Introduction
The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a new compliance framework for Indian businesses handling personal data. At the center of this framework is the concept of a “data fiduciary.”
For fintechs, NBFCs, and digital platforms, this is critical. These businesses regularly collect and process customer data during KYC, onboarding, and service delivery. Therefore, understanding what it means to be a data fiduciary is no longer optional—it is essential.
This guide explains:
- What a data fiduciary is under the DPDP Act
- Key obligations for financial services companies
- Practical steps fintechs can take to stay compliant
What Is a Data Fiduciary Under the DPDP Act?
Under the DPDP Act, a data fiduciary is any entity that determines:
- What personal data to collect
- Why the data is collected
- How the data is processed
In simple terms, if your company controls the purpose and means of data processing, it is a data fiduciary.
For most fintechs, this is straightforward. For example, collecting Aadhaar, PAN, bank statements, or selfies for KYC clearly places the company in the role of a data fiduciary. Similarly, using this data for identity verification or credit assessment reinforces this classification.
Key Obligations of Data Fiduciaries
Lawful Basis for Processing
First, personal data must be processed only for a lawful purpose.
For fintechs, the common lawful bases include:
- Explicit consent from the user
- Legitimate uses defined under the Act
- Processing necessary to fulfill a contract
As a result, every data activity must clearly link to a valid legal basis.
Consent Requirements
When relying on consent, it must meet strict conditions. Consent must be:
- Free and not forced
- Specific to a clear purpose
- Fully informed
- Unbundled from other terms
- Easily revocable
In addition, consent notices must use simple language. Users should clearly understand what they are agreeing to.
Purpose Limitation
Personal data must only be used for the purpose it was collected for.
For example:
- KYC data cannot be used for marketing
- Credit data cannot be shared with third parties without consent
Therefore, any secondary use requires fresh and explicit consent.
Data Minimisation
Fintechs should only collect data that is necessary.
Collecting extra data “just in case” violates the Act. Instead, companies should map:
- What data is collected
- Why it is needed
- Whether it is truly required
This ensures compliance and reduces risk.
Security Measures
Data fiduciaries must protect personal data from:
- Breaches
- Unauthorized access
- Loss or destruction
Although the Act does not define exact standards, expectations are high for fintechs. This is because they handle sensitive financial and biometric data.
Data Principal Rights
The DPDP Act gives users several rights. These include:
- Access to their data
- Correction of inaccurate data
- Erasure of data (subject to legal requirements)
- Nomination of a representative
Therefore, fintechs must build systems to handle these requests efficiently.
Data Retention Limits
Data cannot be stored forever.
It must be deleted once it is no longer needed. However, there is an important exception. Legal requirements—such as PMLA—may require data retention for a fixed period.
For example, KYC and transaction data must be retained for five years under PMLA.
Significant Data Fiduciary (SDF)
The Act introduces a special category called Significant Data Fiduciary (SDF).
This applies to companies that:
- Process large volumes of sensitive data
- Pose higher risks to users
Although final criteria are pending, fintechs handling large-scale KYC data may fall under this category.
SDFs must meet additional requirements, such as:
- Appointing a Data Protection Officer
- Conducting Data Protection Impact Assessments
Practical Compliance Steps for Fintechs
To comply with the DPDP Act, fintechs should take the following steps:
1. Data Mapping
Document all data flows, including collection, usage, storage, and sharing.
2. Consent Redesign
Replace bundled consent with clear, purpose-specific consent.
3. Privacy Notice Update
Ensure policies are simple, transparent, and easy to understand.
4. User Rights Management
Set up systems to handle access, correction, and deletion requests.
5. Vendor Compliance
Ensure third-party processors follow DPDP requirements.
6. Security Review
Evaluate and strengthen data protection measures.
Where BeFiSc Fits
BeFiSc’s verification APIs are designed with compliance in mind. They support:
- Purpose-limited data processing
- Minimal data retention
- Secure verification workflows
As a result, fintechs can use BeFiSc as a compliant data processor while maintaining their data fiduciary responsibilities.
Key Takeaways
- Fintechs that control data processing are data fiduciaries
- Consent must be clear, specific, and revocable
- Data must only be used for its intended purpose
- Only necessary data should be collected
- Regulatory laws like PMLA override general retention limits
Frequently Asked Questions
A data fiduciary decides how and why data is processed.
A data processor acts on behalf of the fiduciary and follows its instructions.
Penalties under the DPDP Act can be significant:
- Up to ₹250 crore for major data breaches
- Up to ₹50 crore for security failures
The Data Protection Board determines penalties based on severity and impact.
No, it does not.
PMLA requirements, such as five-year data retention, take precedence. These are considered lawful obligations under the DPDP Act.