Updated At Mar 18, 2026

India DPDPA 2023 Leadership Guide 18 min read
Data Processors vs Data Fiduciaries: Operational Responsibilities Explained
A business-style piece for business buyers that explains data processors vs data fiduciaries— operational responsibilities explained and turns policy requirements into an operating plan for leadership teams.

Key takeaways

  • Under the DPDPA, the data fiduciary decides the “why and how” of processing; the data processor executes processing on documented instructions only.
  • For global programmes, treat data fiduciaries as broadly equivalent to GDPR controllers and processors as roughly aligned to GDPR processors, but adapt for India-specific nuances.
  • Legal accountability, penalties, and most obligations sit with data fiduciaries; processors are bound mainly through contracts, security duties, and oversight expectations.
  • A practical DPDPA operating model needs clear ownership (board, CXOs, DPO, CISO, product, procurement), a RACI matrix, and uplifted data processing agreements.
  • Many Indian organisations are both fiduciary and processor in different lines of business; mapping roles across group entities and vendors is a critical first 90-day task.
  • Use DPDP Rules 2025 timelines as the outer boundary but work backward from board-level risk appetite to phase discovery, contract remediation, and control implementation.

Why fiduciary versus processor roles are a board-level issue in India

The Digital Personal Data Protection Act, 2023 (DPDPA) converts personal data handling from a purely IT or legal topic into a core governance issue. The law introduces substantial monetary penalties for a range of contraventions, especially around security safeguards and handling of children’s data and breaches.[1]
For Indian organisations, the single biggest design choice is how you split responsibilities between “data fiduciaries” and “data processors” across your own group entities, shared services, and external vendors. That split drives who is on the hook when something goes wrong, who must respond to data principal requests, and where you need board visibility versus vendor assurance.
  • Risk: Misclassifying a critical vendor as “just a processor” can leave you carrying liability without the contractual levers to manage it.
  • Growth: Data-driven products, AI models, and cross-border services depend on clear fiduciary–processor roles to satisfy enterprise customers and regulators.
  • Cost: A well-designed operating model avoids over-engineering (treating everyone as a fiduciary) and under-engineering (assuming outsourcing shifts accountability).
The DPDPA defines a data fiduciary as the person who alone or jointly determines the purpose and means of processing of personal data. A data processor is any person who processes personal data on behalf of a data fiduciary.[1]
The Act covers digital personal data – personal data in digital form, and personal data in non-digital form that is digitised. This makes DPDPA relevant not only for native-digital businesses but also for traditional enterprises with paper-based processes that are being scanned or entered into systems. For global organisations, the closest equivalents are:[1]
High-level mapping between DPDPA and GDPR roles (for global programmes).[5]
DPDPA concept Approximate GDPR equivalent Who decides purpose & means?
Data fiduciary Data controller (broadly analogous) Yes – determines why and how personal data is processed.
Data processor Processor (broadly analogous) No – processes only on documented instructions of the fiduciary.

