A practical, non-alarmist look at your obligations as a Data Fiduciary under India’s data-protection law.
India’s Digital Personal Data Protection framework makes most startups a “Data Fiduciary” — the entity that decides how personal data is processed. Here is a practical starting checklist.
Start with consent and notice
Tell users what you collect and why, in clear language, and capture consent you can demonstrate. Build a simple record of processing activities.
Position it as a compliance practice
Treat DPDP as an ongoing compliance practice — data mapping, retention limits, and a breach-response plan — rather than a one-off checkbox.