Layer 2 · Legal · GRC — classification
DPDP SDF vs Fiduciary vs Processor
Who is what under DPDP — definitions, obligations and BFSI examples for every role.
| Role | Definition | Key Obligations | BFSI Examples |
|---|---|---|---|
| Data Fiduciary | Entity that determines the purpose and means of processing personal data (§2(i)) — the DPDP equivalent of GDPR's 'controller' | All eight core obligations, including consent, notice, security safeguards, breach notification, data principal rights and a grievance officer | Banks, NBFCs, insurers, brokers, fintech apps |
| Significant Data Fiduciary (SDF) | Fiduciary designated by Central Government based on volume/sensitivity of data, risk to electoral democracy, security of state (§10) | Everything a fiduciary must do PLUS: appoint a Data Protection Officer (India-based, board reporting), independent data audits, periodic DPIA, algorithm audits | Likely: major banks, large insurers, payment giants, credit bureaus — await MeitY notification |
| Data Processor | Entity that processes personal data on behalf of a fiduciary under a valid contract (§2(k)) | Process only per fiduciary instructions; contract mandatory; fiduciary remains liable for processor's compliance | Cloud providers, KYC vendors, claim processors, analytics vendors |
| Consent Manager | Registered intermediary enabling Data Principals to give, manage, review and withdraw consents across fiduciaries (Rules 2025) | Registration with DPB (~Nov 2026); interoperable platform; fiduciary-blind consent records | Account-aggregator-style consent platforms for BFSI |
| Data Principal | The individual to whom the personal data relates; for children, includes parents/guardians | Duties: no impersonation, no false complaints, furnish authentic information (penalty up to ₹10,000) | Customers, employees, claimants, nominees |