The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a new compliance framework for Indian businesses handling personal data. At the center of this framework is the concept of a \u201cdata fiduciary.\u201d<\/p>\n\n\n\n
For fintechs, NBFCs, and digital platforms, this is critical. These businesses regularly collect and process customer data during KYC<\/a>, onboarding, and service delivery. Therefore, understanding what it means to be a data fiduciary is no longer optional\u2014it is essential.<\/p>\n\n\n\n This guide explains:<\/p>\n\n\n\n Under the DPDP Act, a data fiduciary is any entity that determines:<\/p>\n\n\n\n In simple terms, if your company controls the purpose and means of data processing, it is a data fiduciary.<\/p>\n\n\n\n For most fintechs, this is straightforward. For example, collecting Aadhaar<\/a>, PAN, bank statements, or selfies for KYC clearly places the company in the role of a data fiduciary. Similarly, using this data for identity verification or credit assessment<\/a> reinforces this classification.<\/p>\n\n\n\n First, personal data must be processed only for a lawful purpose.<\/p>\n\n\n\n For fintechs, the common lawful bases include:<\/p>\n\n\n\n As a result, every data activity must clearly link to a valid legal basis.<\/p>\n\n\n\n When relying on consent, it must meet strict conditions. Consent must be:<\/p>\n\n\n\n In addition, consent notices must<\/a> use simple language. Users should clearly understand what they are agreeing to.<\/p>\n\n\n\n Personal data must only be used for the purpose it was collected for.<\/p>\n\n\n\n For example:<\/p>\n\n\n\n Therefore, any secondary use requires fresh and explicit consent.<\/p>\n\n\n\n Fintechs should only collect data that is necessary.<\/p>\n\n\n\n Collecting extra data \u201cjust in case\u201d violates the Act. Instead, companies should map:<\/p>\n\n\n\n This ensures compliance and reduces risk.<\/p>\n\n\n\n Data fiduciaries must protect personal data from:<\/p>\n\n\n\n Although the Act does not define exact standards, expectations are high for fintechs. This is because they handle sensitive financial and biometric data.<\/p>\n\n\n\n The DPDP Act gives users several rights. These include:<\/p>\n\n\n\n Therefore, fintechs must build systems to handle these requests efficiently.<\/p>\n\n\n\n Data cannot be stored forever.<\/p>\n\n\n\n It must be deleted once it is no longer needed. However, there is an important exception. Legal requirements\u2014such as PMLA\u2014may require data retention for a fixed period.<\/p>\n\n\n\n For example, KYC and transaction data must be retained for five years under PMLA.<\/p>\n\n\n\n The Act introduces a special category called Significant Data Fiduciary <\/a>(SDF).<\/strong><\/p>\n\n\n\n This applies to companies that:<\/p>\n\n\n\n\n
\n\n\n\nWhat Is a Data Fiduciary Under the DPDP Act?<\/h2>\n\n\n\n
\n
\n\n\n\nKey Obligations of Data Fiduciaries<\/h2>\n\n\n\n
Lawful Basis for Processing<\/h3>\n\n\n\n
\n
\n\n\n\nConsent Requirements<\/h2>\n\n\n\n
\n
\n\n\n\nPurpose Limitation<\/h2>\n\n\n\n
\n
\n\n\n\nData Minimisation<\/h2>\n\n\n\n
\n
\n\n\n\nSecurity Measures<\/h2>\n\n\n\n
\n
\n\n\n\nData Principal Rights<\/h2>\n\n\n\n
\n
\n\n\n\nData Retention Limits<\/h2>\n\n\n\n
\n\n\n\nSignificant Data Fiduciary (SDF)<\/h2>\n\n\n\n