Applying the roles to real-world Indian business models

The easiest way to internalise fiduciary versus processor responsibilities is to test them against your own sector and data flows. The table below uses typical Indian models; your exact position will depend on contracts and factual control.
Illustrative fiduciary/processor roles across common Indian business models (simplified).
Sector / model Typical role(s) under DPDPA Practical notes for leadership teams
Banks & large NBFCs (retail lending, deposits, cards) Primarily data fiduciaries vis-à-vis customers; may act as processors to other institutions in co-branded or white-label arrangements. Core banking, KYC, and risk models are typically under your control; outsourcing to IT/BPO or cloud providers does not shift fiduciary accountability.
Insurers (life, health, general) and TPAs Insurers are usually fiduciaries; TPAs often act as processors, but may be fiduciaries for their own analytics, fraud monitoring, or marketing uses. Claims handling chains can involve multiple fiduciaries and processors; map each data flow (policyholder, family members, health data) explicitly.
IT services & BPO providers (captive and third-party) Frequently processors to global or Indian enterprise clients; may be fiduciaries for HR, internal systems, and proprietary products or platforms they operate directly with end users. When you only process client data under strict instructions, you are a processor; when you decide what data to collect from your own platform’s users, you are a fiduciary for that activity.
SaaS platforms (CRM, HRMS, analytics, martech, fintech SaaS) Often processors to business customers using the platform; may be co-fiduciaries where they directly determine purposes (e.g., use of telemetry, product analytics, AI models trained on customer data). Product teams should perform a use-case-by-use-case assessment: customer CRM data likely processed as a processor; platform’s own behavioural analytics more likely as fiduciary and must be addressed in notices and contracts.
Marketplaces & aggregators (e-commerce, travel, food delivery, gig platforms, financial marketplaces) Typically data fiduciaries vis-à-vis end customers and partners; may also act as processors to merchants or lenders for specific services (e.g., onboarding, KYC). Because platforms design the ecosystem, algorithms, and most engagement rules, regulators are likely to see them as fiduciaries for a wide range of processing operations, including profiling and recommendations.
Logistics, delivery, and mobility providers Usually fiduciaries for their own apps and drivers/partners; may be processors for enterprise shippers or marketplaces that dictate data use policies. Telematics, route optimisation, and tracking can generate rich behavioural data; clarify whether this is used only to deliver contracted services (processor role) or for independent purposes (fiduciary role).
HR & payroll service providers (including employer-of-record models) Commonly processors to employer-clients, but fiduciaries for their own workforce and for any value-added analytics or benchmarking they run on aggregated HR data. Because employee data is sensitive from a labour-relations perspective, organisations should explicitly classify which HR processes they retain as fiduciaries and which are safely outsourced under strict processor terms.
For each major business line, leadership teams should ask:
  • Who designed this data use and who can change it – us, a partner, or both?
  • Do we decide which data is collected, for how long, and for which new use cases, or do we act purely on customer or client instructions?
  • If a data principal complains or exercises a right, who is realistically expected to respond – us or our vendor?
Diagram mapping common Indian business models to fiduciary, processor, and mixed-role positions.

End-to-end obligations that remain with data fiduciaries

Under the DPDPA, accountability largely stays with the data fiduciary, even when processing is outsourced. The Act sets out a series of duties around lawful processing, data principal rights, security safeguards, and oversight of processors.[1]
  • Lawful basis, notice, and consent: Ensure there is a valid legal ground (typically consent or legitimate use as permitted), provide clear and itemised notice, and record/manage consents or withdrawals.
  • Purpose limitation and data minimisation: Collect and process only what is necessary for clearly specified purposes, and avoid incompatible secondary uses without fresh consent or another lawful basis.
  • Children’s data: Implement higher standards for processing children’s personal data, including verifiable parental consent and additional safeguards as prescribed.[1]
  • Security safeguards: Implement reasonable technical and organisational measures to prevent personal data breaches, including measures you require of your processors through contracts.[1]
  • Breach notification and response: Detect, investigate, and notify prescribed authorities and affected individuals of qualifying personal data breaches in the manner and timelines that may be specified by rules.[1]
  • Data principal rights: Enable access, correction, erasure, grievance redressal, and choice mechanisms, with appropriate authentication and logging across your own systems and processor ecosystem.[1]
  • Retention and deletion: Define retention policies aligned to legal and business needs, and ensure timely deletion or anonymisation in your systems and at processors once purposes are met.
  • Vendor oversight: Select processors capable of meeting DPDPA requirements, bind them via contract, and monitor their performance – including sub-processors – on an ongoing basis.[6]
To turn these legal duties into an operating plan, data fiduciaries can work through the following sequence:
  1. Inventory processing activities where you are the data fiduciary
    Start with customer, employee, and critical partner data. For each processing activity, confirm that your organisation decides the purposes and key means of processing.
  2. Map obligations to controls and owners
    For every activity, map which DPDPA obligations apply (notice, consent, rights, security, breach response) and assign accountable owners in legal, product, security, and operations teams.
  3. Identify processors and sub-processors supporting each activity
    List all service providers, group entities, and cloud platforms that handle the relevant personal data. Note where they further outsource to sub-processors or hyperscale cloud providers.
  4. Uplift contracts and technical measures
    Update data processing agreements, SLAs, and security requirements so that processors can help you discharge your fiduciary duties – including support for rights requests, deletion, and breach handling.
  5. Set up monitoring, reporting, and testing
    Define KPIs and reporting for privacy incidents, rights request handling, consent metrics, and vendor performance, and align them with board or risk committee dashboards.

