The comprehensive set of legal duties imposed on every Data Fiduciary by DPDPA Sections 5 through 10.
Data Fiduciary obligations under DPDPA include: providing notice before collection (§5), obtaining valid consent with purpose specification (§6), processing only for stated purposes (§7), implementing security safeguards and breach notification (§8), special protections for children's data (§9), and additional obligations for Significant Data Fiduciaries including DPO appointment and DPIA (§10). These obligations apply regardless of the Fiduciary's size, revenue, or industry.
These obligations apply to every organisation collecting personal data in India — no small business exemption exists. Understanding the full scope of duties helps prioritise compliance investment and avoid the most heavily penalised violations.
A 5-person Chennai startup collecting customer data through its mobile app must: issue DPDPA-compliant notices in 22 languages, maintain consent records, implement security safeguards, report breaches within 72 hours, and respond to rights requests within 30 days — the same obligations as a Fortune 500 company.
There is no "startup exemption" or "small business threshold" in DPDPA. A 2-person company processing personal data has the same legal obligations as Reliance or TCS.