DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

General awareness

Who is actually a Data Fiduciary?

One of the first questions businesses ask is: "We are a small company. Surely we are not a Data Fiduciary?"

In many cases, that is the wrong question.

The DPDP Act 2023 does not ask "How big is your company?" It asks a different question:

Who decided why this personal data is being processed, and how it will be processed?

That is the test. It is functional, and it has nothing to do with size.

A Data Fiduciary is the person who, alone or together with others, determines the purpose and means of processing personal data. If you decide why and how customer or employee data is processed, you are acting as a Data Fiduciary. A two-person startup and a listed company can both fall into the same category.

A Data Processor processes personal data on behalf of a Data Fiduciary under its instructions. A payroll service provider or a cloud hosting provider often falls into this role.

The two roles are not mutually exclusive. A company may be a Data Fiduciary for its own customer data while simultaneously acting as a Data Processor when processing personal data on behalf of a client. The role attaches to the specific processing activity, not to the organisation as a whole.

Why does this matter?

Most of the obligations under the DPDP Act are imposed on the Data Fiduciary. Where processing is carried out through a Data Processor, the Data Fiduciary remains responsible for complying with the Act, while the relationship between the parties is governed by their contractual arrangements.

Simply labelling yourself as "just a processor" or "too small to be covered" does not change your legal role or your obligations.

The DPDP Rules 2025 provide much of the operational detail for implementing the obligations created by the Act.

So before drafting a single privacy policy or compliance document, classify every processing activity. Ask the same question each time:

Am I deciding the purpose and means of processing, or am I acting only on someone else's instructions?

The answer determines which role you are performing and which obligations are likely to apply.

Where do you think organisations most often get this classification wrong? Is it because they focus on who stores the data rather than who determines the purpose and means of processing, or have you seen other recurring patterns?