What compliant data processors must do in practice

While the DPDPA places primary legal accountability on data fiduciaries, processors – including IT/BPO firms, SaaS providers, and shared service centres – are under increasing scrutiny from both regulators and enterprise customers. Their obligations flow mainly from contracts and the Act’s expectations around security and lawful processing.[2]
  • Process only on documented instructions: Implement procedures to accept, record, and execute customer instructions, including limitations on combining or repurposing data for your own analytics or AI models unless clearly authorised.
  • Embed security by design: Maintain technical and organisational measures aligned to industry standards and contractual commitments, including access controls, encryption where appropriate, logging, and incident management.[6]
  • Support data principal rights: Develop APIs, admin consoles, or operational playbooks to support your clients in meeting access, correction, deletion, and portability requests within agreed timelines.
  • Manage sub-processors: Maintain an inventory of sub-processors, perform due diligence, and give fiduciary customers transparency and (where agreed) approval rights for any changes.[2]
  • Incident and breach cooperation: Detect and investigate security incidents, notify affected fiduciary clients promptly in line with contract SLAs, and help them meet their statutory notification duties.
  • Cross-border transfers and localisation: Only transfer personal data outside India or to new locations where contracts permit it and agreed safeguards are in place, taking into account any evolving rules on international data flows.[3]

Designing a DPDPA operating model and RACI for your organisation

Most Indian organisations already operate some form of privacy or information security programme, especially if they are regulated by RBI, SEBI, IRDAI, or handle EU data. The gap under DPDPA is often clarity of role and accountability: who, in practice, acts as the fiduciary for which data sets, and who runs processor obligations across group entities and vendors.
Illustrative RACI snippet for key DPDPA responsibilities (to be adapted for your context).
Activity / decision Board / risk committee DPO / privacy head CISO / security Product / BU head Procurement / vendor risk
Define and approve overall DPDPA risk appetite and role strategy (fiduciary vs processor split). A C C R C
Approve privacy policy, notices, and approach to data principal rights handling across all fiduciary activities. C A/R C R I
Select, contract, and monitor data processors and sub-processors used in fiduciary activities. I C C C/R A/R
Manage security controls and incident response across fiduciary and processor environments. I C A/R R C
A pragmatic sequence for designing your DPDPA operating model:
  1. Define your role taxonomy and decision principles
    Adopt clear definitions of when the organisation will treat itself as a data fiduciary, a processor, or both, and how this interacts with existing GDPR or sectoral classifications.[5]
  2. Create a central data inventory and role register
    Catalogue major systems, data sets, and processing activities, and record for each whether you are acting as fiduciary, processor, or joint fiduciary – and which legal entity inside your group is in that role.
  3. Align governance bodies and reporting lines to roles
    Clarify which committees and executives oversee fiduciary responsibilities (often a privacy or risk steering committee) versus processor responsibilities (often delivery and operations leadership).
  4. Standardise DPA templates and playbooks
    Develop standard data processing agreement templates for when you act as fiduciary (buy-side) and when you act as processor (sell-side), with playbooks for which clauses are negotiable and which are not.
  5. Embed responsibilities into project and vendor lifecycles
    Update product development, change management, procurement, and vendor onboarding processes to require a fiduciary/processor role classification and privacy review at the design stage.
High-level operating model for allocating DPDPA responsibilities across leadership roles.

