Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries

This article is part of a series that explores components of the DPDPA.

With the operationalization of India's Digital Personal Data Protection Act, 2023 and the phased implementation of the Digital Personal Data Protection Rules, 2025, the concept of consent managers, data fiduciaries and significant data fiduciaries have been introduced among other roles.

Section 2(i) of the DPDPA defines a data fiduciary as any individual who, independently or in collaboration with others, determines the purpose and means of processing personal data. In essence, a data fiduciary is responsible for determining how personal data is collected, stored and processed.

Further, Section 2(z) defines a significant data fiduciary as a data fiduciary, or a class of data fiduciaries, that may be designated by the central government based on an assessment of certain factors, including the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of the country, the risk to electoral democracy, security of the state, and public order.

Section 2(g) defines a consent manager as an entity registered with the Data Protection Board of India that serves as a single point of contact for data principals. This allows them to conveniently give, manage, review and withdraw their consent through an accessible and interoperable platform.