiduciary relationship with the data principal, and that data fiduciaries must process personal data transparently, for a lawful purpose, and maintain accurate records of the personal data they hold.
DPDP Act - A historical perspective
India's approach to data privacy has evolved through a combination of legislative measures, regulatory guidelines, and landmark judgements.
The Information Technology Act, 2000
Before the introduction of the DPDP Act in 2023, the IT Act, 2000 served as India's primary legislation governing cyber activities.
Section 43A: Mandates that organizations handling sensitive personal data implement reasonable security practices. Failure to do so can result in liability for damages.
Section 72A: Penalizes the disclosure of personal information without consent, emphasizing the importance of data confidentiality.
Right to Information (RTI) Act, 2005
The RTI Act allows citizens to access information from public authorities. However, it also includes provisions to protect personal data:
Section 8(1)(j): Exempts from disclosure personal information that serves no public interest or could invade individual privacy, balancing transparency with privacy concerns.
Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our DPDP Act consulting clients range from start-ups to large enterprises.
DPDP Act - Challenges
While most businesses understand what the Act is about, translating that understanding into operational readiness can be challenging. A few common issues include:
lack of clarity on data flow mapping
difficulty in implementing consent management
uncertainty about cross-border data transfers
fragmented data security controls
Adding to this complexity, technology stacks often evolve faster than governance policies, making the technical controls for data security an additional challenge.
Why Bellwether for DPDP Act Readiness
Readiness Assessment & Gap Analysis
Bellwether performs a detailed review of your current data handling practices across business units, geographies and vendors. Using our DPDP Control Framework, we identify gaps and categorize them as high, medium or low risk. The assessment covers consent practices, notice mechanisms, grievance redressal protocols, data retention policies, and data transfer procedures.
Policy and Governance Framework
Based on the gaps identified, Bellwether assists in drafting or revising policies such as the Privacy Policy, Consent Notice, Data Retention Policy, and Grievance Redressal Procedures. Bellwether also helps establish governance mechanisms, including the Data Protection Officer (DPO) role, related roles and reporting structures.
Technology Integration
Bellwether works closely with IT teams to ensure systems are equipped to enforce technical and organizational measures. This includes implementing role-based access control (RBAC), encryption of data, secure audit trails, and purpose limitation enforcement. We also guide cookie consent management and enable automation of Data Principal rights workflows.
Vendor Due Diligence and Contracts Review
We assess your third-party vendors (data processors under the Act) to ensure they provide the same level of protection that the law mandates. We also review and redraft data processing clauses in commercial agreements to reflect the accountability and lawful processing principles under the Act.
Training & Awareness
Leadership-focused and employee-focused training modules are delivered to ensure privacy by design principles are embedded across teams. We also conduct high-level overview sessions to help executive teams understand the core principles of the DPDP Act.
Breach Management
We help you design data breach response protocols, with a focus on fulfilling the breach notification requirement towards the Data Protection Board and the affected Data Principals. Our security response plan and procedures help organizations meet this obligation and reduce penalties even when a personal data breach occurs.
Significant Data Fiduciary Support
For Significant Data Fiduciaries, who are subject to additional requirements under the DPDP Act, Bellwether can help with documentation for Data Protection Board inspections, including but not limited to:
Records of Processing Activities (ROPA)
Consent logs
Grievance logs
Data Protection Impact Assessments (DPIA)
Internal audit and reporting
Our Data Privacy regulatory consultants can drive your Enterprise Risk Management
Looking for DPDP Act Compliance Consultant?
Get in touch today to talk to a DPDP Act Compliance Consultant and explore ways to manage your enterprise risk and uncover value.
DPDP Act penalties
Failure to take reasonable security safeguards: if a data breach occurs due to poor security controls.
Failure to inform the Data Protection Board and users about a data breach: if you suffer a data leak and fail to notify the affected Data Principals or the Board.
Processing children's data without the required safeguards and parental consent: if you collect data from children but fail to follow the Act.
Failure to address Data Principal (user) rights: if a Data Principal asks to access, delete or correct their data and you don’t respond.
Non-compliance by Significant Data Fiduciaries: if a Significant Data Fiduciary doesn’t appoint a DPO or perform audits as required.
Understand your privacy risk.
Evaluate your data security processes.
Stay compliant.
Avoid penalties!
DPDP Act Compliance - Lead Consultant
The author heads the Cybersecurity and Data Privacy Compliance practice at Bellwether. At Bellwether, he has been advocating the core principles of the EU GDPR, such as data minimization, purpose limitation, explicit consent, and privacy by design and default. Apart from delivering end-to-end consulting engagements on the DPDP Act, 2023, EU GDPR, HIPAA, PCI DSS, FDA 21 CFR Part 11 and NIST CSF, he leads the data privacy and infosec consulting practice at Bellwether with a team of experienced consultants in the field of global data privacy regulations.
LinkedIn: https://in.linkedin.com/in/balu0103