Structuring data processing agreements and allocating risk

A robust data processing agreement (DPA) is where the theory of fiduciary–processor roles becomes operational. For Indian organisations, DPAs must work in tandem with the DPDPA, sectoral requirements, and any global frameworks you already operate under.
Key clauses to address in DPAs between data fiduciaries and processors.
Clause / topic Fiduciary focus Processor focus
Scope of processing and documented instructions Define purposes, categories of data, data subjects, and permitted operations. Reserve the right to update instructions and to stop unlawful processing immediately. Ensure scope is precise and technically feasible; avoid vague language that could make you look like a fiduciary for your customer’s decisions.
Security measures and certifications Specify minimum controls (e.g., encryption, access management, logging, business continuity) and require notification of material security changes and incidents. Align commitments to your actual controls and audit reports; avoid promising “gold-plated” security on paper while running “bronze” in operations.
Sub-processing and international transfers Control where data goes and who can access it. Require notice (and where appropriate, consent) for new sub-processors and for offshoring or cross-border transfers, considering evolving DPDPA rules.[3] Seek pre-approved lists or risk-based approval mechanisms; ensure you can actually manage and contractually bind your own sub-processors to equivalent obligations.
Support for data principal rights and retention/deletion Require timely execution of access, correction, and deletion instructions, and clear processes for end-of-contract data return or deletion in line with your retention policies.[6] Set realistic SLAs based on system capabilities; clarify any limitations (e.g., immutable backups) and how you will handle them in practice.
Audit, reporting, and assurance rights Secure rights to review security and privacy controls via reports, questionnaires, and, for high-risk processing, on-site or third-party audits, balanced against practicality. Offer proportionate assurance mechanisms (e.g., third-party certifications, pooled audits) to avoid operational disruption from multiple overlapping customer audits.
Indemnities, liability caps, and insurance Seek meaningful recourse where processor failures contribute to regulatory penalties or large-scale harm, while recognising you remain primarily accountable under DPDPA.[1] Avoid uncapped liability for all data events; propose differentiated caps and insurance-backed coverage for specific risk categories (e.g., security breaches vs minor SLA breaches).
From a negotiation standpoint, leadership teams should be clear on:
  • Which clauses are regulatory must-haves (e.g., security safeguards, incident cooperation, rights support) versus those that are commercial levers (e.g., liability caps, service credits).
  • How DPDPA-specific requirements interact with existing GDPR or sectoral addenda, and whether you can maintain a global template with India-specific riders instead of entirely separate contracts.[5]
  • Who internally signs off on risk trade-offs – for example, when accepting a lower audit right in exchange for stronger certifications and independent reports.

Implementation roadmap aligned to DPDP Rules 2025 timelines

The DPDP Rules 2025 envisage phased implementation and transition periods. Rather than aiming for a “big bang” compliance date, Indian organisations should treat DPDPA as a multi-year change programme, sequencing workstreams around data discovery, role classification, contract uplift, and control implementation.[3]
A practical, phased roadmap could look like this (to be tuned to your actual regulatory deadlines):
  1. Phase 1: Discovery and role mapping (first 3–6 months)
    Conduct enterprise-wide data mapping, focusing on customer, employee, and high-risk data. For each processing activity, classify whether your organisation is a fiduciary, processor, joint fiduciary, or sub-processor, and identify key vendors and group entities involved.
  2. Phase 2: Policy, notices, and governance uplift (parallel 3–9 months)
    Update privacy policies, consent flows, data principal rights procedures, and incident response plans to reflect your mapped fiduciary/processor roles. Establish or strengthen the privacy office, steering committee, and DPO or equivalent role where needed.[4]
  3. Phase 3: Contract remediation and vendor engagement (6–18 months)
    Prioritise high-risk and high-volume vendors for DPA updates, including cross-border data transfer provisions and processor obligations aligned with DPDPA. For sell-side contracts where you act as processor, prepare standard addenda and negotiation playbooks for enterprise customers.[2]
  4. Phase 4: Technical controls and automation (ongoing)
    Invest in security enhancements, consent and preference management, data discovery and classification tools, and workflows for rights requests and breach response. Automate where feasible to reduce manual overhead for processors and fiduciaries alike.
  5. Phase 5: Training, monitoring, and continuous improvement
    Roll out tailored training for leadership, product, engineering, operations, and vendor-management teams. Establish metrics and dashboards, perform periodic audits, and adjust your operating model in response to regulatory guidance and incidents.

