+44 (0) 121 582 0192 [email protected]


In the digital age, where data breaches are as common as they are damaging, the enactment of India’s Digital Personal Data Protection Act (DPDPA) in 2023 marks a significant step forward in protecting personal information. This legislation introduces a comprehensive framework for data privacy, outlining the roles and responsibilities of three key actors in the data ecosystem: Data Fiduciaries, Data Processors, and Data Principals. Understanding these roles and the importance of implementing a robust data principle rights process.


Data Fiduciaries and Processors: The Custodians of Data

At the heart of the DPDPA 2023 are the concepts of Data Fiduciaries and Data Processors. Data Fiduciaries are entities that determine the purpose and means of processing personal data. They hold a position of trust, ensuring that data is processed transparently, lawfully, and only for the purposes for which it was collected. Data Processors, on the other hand, are entities that process data on behalf of Data Fiduciaries. Though they do not make decisions about data processing practices, their role in handling personal information securely and according to the Data Fiduciaries’ instructions is vital.

Both Data Fiduciaries and Data Processors are tasked with upholding the principles of data protection as outlined by the DPDPA. This includes ensuring data accuracy, limiting data collection to what is necessary, and protecting data against unauthorised access. The law mandates these entities to implement measures that safeguard the privacy of the individual’s data they handle, underlining the significance of compliance and accountability in the digital ecosystem.


Data Principals: The Rights Holders

Data Principals are the individuals whose personal data is being processed. The DPDPA 2023 empowers these individuals with several rights, reflecting a global shift towards giving people more control over their personal information. These rights include the ability to access, correct, update, and erase their data. Additionally, Data Principals have the right to be informed about the sharing of their data with other entities and to seek redressal for grievances related to data processing.


Implementing a Data Subject Rights Process

For Data Fiduciaries and Data Processors, establishing a process to handle requests from Data Principals is not just about legal compliance; it’s about building trust and transparency with the individuals whose data they manage. This involves setting up an internal team dedicated to data privacy, capable of processing requests from data principals efficiently and within the prescribed timeframes.

Training is another critical component. Teams must be well-versed in the nuances of the DPDPA 2023, understanding not only the technical aspects of data processing but also the Legal implications of the rights granted to data principals. This knowledge is essential for handling requests accurately and in a manner that complies with the law.

Regular reviews of the data subject rights process are necessary to ensure that it remains effective and compliant with evolving legal standards and technological advancements. These reviews can identify potential areas for improvement, ensuring that the process remains robust against the backdrop of a rapidly changing digital landscape.


The introduction of the DPDPA 2023 in India represents a landmark development in the protection of personal data. By defining the roles of Data Fiduciaries, Data Processors, and Data Principals, the law provides a clear framework for the ethical processing of personal information. For organisations, the implementation of a dedicated process to manage the rights of Data Principals is not just a legal requirement but a cornerstone of ethical business practices. It underscores their commitment to protecting individual privacy and fosters a culture of trust and accountability in the digital age.

Are you looking for asdvisory on how to prepare and implement a compliant DPDPA framework?  Look no further than Formiti DPDPA Service a guaranteed fixed price service priced according to your company size and perocessing complexity