What this topic covers
The DPDP Act 2023 defines three roles that almost every video conflates at least once. A Data Principal is the individual whose personal data is being processed — the user, customer or visitor. A Data Fiduciary is the entity that decides why and how the data is processed — the website owner, the SaaS company, the bank. A Data Processor is a vendor that processes data on behalf of the Data Fiduciary — the analytics provider, the payment gateway, the CRM.
A good explainer drives home the asymmetric responsibility: the Data Fiduciary is liable to the Data Principal and the Board, regardless of which Processor actually mishandled the data. That's why a written Data Processing Addendum (DPA) under Section 8(2) and Rule 6(f) matters so much — it's how the Fiduciary contractually pushes the obligations downstream while remaining accountable upstream.
Where this often goes wrong in practice: Indian SMBs treat their cloud, analytics and CRM vendors as 'just tools' rather than Data Processors with DPDP obligations. A clear video on this topic should leave the viewer able to draw their own data flow diagram and label every box correctly.
Points a complete video on this topic should cover
- Data Principal — the natural person whose data is being processed
- Data Fiduciary — the entity that determines purpose and means of processing
- Data Processor — a vendor processing on behalf of a Fiduciary under a contract
- Consent Manager — a separately registered entity managing consent across Fiduciaries
- Significant Data Fiduciary — designated by the Centre under Section 10 for extra duties
- Why the Fiduciary stays liable even when a Processor fails
- The role of a written DPA in pushing obligations down the chain
Relevant sections of the DPDP Act / Rules
- Section 2 (definitions)
- Section 8 (obligations)
- Section 10 (Significant Data Fiduciary, SDF)
- Rule 6 (processor DPAs)