Key takeaways

  • Use regulatory timelines as outer limits, not starting points; front-load discovery and role mapping.
  • Sequence vendor and contract work by risk and data criticality; not all processors need the same depth of review.
  • Treat technical and contractual workstreams as integrated; many DPA clauses are only meaningful if backed by real controls and data flows.

Common questions about fiduciary and processor responsibilities

FAQs

Yes. Many Indian organisations are fiduciaries for some activities (e.g., processing their own customers’ or employees’ data) and processors for others (e.g., providing IT, BPO, or SaaS services to enterprise clients). The classification is activity-specific, based on who determines the purpose and means of processing, not on your overall business label.

Conceptually, a DPDPA data fiduciary is broadly analogous to a GDPR controller: both decide the purposes and essential means of processing and carry primary accountability. However, the legal tests, terminology, and some obligations differ. Global organisations should avoid assuming that GDPR role assessments automatically apply in India and should validate roles and contracts against the DPDPA specifically.[5]

The DPDPA is structured so that regulators typically look first at the data fiduciary, because it is responsible for choosing and supervising processors and for ensuring appropriate safeguards. However, the commercial contract can allocate financial risk and indemnities back to the processor where its failures were a contributing cause, and processors may face exposure under other applicable laws and regulations.[1]

Group entities performing centralised IT, HR, or analytics functions often act as processors to operating companies, but may themselves be fiduciaries for activities where they set purposes or combine data sets for their own objectives. The safest approach is to analyse each intra-group arrangement on its facts, document whether the shared-service entity is a processor or a co-fiduciary, and put appropriate intra-group DPAs or data-sharing agreements in place.

Fiduciaries must maintain visibility and control across the outsourcing chain, including approval or notification rights for sub-processors and assurance that equivalent obligations flow down the chain. Processors in the middle of the chain need to manage their own vendors carefully, ensuring that their sub-processor contracts allow them to meet the promises they make upstream to fiduciary customers.[2]

Cross-border processing remains possible, but fiduciaries must pay attention to evolving rules and any notified restrictions under the DPDPA, as well as sector-specific guidance. At a minimum, contracts with global cloud and SaaS providers should clearly identify where data is stored and processed, how it is protected, and how data principal rights and breach notifications will be handled across jurisdictions.[3]

Frequent missteps when assigning fiduciary and processor roles

  • Assuming outsourcing shifts legal accountability: Treating processors as if they, not you, are responsible for notices, consent, rights, and regulatory engagement when you are the data fiduciary in law.
  • Using role labels loosely in contracts: Calling a vendor a “processor” while contract terms and factual control show it independently sets purposes, making it a co-fiduciary in substance.
  • Copy-pasting GDPR models without adaptation: Reusing EU-centric controller–processor assessments for India without testing them against DPDPA definitions, local business models, and data flows.[5]
  • Ignoring internal processors: Overlooking shared services, captive centres, or IT teams that process data for multiple group entities without clear intra-group DPAs and role clarity.
  • Over-classifying everyone as a fiduciary: Trying to avoid complexity by declaring all major vendors and group entities as fiduciaries, which dilutes accountability and complicates data principal journeys.
  • Leaving role decisions to late-stage contract negotiation: Waiting until procurement or legal is finalising a contract to debate roles, rather than deciding at product or project design time based on the actual data use.

