Data Fiduciary
If your product uses AI to process customer data, you're a data fiduciary — here's what that means and what you must do
Key Takeaways
- 1A data fiduciary is any entity that determines the purpose and means of processing personal data — if you decide to use AI on customer data, that's you
- 2Data fiduciaries bear full responsibility for compliance, even when using third-party AI providers
- 3Key obligations: lawful purpose, consent, data minimization, storage limitation, accuracy, and accountability
- 4Significant Data Fiduciaries face additional requirements including audits, DPO appointment, and impact assessments
What Is a Data Fiduciary?
Under the DPDP Act 2023, a data fiduciary is any person or entity that alone or in conjunction with others determines the purpose and means of processing personal data. In plain terms: if you decide to use AI to process your customers' data, you are the data fiduciary.
This is a critical distinction because the data fiduciary bears primary responsibility for compliance. You cannot outsource this responsibility to your AI provider. If OpenAI or Anthropic processes your customers' Aadhaar numbers because you sent them in a prompt, you — not the AI provider — are liable under the DPDP Act.
Every SaaS company, startup, and enterprise using AI to process Indian personal data is a data fiduciary. The obligations apply regardless of company size, revenue, or where the company is incorporated.
Data Fiduciary vs. Data Processor
Understanding the distinction between fiduciary and processor is essential for AI compliance:
Data Fiduciary (You)
- Determines WHY data is processed (purpose)
- Determines HOW data is processed (means)
- Bears primary compliance responsibility
- Must obtain consent from data principals
- Must implement security safeguards
- Liable for penalties up to ₹250 crore
Data Processor (AI Provider)
- Processes data on behalf of the fiduciary
- Follows fiduciary's instructions
- Limited compliance obligations
- Does not obtain consent directly
- Must maintain confidentiality
- Contractual liability to fiduciary
Obligations for AI Companies
The DPDP Act imposes six core obligations on data fiduciaries. Each has direct implications for AI systems:
Significant Data Fiduciaries
The DPDP Act creates a special category — Significant Data Fiduciaries (SDFs) — for entities processing large volumes of personal data or sensitive data. SDFs face additional obligations:
Mandatory Data Protection Officer (DPO) appointment, periodic Data Protection Impact Assessments (DPIAs), independent compliance audits, and enhanced transparency requirements.
If your AI platform processes data for millions of Indian users, you may be designated as an SDF. The government will notify specific criteria, but high-volume AI platforms should prepare for SDF obligations proactively.
Practical Compliance Steps
Actionable steps for AI companies to meet data fiduciary obligations:
- ✗Map all data flows — document where personal data enters your AI pipeline and where it goes
- ✗Implement PII detection and masking at the gateway level before data reaches model providers
- ✗Update privacy notices to explicitly mention AI processing, model providers, and data handling
- ✗Implement purpose limitation — each AI feature should have a declared, specific purpose
- ✗Set up consent management that tracks AI-specific consent per user and per purpose
- ✗Establish data retention policies with automatic deletion when purpose is fulfilled
- ✗Deploy audit logging that creates tamper-evident compliance evidence
- ✗Create breach notification procedures with pre-drafted templates for 72-hour response
- ✗Document security safeguards for regulatory inspection
How CrewCheck Helps Data Fiduciaries
CrewCheck's governance platform addresses the data fiduciary's core challenge: proving that AI systems consistently protect personal data across all interactions.
The LLM gateway enforces data minimization automatically — PII is detected and masked before reaching any model provider. Audit trails provide the accountability evidence that regulators require. Policy packs enforce purpose limitation per AI agent.
For Significant Data Fiduciaries, CrewCheck provides exportable compliance reports, integration with DPO workflows, and evidence packages suitable for independent audits.
Frequently Asked Questions
Am I a data fiduciary if I use a third-party AI API?
Yes. If you decide to send customer data to an AI API for processing, you are the data fiduciary. The AI provider is a data processor acting on your instructions. You bear primary compliance responsibility.
What's the penalty for non-compliance?
Up to ₹250 crore per violation for failing to implement reasonable security safeguards. Additional penalties apply for consent violations, breach notification failures, and children's data violations.
Does this apply to startups and small companies?
Yes. The DPDP Act applies to all entities processing Indian personal data regardless of size. However, the government may exempt certain categories of startups from some obligations through future notifications.
Continue Reading
Deepen your understanding with related concepts
Related Actions
See Data Fiduciary in action
Try CrewCheck's live governance demo — paste any text containing Indian PII and watch real-time detection, masking, and audit logging. No sign-up required.