India’s DPDP Act, 2023: How Data Principals and Data Fiduciaries Are Redefining Data Protection, Digital Trust, and Leadership in India’s Digital Economy
In Succession, power rarely sits where the titles suggest it does. The real tension of the show isn’t who is CEO—but who is answerable when things go wrong. Every decision carries weight. Every misstep has consequences. And trust, once broken, is almost impossible to recover.
India’s Digital Personal Data Protection Act, 2023 (DPDP Act), creates a similar reckoning in the digital world. Quietly, and without spectacle, it redraws the lines of power between individuals and organisations. Not through technology. Not through innovation. But through accountability.
Because when individuals become Data Principals, and organisations become Data Fiduciaries, the balance of power changes—almost overnight.
The Shift Most Organisations Missed
For years, the digital economy ran on an unspoken assumption:
- Organisations collected data.
- Organisations decided how to use it.
- Individuals accepted the terms—often without real choice.
The DPDP Act disrupts that model. The shift is simple, but profound:
Data is no longer something organisations merely collect.
It is something organisations are legally accountable for—to someone.
And in India’s legal framework, that “someone” now has a clear identity.
The Data Principal—the individual who holds enforceable rights over their personal data.
Once that power is established, the other role becomes inevitable.
Every organisation that determines how and why this data is processed becomes a Data Fiduciary—answerable for every decision made in relation to it.
Together, they redefine the centre of gravity of India’s digital economy.
How Data Principals Shift Power in India’s Digital Economy
Rights Under Sections 11–14 of the DPDP Act
Under Sections 11 to 14 of the DPDP Act, Data Principals are no longer passive users. They are rights-holders. They have:
- The right to know how and why their data is processed (Section 11)
- The right to correction and erasure when data is inaccurate or no longer needed (Section 12)
- The right to grievance redressal (Section 13)
- The right to nominate someone to exercise these rights if they are unable to do so (Section 14)
This is not a user who clicks “Accept All” and disappears. This is a stakeholder who can question, withdraw, escalate, and demand accountability.
The Data Fiduciary
Core Duties Under Section 8
If Data Principals hold power, Data Fiduciaries carry responsibility. Section 8 of the DPDP Act makes this unambiguous. A Data Fiduciary must:
- Ensure accuracy of personal data
- Implement reasonable security safeguards
- Delete data once the purpose is fulfilled
- Notify authorities and affected individuals in case of a breach
- Maintain an effective grievance redressal mechanism
- Publish a clear point of contact for Data Principals
- Remain fully responsible for processors, even when processing is outsourced
Accountability cannot be delegated away.
When You Become a Significant Data Fiduciary
When an organisation is designated as a Significant Data Fiduciary (SDF) under Section 10, the expectations escalate sharply:
- Mandatory Data Protection Impact Assessments (DPIAs)
- Independent data audits
- Appointment of an India-based Data Protection Officer
- Enhanced risk controls and governance measures
This is fiduciary responsibility in its truest sense—not symbolic, but operational.
The DPDP Rules, 2025: Where Intent Meets Execution
If the DPDP Act defines responsibility, the DPDP Rules, 2025 define discipline. They don’t rewrite the law. They sharpen it.
- Rule 3 mandates that privacy notices be clear, standalone, and written in plain language—no buried disclosures, no legal fog.
- Rules 10 and 11 set strict standards for how consent is obtained, verified, and managed. Consent must be free, specific, informed, unconditional, and unambiguous, demonstrated through clear affirmative action.
- Rule 14 requires Data Fiduciaries to publish a transparent process for rights requests and grievance handling, including identifiers and timelines.
- Section 9 read with Rule 12 makes it clear that children’s data is protected by default—not by exception.
These rules are not suggestions. They are operating instructions.
The Law Isn’t About Data. It’s About Trust.
Ask any CEO what makes an organisation endure:
- Customers return because they trust.
- Employees stay because they trust.
- Partners commit because they trust.
Technology doesn’t create that trust. Behaviour does. Read closely, and the DPDP Act reveals itself not as a technology law, but as a trust architecture. It demands that organisations stop assuming trust—and start earning it.
Under the DPDP Act:
- Data must be protected against leaks, misuse, and unauthorised access [Section 8(5)]
- Breaches must be disclosed promptly to both the regulator and affected individuals [Section 8(6)]
- Data retention must be purpose-specific and time-bound
- Consent and data retention cannot be treated as perpetual by default. If a service remains inactive and the original purpose is no longer being served, the Data Fiduciary must stop processing and erase such data [Section 8(7)].
The message is clear: trust is not perpetual. It must be continuously justified.
Key Takeaways
For CEOs, General Counsel, and CISOs, the DPDP Act clarifies what leadership now demands:
- Know your data. Organisations must have a precise, living view of what personal data they collect and where it resides.
- Purpose must be provable. Every data point should trace back to a lawful, specific, and documented purpose.
- Retention must be defensible. Data held “because we always have” is no longer acceptable.
- Erasure must be operational, not aspirational. Rights requests should trigger execution, not internal scrambling.
- Policy must guide behaviour. A clear, DPDP-aligned data protection and privacy policy should exist—not as a document on paper, but as an operating standard teams understand and follow.
- Training is non-negotiable. Every employee who touches personal data must know what is allowed, what is risky, and what to do when something goes wrong.
- Processor risk remains your risk. Third-party due diligence, contracting, and ongoing oversight must match the standards the organisation itself is held to.
- Breach response must move at incident speed. Detection, escalation, and notification should work in hours, not days.
- Transparency is non-negotiable. Leaders must be ready to explain decisions clearly to a Data Principal.
- Significant Data Fiduciaries face a higher bar. Governance, systems, and controls must withstand sustained scrutiny.
Avoiding these realities does not reduce risk. It compounds it.
Wrapping Up
The real risk is not penalties, audits, or regulatory orders. It is the slow erosion of trust. Because the moment a Data Principal feels unseen, unheard, or unprotected, the loss is not just data—it is belief. And belief, once lost, is rarely recoverable.
At its core, the DPDP Act reduces to a simple equation:
- Data Principals hold rights.
- Data Fiduciaries hold responsibility.
The space between the two is where trust either flourishes—or fractures. Organisations that embrace this shift build:
- Systems that respect individuals
- Processes that withstand scrutiny
- Cultures that value transparency
- Teams that understand accountability
In a world where every organisation is becoming a data organisation, trust is the real competitive advantage. The DPDP Act—with all its sections, rules, and obligations—is not a burden. It is an instruction manual for earning that advantage.