Data Fiduciary Obligations Under DPDPA

The Data Fiduciary bears primary responsibility for lawful, fair, and transparent processing. This encompasses consent management, security safeguards, breach notification, record-keeping, and vendor oversight. This article provides a comprehensive examination of fiduciary obligations and compliance pathways.

Section 2(i) defines Data Fiduciary as any person determining purpose and means of processing. This includes corporations, partnerships, government bodies, and individuals. Joint controllers determining purposes together bear joint fiduciary obligations. The determination test focuses on decision-making authority over why and how data is processed.

Processing requires either consent under Section 6 or legitimate uses under Section 7. Legitimate uses include employment relationships, emergencies threatening life, and government subsidies. The fiduciary must document the lawful basis for each processing activity and maintain records demonstrating compliance.

Section 8(4) mandates reasonable security safeguards protecting data against unauthorised access, use, or disclosure. Safeguards must be proportionate to sensitivity and volume of data processed. Technical measures include encryption, access controls, and monitoring. Organisational measures include policies, training, and incident response procedures.

Section 8(2) requires contractual engagement with Data Processors containing prescribed safeguards. The fiduciary remains accountable for processor actions. Contracts must specify: processing scope, security measures, sub-processor restrictions, audit rights, breach notification obligations, and data return or destruction upon termination.