Every organization that has employees is a Data Fiduciary

Posted on December 16, 2025 by Vijayashankar Na

As we look at the Data industry, there are organizations which clearly identify themselves as collectors and  processors of personal data for different purposes. They all will be Data Fiduciaries and some of them would be Significant Data Fiduciaries.

There will be another category of organizations  mostly in the SME sector who want  to be only “Data Processors” and would operate only under the instructions of a data fiduciary and want to be outside the burden of DPDPA Compliance.

However, if these organizations are having employees, then they automatically become Data Fiduciaries in respect of Employees’ data which may also include the data of past employees, rejected applicants, applicants in the process of being  onboarded as well as terminated or retired employees, who are non-employees as of date. Whether processing of their  personal data may be considered as “Legitimate Use” is debatable.

While FDPPI wants to apply DGPSI-Data Processor as a framework for evaluating the compliance of DPDPA for assuring the Data Fiduciary, the data fiduciary may have to simultaneously be DDPDPA Compliant itself since it does have the Data Fiduciary status for the employees. For this purpose FDPPI wants to introduce a simplified DGPSI-Lite framework as DGPSI-HR.

Thus  the family of DGPSI now expands to following categories.

  1. DGPSI Full: 50 implementation specifications
  2. DGPSI Lite: 36 implementation specifications
  3. DGPSI AI : 9 implementation specifications for deployers and 13 implementation specifications for developers.
  4.  DGPSI-Data Processor: with 38 implementation specifications
  5.  DGPSI-HR: 31 implementation specifications
  6. DGPSI-GDPR: 50 implementation specifications.

Last three frameworks are now under development and  refinement.

A day may come when  DGPSI as a family may expand to different Jurisdictional laws. It will not grow to 30000 frameworks like ISO family but may grow to around 10-15 in due course.

FDPPI is likely to focus more on these standards and related certification systems in the coming years while a sister organization may take up some additional responsibilities.

Watch out  for the developments.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.