1.0 Introduction: Understanding Your Role as a Data Fiduciary
The Digital Personal Data Protection (DPDP) Rules, 2025, represent a critical regulatory framework for all organizations processing personal data within India. This brief is designed to provide legal and IT professionals with a clear, actionable guide to the core obligations imposed on them as ‘Data Fiduciaries’. A Data Fiduciary is the entity that, alone or in conjunction with others, determines the purpose and means of processing personal data. As such, the Data Fiduciary is the primary party responsible for ensuring compliance with these rules. This document will deconstruct your key responsibilities, starting with the foundational element of compliance: the requirement for clear notice and informed consent.
2.0 The Foundation of Trust: Notice and Consent Requirements
The notice provided to individuals (Data Principals) is more than a legal formality; under Rule 3, it is the primary mechanism for establishing transparency and building trust. A compliant notice ensures that consent is both specific and informed, forming the bedrock of lawful data processing.
The DPDP Rules mandate several specific components for a compliant notice. For compliance teams, this means a thorough review and potential redrafting of all public-facing privacy policies and consent requests. The key requirements are:
- Independence and Clarity: The notice must be presented and be understandable independently of any other information an organization provides. It cannot be buried within lengthy terms of service or other documents.
- Clear and Plain Language: The notice must provide a fair account of your data processing activities in a way that is easy for the Data Principal to understand. This includes, at a minimum, an itemized description of the personal data you collect and a specific description of the purpose for which it is being processed.
- Actionable Links and Information: The notice must provide direct communication links (such as for your website or app) and a description of the means by which a Data Principal can withdraw consent, exercise their legal rights, and file a complaint with the Data Protection Board. Crucially, Rule 3(c)(i) mandates symmetrical consent/withdrawal mechanisms, stating that the ease of withdrawing consent must be “comparable to that with which such consent was given.” This is a direct instruction for UI/UX and product teams to avoid “dark patterns” that make withdrawal difficult.
Once valid consent is obtained based on a compliant notice, the responsibility shifts to actively protecting the data, which introduces the topic of mandatory security safeguards.
3.0 Mandated Security: Implementing Reasonable Safeguards
A Data Fiduciary has a non-negotiable duty to protect all personal data in its possession or under its control. Rule 6 of the DPDP Rules outlines the minimum technical and organizational measures required to prevent a personal data breach. This obligation extends to any processing undertaken on your behalf by a Data Processor. For IT and security teams, these rules provide a clear checklist for auditing and implementing security controls.
The “reasonable security safeguards” specified under Rule 6(1) include:
1. Data Security Measures: Organizations must implement appropriate measures to secure personal data, such as encryption, obfuscation, masking, or the use of virtual tokens.
2. Access Control: Measures must be in place to control access to the computer resources used for processing personal data.
3. Visibility and Monitoring: Organizations must maintain a complete audit trail of data access. This requires appropriate logs, monitoring, and review not just to enable the detection of unauthorized access, but also to facilitate its investigation and remediation. Logs must be detailed, tamper-evident, and readily analysable to be compliant.
4. Business Continuity: Organizations must have reasonable measures, such as data backups, to ensure the continued processing of data in the event its confidentiality, integrity, or availability is compromised.
5. Log and Data Retention: For investigation and remediation purposes, logs and personal data must be retained for a minimum period of one year, unless a longer period is required by another applicable law.
6. Data Processor Contracts: Any contract with a Data Processor must include appropriate provisions obligating them to also implement reasonable security safeguards.
7. Technical and Organisational Measures: Organizations must have overarching technical and organizational measures to ensure the effective implementation and observance of all security safeguards.
The effectiveness of these safeguards is critical, but when they fail, the rules mandate a clear and structured protocol for responding, which is detailed in the breach notification requirements.
4.0 Responding to Incidents: Personal Data Breach Notification Protocols
A swift and transparent response to a personal data breach is a cornerstone of the DPDP Rules. Rule 7 imposes a dual notification obligation on the Data Fiduciary: one notification must go to the affected Data Principals, and another must go to the regulatory Board.
4.1 Intimation to Affected Data Principals
Upon becoming aware of a personal data breach, the Data Fiduciary must inform each affected Data Principal “without delay.” This communication must be delivered in a concise, clear, and plain manner through their user account or another registered mode of communication. The intimation must include:
- A description of the breach, including its nature, extent, and the timing of its occurrence.
- The likely consequences of the breach for the Data Principal.
- Measures taken or being taken by the Fiduciary to mitigate the risk.
- Safety measures the Data Principal can take to protect their interests.
- The business contact information of a person who can respond to the Data Principal’s queries on behalf of the Fiduciary.
4.2 Intimation to the Board
The reporting process to the Board is a two-stage procedure designed to provide both immediate and detailed information about the incident.
First, the Data Fiduciary must notify the Board without delay, providing a description of the breach that includes its nature, extent, timing, location, and likely impact.
Second, within 72 hours of becoming aware of the breach, the Fiduciary must provide the Board with the following detailed information:
1. Updated and more detailed information regarding the breach description.
2. The broad facts related to the events, circumstances, and reasons that led to the breach.
3. The mitigation measures that have been implemented or are proposed.
4. Any findings regarding the person who caused the breach.
5. Remedial measures taken to prevent a recurrence of such a breach.
6. A report confirming that intimations have been given to the affected Data Principals.
Beyond managing data breaches, Fiduciaries must also manage the entire data lifecycle, from collection to its eventual, mandated erasure.
5.0 The Data Lifecycle: Retention and Erasure Policies
Data Fiduciaries cannot retain personal data indefinitely. Rule 8 establishes a framework for determining when personal data must be erased because its specified purpose is no longer served. The core principle is that a Data Fiduciary must erase personal data when the Data Principal has not interacted with them for a specified period, unless retention is required by another law.
For certain classes of large-scale Data Fiduciaries, the Third Schedule provides specific retention periods:
- E-commerce entity (≥ 2 crore registered users in India): 3 years from the last user interaction or the commencement of these Rules, whichever is later.
- Online gaming intermediary (≥ 50 lakh registered users in India): 3 years from the last user interaction or the commencement of these Rules, whichever is later.
- Social media intermediary (≥ 2 crore registered users in India): 3 years from the last user interaction or the commencement of these Rules, whichever is later.
Under Rule 8(2), the Data Fiduciary must inform the Data Principal at least 48 hours before this period ends that their personal data will be erased unless the Data Principal logs into their user account, initiates contact for the performance of the specified purpose, or exercises their rights in relation to the data.
Crucially, Rule 8(3) establishes a universal minimum retention period. Regardless of other erasure timelines, a Data Fiduciary must retain all personal data and associated logs for a minimum of one year from the date of processing. This is a baseline requirement for every Data Fiduciary to enable investigation and remediation. While the Seventh Schedule lists purposes for which the Central Government may request information, the one-year retention obligation under Rule 8(3) is a universal mandate and is not limited to those government purposes.
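The interaction between the Third Schedule clock, the Rule 8(2) 48-hour intimation and the Rule 8(3) one-year floor is easiest to see as a retention job. The following is an added example written for this brief, not code from any regulator or project; the commencement date, the record fields and the category names are assumptions, while the thresholds and periods are the ones stated above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed retention clock for Rule 8 and the Third Schedule as this brief describes them.
RULES_COMMENCEMENT = datetime(2025, 1, 1)  # PLACEHOLDER: assumed commencement date of the Rules
CRORE, LAKH = 10_000_000, 100_000
THIRD_SCHEDULE_THRESHOLDS = {        # registered-user counts at which the 3-year clock applies
    "e-commerce": 2 * CRORE,
    "online-gaming": 50 * LAKH,
    "social-media": 2 * CRORE,
}
THREE_YEARS = timedelta(days=3 * 365)
ONE_YEAR = timedelta(days=365)       # Rule 8(3) universal minimum for data and logs
NOTICE_LEAD = timedelta(hours=48)    # Rule 8(2) advance intimation before erasure

@dataclass
class UserRecord:                     # assumed shape of one Data Principal's record
    first_processed: datetime         # date processing of this data began
    last_interaction: datetime        # last login, contact for the purpose, or rights exercise
    purpose_end: Optional[datetime] = None   # when the specified purpose lapses (non-Schedule entities)
    notice_sent_at: Optional[datetime] = None  # reset to None whenever the Principal interacts again
    legal_hold: bool = False          # another law requires retention

def is_third_schedule_entity(category: str, registered_users: int) -> bool:
    threshold = THIRD_SCHEDULE_THRESHOLDS.get(category)
    return threshold is not None and registered_users >= threshold

def erasure_deadline(rec: UserRecord, category: str, registered_users: int) -> datetime:
    """Earliest lawful erasure time after the Third Schedule clock and the one-year floor."""
    if is_third_schedule_entity(category, registered_users):
        # 3 years from the last interaction OR commencement, whichever is later
        deadline = max(rec.last_interaction, RULES_COMMENCEMENT) + THREE_YEARS
    else:
        deadline = rec.purpose_end or rec.last_interaction  # purpose-based erasure
    # Rule 8(3): never erase data or logs before one year from the date of processing
    return max(deadline, rec.first_processed + ONE_YEAR)

def retention_action(rec: UserRecord, category: str, registered_users: int, now: datetime) -> str:
    """Return 'retain', 'notify' (48-hour warning due) or 'erase' for one record at `now`."""
    if rec.legal_hold:
        return "retain"
    deadline = erasure_deadline(rec, category, registered_users)
    if rec.notice_sent_at is None:
        return "notify" if now >= deadline - NOTICE_LEAD else "retain"
    # erase only once both the deadline and 48 hours after the notice have passed
    return "erase" if now >= max(deadline, rec.notice_sent_at + NOTICE_LEAD) else "retain"
```

A late notice pushes erasure out rather than being skipped, which is the failure mode a scheduled job most often gets wrong.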
While these rules apply generally, specific and heightened diligence is required when processing data from vulnerable populations like children and persons with disabilities.
6.0 Processing Data of Children and Persons with Disabilities
The DPDP Rules impose a heightened duty of care when processing the personal data of children and persons with disabilities. Rules 10 and 11 mandate a “verifiable consent” standard, requiring Data Fiduciaries to take additional steps to ensure consent is lawfully obtained from a parent or legal guardian.
6.1 Verifiable Consent for a Child’s Data
Before processing any personal data of a child—defined as an individual who has not completed the age of eighteen years—a Data Fiduciary must obtain verifiable consent from a parent. According to Rule 10, this involves exercising due diligence to check that the person giving consent is an identifiable adult. This verification can be done by referencing either:
- Reliable identity and age details of the individual already held by the Fiduciary.
- Identity and age details voluntarily provided by the individual, including through an authorized entity or a virtual token from a Digital Locker Service Provider.
6.2 Verifiable Consent for a Person with a Disability
Similarly, when obtaining consent from the lawful guardian of a person with a disability, a Data Fiduciary must observe due diligence. Rule 11 requires the Fiduciary to verify that the guardian has been formally appointed by a court of law, a designated authority, or a local level committee under the applicable guardianship law.
Beyond these specific consent rules for vulnerable groups, Fiduciaries also have broad obligations to empower all users to exercise their data rights.
7.0 Facilitating Data Principal Rights
A core tenet of the DPDP Rules is empowering individuals to have control over their personal data. Rule 14 places specific obligations on Data Fiduciaries to create clear and accessible mechanisms for Data Principals to exercise their rights. To comply, a Data Fiduciary must take the following actions:
- Publish Access Mechanisms: Prominently publish on your website and/or app the means by which a Data Principal can make a request to exercise their rights under the Act.
- Establish Grievance Redressal: Implement and publish the details of a grievance redressal system. You must respond to grievances within a reasonable period not to exceed ninety days.
- Publish Contact Information: As per Rule 9, you must prominently publish on your website or app the business contact information of your Data Protection Officer (if applicable) or another designated person who can answer questions from Data Principals about the processing of their personal data.
While all Data Fiduciaries must adhere to these rules, a special category known as Significant Data Fiduciaries faces even stricter obligations.
8.0 Enhanced Obligations for Significant Data Fiduciaries (SDFs)
The rules identify a class of ‘Significant Data Fiduciaries’ who, due to the volume and sensitivity of their data processing activities, are subject to a higher degree of regulatory scrutiny and additional compliance burdens under Rule 13. Organizations that qualify as SDFs must implement the following additional measures:
1. Periodic Assessments: Undertake a comprehensive Data Protection Impact Assessment (DPIA) and an audit once every twelve months.
2. Board Reporting: Furnish a report to the Board containing the significant observations from the DPIA and audit.
3. Algorithmic Due Diligence: Observe due diligence to verify that technical measures, including any algorithmic software used, are not likely to pose a risk to the rights of Data Principals.
4. Data Transfer Restrictions: Adhere to any restrictions specified by the Central Government on the transfer of certain personal data outside the territory of India.
9.0 Conclusion: A Checklist for Compliance
Compliance with the DPDP Rules, 2025, requires a proactive and comprehensive approach. The key pillars of this new framework are transparent notice and consent, robust security safeguards, diligent breach reporting, principled data retention, special care for vulnerable individuals, and the active facilitation of user rights. To begin your compliance journey, your legal and IT teams should prioritize the following actions:
- Review and Revise all privacy notices and consent-gathering mechanisms to align with the stringent clarity and content requirements of Rule 3, including the mandate for symmetrical withdrawal of consent.
- Audit and Implement the technical and organizational security safeguards mandated in Rule 6, including encryption, access controls, and a complete audit trail via logging.
- Develop and Document a formal incident response plan that is fully compliant with the dual notification requirements for both Data Principals and the Board under Rule 7.
- Establish and Enforce clear data retention and erasure schedules based on the timelines in Rule 8 and the Third Schedule, ensuring adherence to the universal one-year minimum retention period for all data and logs.
- Implement Verifiable Consent mechanisms for processing the data of children and persons with disabilities, as required by Rules 10 and 11.
- Create Accessible Channels on the website and app for Data Principals to exercise their rights, file grievances, and contact a designated data protection representative.
- Assess if you qualify as a Significant Data Fiduciary and, if so, prepare to meet the additional obligations for periodic assessments, audits, and reporting mandated by Rule 13.