The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a paradigm shift
in India’s data protection landscape, introducing clear roles for “Data Fiduciaries”
(controllers) and “Data Processors” (service providers handling data on a fiduciary’s
behalf).
Unlike regulations such as the EU GDPR, which specifically addresses the
processor under Article 28, the DPDP Act places most legal obligations and liabilities
directly on Data Fiduciaries. It imposes no stand-alone duties on processors except
the obligation to obey the fiduciary’s documented instructions; any deviation triggers
fiduciary-level liability. Data Processors have no direct statutory duties under the
Act. This has significant implications for how businesses structure contracts and
manage risk.
Data Processors, though not directly regulated by the Data Protection Board of India,
operate under “quasi-regulation,” bound by rigorous Data Processing Agreements
(DPAs) rather than statute. Fiduciaries must contractually enforce security controls,
breach-response timelines, data-retention schedules, and support for data-subject
rights, mirroring global standards and laws such as GDPR, ISO 27001, SOC 2, and NIST.