Data Fiduciary: Definition and Responsibilities

More articles

CA Mayur Joshi
CA Mayur Joshi
CA Mayur Joshi is a Forensic Accounting evangelist in India. He is the co-founder of Indiaforensic and is author of 7 books on forensic accounting, fraud investigations and money laundering.

The world today is driven by data. Every time you shop online, use a social media app, or even order groceries, your data is collected and processed by various entities. But who’s responsible for protecting this data, and what happens if it’s misused? That’s where the concept of a “data fiduciary” comes into play. In this article, we’ll break down what a data fiduciary is, explore the difference between a data fiduciary and a significant data fiduciary, and look at the impact of India’s Digital Personal Data Protection Act on various entities, especially tech companies and startups.

What is a Data Fiduciary?

Simply put, a data fiduciary is an entity or organization that handles your personal data. Think of them as custodians of your information, responsible for collecting, storing, processing, or sharing it. This data can include your name, address, phone number, and much more. Data fiduciaries play a vital role in ensuring your data is protected and used responsibly.

The Difference Between Data Fiduciary and Significant Data Fiduciary

Now, let’s distinguish between a data fiduciary and a significant data fiduciary. A data fiduciary is any entity that determines how your data is used. They decide the purpose and method of data processing. However, not all data fiduciaries are created equal. Some are deemed “significant” by the government based on several factors, including:

  1. Volume and Sensitivity: If an entity deals with a large amount of highly sensitive personal data, it’s more likely to be labeled as a significant data fiduciary.
  2. Risks to Data Principal: The potential harm or risks to individuals whose data is being handled can influence this classification.
  3. Security and Sovereignty: Matters related to national security and sovereignty are also considered when designating significant data fiduciaries.

For example, financial services providers may fall into this category, but it’s unclear whether e-commerce apps will receive the same designation.

Impact on Tech Companies and Startups

The Data Protection Bill in India has far-reaching implications, especially for tech companies and startups. Here are some key points to consider:

1. Compliance Burden

Startups operating in regulated sectors like fintech and crypto may face additional compliance burdens. They might need to appoint a data protection officer and an independent data auditor to ensure compliance with the law.

“Data fiduciaries can use the third party service providers for data processing but the responsibility of compliance lies with the fiduciaries.”

2. Customer Empowerment

One of the most significant aspects of the Act is that it empowers customers. If a data breach affects you, the responsible entity must inform you. This is a crucial step towards transparency and ensuring that individuals are aware of potential data breaches.

3. Hefty Penalties

Non-compliance with the law can result in substantial fines. Any breach could lead to a fine of up to Rs 250 crore. Failure to inform customers about a data breach can attract a penalty of up to Rs 200 crore. These penalties could be particularly challenging for early-stage startups.

4. Cross-Border Data Flow

The Act simplifies cross-border data flow, benefiting startups with borderless operations, such as crypto companies and fintechs engaged in cross-border trade. This change fosters a balance between data localization and the free flow of data.


In conclusion, data fiduciaries are guardians of your personal information, responsible for its protection and lawful use. The distinction between data fiduciaries and significant data fiduciaries helps the government identify entities dealing with sensitive data. India’s Data Protection Bill is poised to impact tech companies and startups significantly, with potential compliance burdens and hefty penalties. However, it also brings more power to customers by ensuring they are informed about data breaches. Moreover, the simplified cross-border data flow provisions could benefit startups seeking to expand globally.

As India navigates the digital age, the role of data fiduciaries and the protection of personal data remain at the forefront, shaping the future of data privacy and security in the country.

- Featured Certification-spot_img