Data Fiduciary

The key difference lies in decision-making power. A Data Fiduciary (or Controller) determines the 'purpose and means' of processing—deciding why data is collected and how it is used. A Data Processor acts on behalf of the Fiduciary, processing data strictly according to the Fiduciary's instructions without owning the data or deciding its usage.

A Data Fiduciary is responsible for the entire lifecycle of data protection. Obligations typically include obtaining valid consent or establishing a lawful basis for processing, implementing technical and organizational security measures to prevent breaches, responding to data subject rights requests (like correction or deletion), and ensuring data accuracy and minimization.

Yes, an individual can be a Data Fiduciary if they determine the purposes and means of processing personal data for professional, commercial, or public activity. However, individuals processing personal data purely for personal or domestic purposes (like maintaining a personal address book) are usually exempt from these obligations.

Generally, yes. Under the DPDP framework, the Data Fiduciary remains primarily accountable for personal data even when processing is outsourced to a third-party Data Processor. In practice, this means the Fiduciary should perform due diligence before onboarding vendors, use contracts (such as data processing agreements) to require appropriate security safeguards and incident reporting, and continuously monitor the vendor's performance. While the Fiduciary may pursue contractual remedies (including indemnities) if a processor's failures cause harm, regulatory accountability typically still rests with the Fiduciary. Tools like WatchDog Security's Vendor Risk Management module can help centralize processor onboarding, store DPAs and security evidence, and track reassessment cadence over time.