Executive summary and next actions for leadership teams

Key takeaways

  • DPDPA makes the distinction between data fiduciary and processor central to how Indian organisations design governance, contracts, and technology choices.[1]
  • Most obligations and regulatory exposure stay with the fiduciary; processors are critical partners but do not replace fiduciary accountability.[6]
  • In practice, many organisations will occupy multiple roles across different products, geographies, and group entities – requiring nuanced, activity-level classification.
  • A structured operating model, with a clear RACI and standardised DPAs, is essential to turn legal text into day-to-day behaviour across teams and vendors.
As a board member or senior leader, you can use this short checklist to gauge readiness:
  • Have we mapped our major data processing activities and tagged each as fiduciary, processor, joint fiduciary, or sub-processor, with clear owning entities?
  • Do we have a single, approved view of DPDPA roles that aligns with (but does not blindly copy) our GDPR or other global frameworks?[5]
  • Are our DPAs and intra-group agreements updated to reflect these roles, including realistic security, rights-support, and breach-cooperation clauses?[2]
  • Is there a named executive owner and governance forum for fiduciary obligations, and a clear operating model for processor responsibilities in our delivery and operations teams?
  • Do our product, engineering, procurement, and vendor-management processes require role classification at design or onboarding time, not as an afterthought?
Share this guide with your privacy steering committee and use the outline and checklists to map fiduciary vs processor roles, update your data processing agreements, and define a DPDPA operating model for your organisation.

Sources

  1. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) - Ministry of Law and Justice, Government of India
  2. Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities - International Association of Privacy Professionals (IAPP)
  3. The Digital Personal Data Protection Act, 2023: Comprehensive Framework, Latest Developments, and Compliance Roadmap - The Legal 500 / Maheshwari & Co.
  4. 2025 Update : Deep Dive – Digital Personal Data Protection Act (DPDPA), 2023 - Spice Route Legal
  5. India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison - Latham & Watkins LLP
  6. Data Fiduciary and Data Processor Obligations Under DPDPA, 2023 - AMLEGALS

Related pages

Updated At Mar 18, 2026

Handling Legacy Data Collected Before DPDP

A business-style piece for decision-makers that explains handling legacy data collected before dpdp and …

 Updated At Mar 15, 2026

Purpose Limitation in Practice: How to Stop Teams from Reusing Data

A business-style piece for business buyers that explains purpose limitation in practice— how to stop tea…

 Updated At Mar 14, 2026

Significant Data Fiduciary (SDF) Status: Checklist for Fast-Growing Companies

A business-style piece for decision-makers that explains significant data fiduciary (sdf) status— checkl…

 Updated At Mar 18, 2026

How to Create a Privacy Steering Committee That Actually Works

A business-style piece for decision-makers that explains how to create a privacy steering committee that…

 Updated At Mar 18, 2026

Reference Architecture: From Consent Banner to Consent Ledger

A business-style technical guide for technical evaluators that covers reference architecture— from conse…

 Updated At Mar 18, 2026

Building a Consent-Aware API

A business-style technical guide for technical evaluators that covers building a consent-aware api, impl…

 Updated At Mar 18, 2026

What Evidence Do You Need to Defend Consent before the DPB?

A business-style piece for decision-makers that explains what evidence do you need to defend consent bef…

 Updated At Mar 16, 2026

Log Retention, Deletion, and Audit Trails: Building an Evidence Program

A business-style piece for technical evaluators that explains log retention, deletion, and audit trails—…

 Updated At Mar 18, 2026

The Business Case for Consent Management: ROI, Risk, and Conversion

A business-style piece for decision-makers that explains the business case for consent management— roi, …

 Updated At Mar 18, 2026

How to Run a DPDP Readiness Assessment in 30 Days

A business-style piece for business buyers that explains how to run a dpdp readiness assessment in 30 da…