What Is a Data Fiduciary Under India’s DPDP Act and What Are Your Obligations

The Law Has Changed. Has Your Platform?

India’s Digital Personal Data Protection Act, 2023 is no longer just a policy discussion. It is active law, and organizations handling personal data are being held to a new standard. At the center of this law sits one critical concept: the Data Fiduciary.

If your platform collects user data, processes consent, or manages digital identities, you are almost certainly a Data Fiduciary under the DPDP Act. That designation comes with specific, enforceable obligations. Many organizations have not yet fully assessed what this means for their operations, their web infrastructure, or their consent management practices.

This is not a peripheral compliance checkbox. It is a structural shift in how India governs digital data. Understanding your role as a Data Fiduciary and meeting your obligations under the Act requires both legal awareness and the right technical infrastructure. The DPDP consent management platform that compliant organizations in India are deploying today is no longer optional. It is foundational.

This guide breaks down everything decision-makers, compliance leads, and technical teams need to understand: what a Data Fiduciary is, what obligations come with the designation, what the Act demands around consent, and how purpose-built consent management systems provide the architecture to meet those demands at scale.

What the DPDP Act Actually Says

The Statute and Its Scope

The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023. It governs the processing of digital personal data of individuals within India, as well as processing outside India if it involves offering goods or services to Indian citizens.

The Act applies to any entity that collects, stores, processes, or uses personal data in digital form. It also covers data that was originally in non-digital form but was subsequently digitized. In short, if your organization touches personal data in any digital capacity, the Act applies.

The DPDP Act follows a principle-based approach. It does not prescribe every technical mechanism. Instead, it defines roles, establishes rights, mandates consent, and sets out consequences for non-compliance. The implementing rules and sector-specific guidelines are being issued progressively through delegated legislation.

The Core Framework

The Act introduces a layered structure. At the top is the Data Protection Board of India, which has the authority to adjudicate complaints, investigate breaches, and impose penalties. Below that, the framework establishes two primary roles: the Data Fiduciary and the Data Principal.

Understanding these roles precisely is essential before you can assess your obligations.

Defining the Data Fiduciary

Under Section 2(i) of the DPDP Act, a Data Fiduciary is defined as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”

The critical phrase here is “determines the purpose and means.” This is the legal test. If your organization decides why personal data is being collected and how it will be processed, you are a Data Fiduciary. It does not matter whether you collect the data directly from the user or receive it through a third party. What matters is whether you exercise control over the processing decisions.

This contrasts with a Data Processor, which processes data on behalf of a Data Fiduciary but does not independently determine the purpose or means of processing. A cloud hosting provider, for instance, would typically be a Data Processor. A SaaS company that decides what user data to collect and how to use it for personalization would be a Data Fiduciary.

Significant Data Fiduciaries

The Act introduces an additional category: Significant Data Fiduciaries. The Central Government holds the authority to designate certain Data Fiduciaries as Significant based on factors such as volume of personal data processed, sensitivity of data, risk to electoral democracy, national security, or the potential impact on public order.

Significant Data Fiduciaries face additional obligations, including the appointment of a Data Protection Officer based in India, an independent data audit, and the deployment of algorithmic transparency measures. The designation process and specific eligibility criteria are being notified progressively, but large digital platforms, financial services firms, and health sector entities should anticipate scrutiny.

Who Qualifies in Practice

The scope is broad. E-commerce platforms collecting user purchase behavior are Data Fiduciaries. Banks processing customer information for loan decisions are Data Fiduciaries. SaaS platforms processing employee data on behalf of their corporate clients may be Data Fiduciaries, Data Processors, or both, depending on the specific data flows and contractual arrangements. News websites using analytics tools and advertising cookies are Data Fiduciaries. Healthcare apps collecting diagnostic data are Data Fiduciaries.

If you are uncertain whether your organization qualifies, the answer is almost certainly yes, and a formal data mapping exercise will confirm it quickly.

Core Obligations of a Data Fiduciary

Obligation 1: Lawful Basis for Processing

The DPDP Act requires that personal data be processed only for lawful purposes. The primary lawful basis under the Act is consent. However, the Act also recognizes certain legitimate uses, including processing necessary for the performance of a function of the State, compliance with a judgment or order, response to a medical emergency, or for employment-related purposes.

For most commercial entities, consent remains the primary and most practically relevant lawful basis. This makes the consent infrastructure you deploy central to your compliance architecture.

Obligation 2: Notice to the Data Principal

Before collecting personal data, a Data Fiduciary must provide a clear and accessible notice to the Data Principal. This notice must include the personal data being collected, the purpose for which it will be processed, and information about the manner in which the Data Principal can exercise their rights.

The Act specifically requires that notices be presented in a manner that enables the Data Principal to give informed and specific consent. Generic, vague, or buried notices that fail to communicate clearly are non-compliant.

This is where many organizations currently fall short. Cookie banners that say “We use cookies to improve your experience” without specifics, privacy policies written in dense legal language that no ordinary user can navigate, and pre-ticked consent boxes all fail the DPDP standard.

Obligation 3: Valid Consent

Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous. The Act requires that consent be signified by a clear affirmative action. Silence, pre-checked boxes, inactivity, or bundled consent that makes access to a service conditional on consent to unrelated data processing all fail the legal standard.

Furthermore, consent must be purpose-specific. Consent for email communication cannot be reused for behavioral profiling. Each distinct processing purpose requires its own consent signal.

The Act also mandates that withdrawing consent must be as easy as giving it. This creates a direct technical requirement: your platform must have mechanisms that record consent, link consent to specific purposes, and allow revocation with the same ease as collection.

Obligation 4: Data Minimization

A Data Fiduciary is permitted to collect only the personal data necessary for the specified purpose. Collecting additional data “just in case” or for unspecified future uses is non-compliant. This principle of data minimization requires both a purposeful approach to data architecture and a consent management system that enforces purpose boundaries at the collection layer.

Obligation 5: Purpose Limitation

Personal data collected for one stated purpose cannot be processed for a different purpose without fresh consent. This has significant operational implications. If you collected email addresses for transactional notifications and later want to use them for a marketing campaign, you need a new and separate consent from the Data Principal.

Organizations that have historically maintained large unified databases of user information and applied them broadly across marketing, analytics, and product development will need to restructure their consent workflows to meet this requirement.

Obligation 6: Storage Limitation

The DPDP Act requires that personal data be retained only for as long as necessary to fulfill the purpose for which it was collected. Once the purpose is fulfilled and there is no other legal obligation to retain the data, it must be erased. This retention obligation flows directly into your consent records as well. If a user withdraws consent and there is no other lawful basis for retention, the data must be deleted.

Obligation 7: Accuracy

Data Fiduciaries are required to take reasonable steps to ensure that personal data is accurate, complete, and consistent. This obligation is reinforced by the Data Principal’s right to correction and erasure.

Obligation 8: Security Safeguards

The Act mandates that Data Fiduciaries implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. The specific standards will be elaborated in the implementing rules, but the obligation is clear: data security is not optional, and breaches carry direct liability.

Obligation 9: Grievance Redressal

Data Fiduciaries must establish a mechanism for Data Principals to register grievances. This mechanism must be accessible, functional, and capable of acknowledging and resolving complaints within a defined period.

Obligation 10: Breach Notification

In the event of a personal data breach, the Act requires notification to the Data Protection Board and to the affected Data Principals. The notification must be in the prescribed format and within the prescribed timeline. This creates an operational requirement for breach detection, documentation, and rapid communication workflows.

Rights of the Data Principal and Your Corresponding Obligations

The Right to Information

A Data Principal can request information about what personal data a Data Fiduciary holds about them. You must be able to respond accurately and completely. This requires that your data systems maintain a clear record of what data was collected, from whom, and for what purpose.

The Right to Correction and Erasure

Data Principals have the right to correct inaccurate data and to request erasure. Your systems must be capable of acting on these requests. If you use third-party processors, you are responsible for ensuring that the correction or erasure flows through to those processors as well.

The Right to Withdraw Consent

As noted above, withdrawal must be as easy as giving consent. Technically, this means your consent management platform must support revocation workflows, propagate withdrawal signals to all downstream systems, and maintain logs showing that the revocation was honored.

The Right to Nominate

Under the DPDP Act, a Data Principal can nominate another individual to exercise their rights on their behalf in the event of death or incapacity. This is a distinct provision in Indian privacy law and requires your consent and identity infrastructure to accommodate proxy rights in those circumstances.

The Right to Grievance Redressal

Beyond formal rights, Data Principals can file complaints with the Data Protection Board if they believe a Data Fiduciary has not honored their obligations. The Board can investigate, issue orders, and impose penalties.

Every obligation described above touches consent in some way. The notice obligation shapes how consent is sought. The purpose limitation obligation determines how many distinct consent signals you need. The withdrawal obligation creates a technical requirement for a revocable consent architecture. The audit obligation requires that consent records be maintained and retrievable.

Consent is not a one-time event. It is a living relationship between your organization and each Data Principal, governed by specific terms that can be modified, extended, or revoked at any time. Managing that relationship at scale, across multiple digital channels, product surfaces, and data processing systems, is not possible through manual processes or ad hoc implementations.

This is precisely why organizations are deploying purpose-built Consent Management Platforms for DPDP compliance. A sophisticated consent management system creates the infrastructure to collect, record, manage, and audit consent in a manner that is both user-facing and legally defensible.

The consent management platform that DPDP-ready organizations in India need must go well beyond traditional cookie banners. The requirements are substantially more demanding.

First, the platform must support granular consent management. Data Principals must be able to give or withhold consent on a purpose-by-purpose basis. A bundled “accept all” design that does not allow granular choice does not meet the DPDP standard.

Second, the platform must maintain consent evidence. Every consent event, including who gave consent, for what purpose, on what date, through what mechanism, and with what version of the privacy notice, must be logged. These consent logs serve as your legal record in the event of an investigation or dispute.

Third, the platform must support consent withdrawal with immediate downstream propagation. When a user withdraws consent, that signal must reach every system that is processing data on the basis of that consent. A centralized consent management platform creates a single source of truth that downstream systems query before processing data.

Fourth, the platform must support re-consent workflows. When the purposes for which data is processed change, or when the privacy notice is updated materially, the platform must be able to identify affected Data Principals and present fresh consent requests.

Fifth, the platform must provide an accessible consent dashboard that allows Data Principals to view and manage their consent preferences at any time. This directly fulfills the right to withdraw consent and the obligation to make withdrawal as easy as giving it.

Sixth, for organizations operating across multiple jurisdictions, a multi-jurisdiction consent management platform that can accommodate DPDP requirements alongside GDPR, CCPA, PDPA, and other regional frameworks creates the operational coherence that global organizations need.
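As an added example (not SecureCMS code and not part of the original page), the following JavaScript sketches the first four requirements above as a small purpose-level consent ledger: one grant per purpose, an append-only evidence log carrying principal, purpose, notice version, timestamp, channel and mechanism, withdrawal that is pushed to subscribed downstream systems with their acknowledgements logged, and detection of consents granted under an outdated notice version. The class, its field names, the `dp-1001` principal, the purpose names and the mailer subscriber are all constructed for illustration.

```javascript
// Added example, not SecureCMS code: a minimal purpose-level consent ledger showing the
// record shape and behaviours the text asks for. Class, field and sample names are
// constructed for illustration.

class ConsentLedger {
  constructor() {
    this.events = [];        // append-only evidence log: never edited, only appended to
    this.state = new Map();  // "principalId|purpose" -> latest grant/withdraw event
    this.subscribers = [];   // downstream systems told about withdrawals
  }

  static key(principalId, purpose) {
    return `${principalId}|${purpose}`;
  }

  // Register a downstream system: { name, onWithdraw(principalId, purpose) -> ack }.
  subscribe(system) {
    this.subscribers.push(system);
  }

  // One grant covers exactly one purpose; a bundled "accept all" must be recorded as
  // separate grants. A non-affirmative signal (pre-ticked box, silence) is rejected.
  grant({ principalId, purpose, noticeVersion, channel, mechanism, affirmative, at }) {
    if (affirmative !== true) {
      throw new Error("consent must be signified by a clear affirmative action");
    }
    return this.append({ type: "grant", principalId, purpose, noticeVersion, channel, mechanism, at });
  }

  // Withdrawal is recorded, then pushed to every subscriber; each acknowledgement is
  // itself logged so the record shows the withdrawal was honoured downstream.
  withdraw({ principalId, purpose, channel, at }) {
    const event = this.append({ type: "withdraw", principalId, purpose, channel, at });
    for (const system of this.subscribers) {
      const ack = system.onWithdraw(principalId, purpose);
      this.append({ type: "propagated", principalId, purpose, system: system.name, ack, at });
    }
    return event;
  }

  append(event) {
    const entry = { seq: this.events.length + 1, ...event };
    this.events.push(entry);
    if (entry.type === "grant" || entry.type === "withdraw") {
      this.state.set(ConsentLedger.key(entry.principalId, entry.purpose), entry);
    }
    return entry;
  }

  // The check a downstream system runs before processing: permitted only when the
  // latest event for this exact purpose is a grant. Consent for another purpose,
  // or no record at all, is not consent.
  isPermitted(principalId, purpose) {
    const latest = this.state.get(ConsentLedger.key(principalId, purpose));
    return latest !== undefined && latest.type === "grant";
  }

  // Purposes still granted under a notice version other than the current one;
  // these are the principals a re-consent workflow must reach.
  needsReconsent(principalId, currentNoticeVersion) {
    const stale = [];
    for (const e of this.state.values()) {
      if (e.principalId === principalId && e.type === "grant" && e.noticeVersion !== currentNoticeVersion) {
        stale.push(e.purpose);
      }
    }
    return stale.sort();
  }

  // Chronological evidence for one principal, as produced for an investigation.
  evidence(principalId) {
    return this.events.filter((e) => e.principalId === principalId);
  }
}

// Constructed walk-through: one principal, two purposes, one downstream mailer.
function demo() {
  const ledger = new ConsentLedger();
  const mailer = {
    name: "email-marketing",
    suppressed: [],
    onWithdraw(principalId, purpose) {
      this.suppressed.push(`${principalId}:${purpose}`);
      return "suppressed";
    },
  };
  ledger.subscribe(mailer);
  const base = { principalId: "dp-1001", noticeVersion: "v1", channel: "web", mechanism: "unchecked-checkbox", affirmative: true };
  ledger.grant({ ...base, purpose: "transactional_email", at: "2024-01-10T09:00:00Z" });
  ledger.grant({ ...base, purpose: "marketing_email", at: "2024-01-10T09:00:05Z" });
  ledger.withdraw({ principalId: "dp-1001", purpose: "marketing_email", channel: "dashboard", at: "2024-02-01T12:00:00Z" });
  return { ledger, mailer };
}
```

Two design choices carry the compliance weight here. `isPermitted` answers only for the exact purpose asked about, so a grant for transactional email never unlocks profiling. And the log is append-only, so a withdrawal is recorded alongside the grant it overrides instead of deleting it, which is the form of record an investigator or a disputing Data Principal will ask to see.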

What SecureCMS Delivers

SecureCMS is a secure consent management system designed to address the specific compliance, operational, and security requirements that the DPDP Act imposes on Data Fiduciaries. It is built as an enterprise consent management system with the depth and flexibility that organizations operating at scale need to meet their obligations.

The platform functions as a centralized consent management platform, creating a unified consent layer across your digital properties. Rather than managing consent signals through fragmented, channel-specific implementations, SecureCMS provides a unified consent management system that governs all data collection and processing activities through a single, auditable architecture.

SecureCMS implements a granular consent management platform model that maps consent to specific processing purposes. When a user interacts with your platform, SecureCMS presents purpose-specific consent requests aligned with the notice you are legally required to provide. Consent is collected at the purpose level, stored against the user’s identifier, and made available to downstream processing systems in real time.

This real-time consent orchestration platform capability ensures that your data processing systems never act on outdated or withdrawn consent. The platform maintains a live consent state that reflects every consent event, withdrawal, and update, and surfaces that state through an API-based consent management layer that integrates with your existing technology stack.

SecureCMS maintains comprehensive consent logs that record every consent event with full contextual detail. Each log entry captures the Data Principal’s identifier, the specific purpose consented to, the privacy notice version in effect at the time of consent, the timestamp, the channel through which consent was given, and the technical mechanism used.

These consent logs form the evidentiary record you need to demonstrate compliance with the DPDP Act. In the event of a Data Protection Board investigation or a Data Principal complaint, an audit-ready consent management platform like SecureCMS allows you to produce accurate, timestamped records of every consent interaction.

The consent evidence maintained by the platform is structured to satisfy both regulatory and legal evidentiary standards, giving your compliance and legal teams the documentation they need without manual effort.

SecureCMS provides a consent dashboard that Data Principals can access to view, modify, and withdraw their consent preferences at any time. The dashboard presents consent in clear, accessible language organized by purpose category, allowing users to make informed decisions about each type of data processing.

The dashboard is designed to fulfill the DPDP Act’s requirement that withdrawal be as easy as giving consent. A user who wants to withdraw consent for marketing communications can do so in the same number of steps that it took to give that consent. SecureCMS propagates withdrawal signals immediately to all connected systems, ensuring that processing ceases in accordance with the user’s instruction.

SecureCMS includes a consent policy management layer that tracks the versions of your privacy notice and consent policies. When a policy is updated, the platform identifies which Data Principals gave consent under the previous version and triggers re-consent workflows where the changes are material enough to require fresh consent under the DPDP Act.

This consent policy versioning capability ensures that your consent records always reflect the current state of your data processing activities and that your organization does not inadvertently rely on stale consent for new or changed processing purposes.

For organizations with web platforms, SecureCMS functions as a cookie consent platform that manages cookie-based consent in alignment with DPDP requirements. Cookie categories are mapped to processing purposes, and users can set their preferences at a granular level. The platform enforces those preferences at the technical layer, preventing non-essential scripts from firing until the corresponding consent is given.

As a cookie and preference consent management platform, SecureCMS handles the distinction between strictly necessary cookies, functional cookies, analytics cookies, and advertising cookies, ensuring that each category is gated behind appropriate consent signals.
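The following added JavaScript example (not SecureCMS code and not from the original page) shows what the technical-layer enforcement described above looks like in a browser: non-essential scripts are shipped as `type="text/plain"` so the browser parses but does not execute them, and only the categories the user has granted are activated. The category names, the script catalogue and the cookie names are assumptions made for the example.

```javascript
// Added example, not SecureCMS code: gating non-essential scripts behind purpose-level
// consent. Scripts ship in the page as <script type="text/plain" data-consent-category="...">,
// which the browser parses but never executes; the CMP activates only the categories the
// user has granted. The decision logic is kept pure so it can be checked without a browser.
// Category names, the script catalogue and cookie names are constructed for illustration.

const ALWAYS_ALLOWED = new Set(["strictly_necessary"]);

// Which of `scripts` ({ category, ... }) may run under `consent` ({ category: boolean }).
// Anything other than an explicit `true` is treated as no consent: silence, an absent
// entry or a loosely truthy value never unlocks a category.
function allowedScripts(scripts, consent) {
  return scripts.filter(
    (s) => ALWAYS_ALLOWED.has(s.category) || consent[s.category] === true
  );
}

// Activate consented scripts in `doc`. Returns the number activated. A fresh element is
// required: flipping `type` on a script the parser already skipped does not execute it.
function activateConsentedScripts(doc, consent) {
  const pending = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  ).map((el) => ({ el, category: el.getAttribute("data-consent-category") }));
  const toRun = allowedScripts(pending, consent);
  for (const { el, category } of toRun) {
    const live = doc.createElement("script");
    const src = el.getAttribute("src");
    if (src) {
      live.src = src;                    // external tag, e.g. an analytics loader
    } else {
      live.textContent = el.textContent; // inline snippet
    }
    live.setAttribute("data-consent-category", category);
    el.replaceWith(live);
  }
  return toRun.length;
}

// Cookie-expiry strings for a withdrawn category. A script that already ran cannot be
// "un-run", so withdrawal has to expire the category's cookies and stop further loads
// (in practice by reloading the page under the new consent state).
function expiryCookieStrings(cookieNames, domain) {
  return cookieNames.map(
    (name) => `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${domain}`
  );
}

// Expire every cookie mapped to the withdrawn category; returns how many were expired.
function handleWithdrawal(doc, category, cookieNamesByCategory, domain) {
  const names = cookieNamesByCategory[category] || [];
  for (const s of expiryCookieStrings(names, domain)) {
    doc.cookie = s; // each assignment expires one cookie
  }
  return names.length;
}

// Constructed catalogue: maps each script to the cookie category it belongs to.
const SCRIPT_CATALOGUE = [
  { id: "session", category: "strictly_necessary" },
  { id: "prefs", category: "functional" },
  { id: "analytics", category: "analytics" },
  { id: "ads", category: "advertising" },
];
```

In a page, `activateConsentedScripts(document, consentState)` would run once the stored consent state is known and again after the user changes preferences in the dashboard. `handleWithdrawal` covers the half that is easy to miss: withdrawing consent for a category that has already run means expiring its cookies and not loading it again, not merely hiding a banner.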

Developer-Friendly Integration

SecureCMS is built as a developer-friendly consent management platform with a comprehensive API-based consent management interface. Development teams can integrate SecureCMS into existing applications, CMS platforms, mobile applications, and backend systems without rebuilding consent workflows from scratch.

The embedded consent management platform model allows SecureCMS to operate as an invisible infrastructure layer within your existing product, presenting users with a seamless experience while managing the complexity of consent capture, storage, and propagation behind the scenes.

The API layer exposes consent states, records consent events, handles withdrawal signals, and delivers real-time query responses that allow any data processing system to check consent status before acting on user data.

Multi-Jurisdiction and Enterprise-Scale Capabilities

For organizations operating across India and other markets, SecureCMS functions as a multi-jurisdiction consent management platform that can accommodate the specific requirements of multiple data protection regimes simultaneously. Rules specific to DPDP, GDPR, CCPA, or other frameworks can be configured within the platform, ensuring that users in each jurisdiction receive the appropriate consent experience and that your organization’s obligations under each framework are met.

As an enterprise consent management system, SecureCMS is designed to handle the volume, complexity, and security requirements of large-scale digital operations. The platform supports complex consent workflows, multi-brand deployments, and high-volume data environments without compromising on accuracy or performance.

Common Compliance Gaps in Current Implementations

The Pre-Ticked Box Problem

Many organizations continue to use pre-ticked consent boxes that assume consent unless the user actively opts out. This approach was already questionable under previous privacy frameworks and is clearly non-compliant under the DPDP Act, which requires consent to be signified by a clear affirmative action. Deploying a DPDP consent platform that enforces affirmative consent mechanics is the correct technical response.

Bundling multiple processing purposes into a single consent request that must be accepted entirely as a condition of accessing a service fails the DPDP Act’s requirements on multiple fronts. Consent must be specific, and it must be free. A consent solution that disaggregates purposes and presents them individually addresses both requirements.

Organizations that collect consent but do not maintain structured, timestamped records of consent events are exposed. When a Data Principal disputes whether they gave consent, or when a regulator investigates, you need consent evidence that is accurate, complete, and immediately retrievable. A consent management platform that does not maintain these records cannot be characterized as compliant, regardless of how well-designed the user-facing consent experience may be.

Siloed Withdrawal Processing

In organizations where consent is managed through multiple systems, withdrawal signals often fail to propagate effectively. A user may withdraw consent through a preference center, but if that signal does not reach the email marketing system, the analytics platform, and the advertising stack, the organization continues to process data unlawfully. A centralized consent management platform eliminates this problem by creating a single authoritative consent state that all systems reference.

Organizations that update their privacy policies without assessing whether the changes require fresh consent from existing Data Principals are taking on material compliance risk. A consent management system that tracks policy versions and manages re-consent workflows addresses this gap systematically.

Practical Steps for Becoming DPDP Compliant

Step 1: Conduct a Data Mapping Exercise

Before you can assess compliance, you need a clear picture of what personal data you collect, from whom, for what purposes, and where it flows within and outside your organization. A data mapping exercise produces this inventory and forms the basis for your consent architecture.

Step 2: Audit Your Existing Consent Mechanisms

Evaluate your existing consent mechanisms against the DPDP Act’s requirements. Are your consent requests specific, informed, and purpose-linked? Do you maintain consent records? Can users withdraw consent easily? Do withdrawal signals propagate to all downstream systems? Identifying the gaps honestly is the necessary starting point.

Step 3: Revise Your Privacy Notice

Your privacy notice must clearly communicate the personal data being collected, the purpose for processing, the rights of the Data Principal, and the mechanism for exercising those rights. The notice must be accessible and understandable, not a document designed primarily for legal protection.

Step 4: Deploy a Consent Management Platform

A purpose-built DPDP Consent Management Platform like SecureCMS provides the technical foundation for meeting your consent-related obligations. Deploying the platform replaces ad hoc consent implementations with a structured, auditable, and scalable consent architecture that aligns with the Act’s requirements.

Step 5: Implement Grievance Redressal Mechanisms

Establish a formal grievance redressal process that Data Principals can access to raise concerns about your data handling. Document the process, ensure it is functional, and ensure that timelines for acknowledgment and resolution are met.

Step 6: Establish Breach Detection and Response Procedures

Implement the technical monitoring necessary to detect personal data breaches promptly and establish clear procedures for notifying the Data Protection Board and affected Data Principals within the required timeframe.

Step 7: Train Your Teams

Compliance with the DPDP Act is not solely a technical or legal function. It requires that your product teams, marketing teams, engineering teams, and customer service teams understand the organization’s obligations and how their work relates to those obligations. Regular training creates the organizational awareness that sustains compliance.

Penalties and the Cost of Non-Compliance

The DPDP Act provides the Data Protection Board with the authority to impose significant financial penalties for violations. The penalty structure is tiered based on the nature and severity of the breach.

Failure to implement reasonable security safeguards that results in a personal data breach can attract penalties of up to two hundred and fifty crore rupees. Failure to notify the Board of a breach can attract penalties of up to two hundred crore rupees. Violations of obligations related to children’s data can attract penalties of up to two hundred crore rupees. Other contraventions are subject to penalties of up to fifty crore rupees.

Beyond financial penalties, the reputational damage from a public determination of non-compliance by the Data Protection Board is a material business risk. India’s digital economy is large and competitive. User trust, once damaged, is difficult to rebuild.

The economics of compliance are straightforward: investing in the right consent infrastructure, including an intelligent consent management platform that automates compliance at scale, costs a fraction of the potential penalties and is incomparably less expensive than remediation after a breach or enforcement action.

Conclusion: Compliance Is a Platform Decision

The DPDP Act has introduced a genuine compliance obligation that reaches into the technical infrastructure of every organization that processes personal data in India. The role of the Data Fiduciary is not a theoretical classification. It comes with specific, enforceable duties around consent, notice, accuracy, security, and data principal rights.

Understanding these obligations is the first step. Meeting them requires more than policy documentation. It requires a technical infrastructure that can capture consent with precision, maintain it with accuracy, enforce purpose boundaries in real time, and produce audit-ready evidence when required.

The DPDP consent management platform that compliant organizations in India are investing in today is not an add-on. It is the foundation of a compliant data operation. SecureCMS provides that foundation with the depth, flexibility, and security that enterprise-scale data operations demand.

If your organization has not yet assessed its Data Fiduciary obligations under the DPDP Act, now is the time to start. The Act is in force. The penalties are real. And the organizations that invest in the right consent management infrastructure today will be the ones that build user trust, demonstrate regulatory readiness, and operate with confidence in India’s rapidly evolving data protection landscape.

Frequently Asked Questions

1. What is a Data Fiduciary under the DPDP Act?

A Data Fiduciary is any person or organization that determines the purpose and means of processing personal data. If your organization decides why and how personal data is collected and used, you are a Data Fiduciary with legally enforceable obligations under the Act.

2. What is the difference between a Data Fiduciary and a Data Processor?

A Data Processor processes personal data on behalf of a Data Fiduciary and does not independently determine the purpose or means of processing. The Data Fiduciary bears primary compliance responsibility, though the Fiduciary is responsible for ensuring that its Processors also meet the required standards.

3. What does valid consent look like under the DPDP Act?

Valid consent must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action. Pre-checked boxes, bundled consent, and opt-out mechanisms do not meet this standard.

4. How long must consent records be retained?

Consent records must be retained for as long as the personal data to which they relate is retained, and potentially longer depending on applicable limitation periods for legal claims or investigations. A consent management platform should maintain records with full audit detail indefinitely or for a configurable retention period.

5. What happens if a Data Principal withdraws consent?

Processing of data that was based solely on the withdrawn consent must cease. If there is no other lawful basis for retaining the data, it must be erased. Withdrawal must be as easy as giving consent, and the withdrawal signal must propagate to all systems that were processing data on the basis of that consent.
