Data Processors… Be Enlightened, Empowered and Emancipated.

After the notification of the DPDPA rules on November 13, 2025, there is a new awareness flowing through the industry on the need to be compliant with DPDPA 2023. The potential fine of up to and beyond Rs 250 crores is motivating companies to recognize the financial risks and take steps to mitigate them.

One school of thought is that penalties under DPDPA 2023 apply only to “Data Fiduciaries” and not “Data Processors”. Hence those who classify themselves as “Data Processors” think that they need not be compliant with DPDPA 2023.

This is however a huge fallacy.

One reason to call this a fallacy is that every organization which is not a single man organization and has “Employees” is a Data Fiduciary to the extent of processing the “Employee Information”. Employment also includes “Recruitment”, where personal data of non-employees is processed and sub-contractors are hired for background verification. There is also disclosure of employee information to statutory authorities on a legitimate use basis, as well as handling of personal information of ex-employees after their termination and information about the families of employees for various welfare measures including insurance.

As a result of this requirement, there is no organization (other than single man entities) which escapes the need to comply with DPDPA 2023 or face the penalty risks. The Indian DPB may not be as irrational as the GDPR authorities, who impose fines even on individuals who process personal data for their personal safety (refer to the Tesla car owner case here). However, it is a fact that every entity with employees is exposed to the DPDPA Risk and has to take steps to document a Risk Assessment and a “Compliance by Design” program.

Some of the small entities which come under the category of SMEs may handle sensitive assignments such as servicing a defence establishment or establishments of national importance and the information of their employees can even be considered as “Sensitive” to a certain extent.

In view of this, FDPPI belongs to the school of thought that every organization in India which is processing data in some form or the other is potentially a data fiduciary and needs to be compliant with DPDPA 2023.

FDPPI has already introduced frameworks such as “FDPPI-Lite”, “FDPPI-Full” and “FDPPI-AI” to address the requirements of data fiduciaries.

There is, however, one class of manufacturers for the B2B market who deal with employee data and business contact data only. There is also one class of organizations which provide sub-contracting services for HR functions (e.g. background verification, or the conduct of pre-recruitment medical examinations and pre-recruitment aptitude tests) and who often manage “platforms” that are licensed for operation to the recruiter and remain in the background. Most of them consider themselves to be “Data Processors” today.

Further, every organization has different processes associated with personal data, in which some divisions of a data fiduciary directly handle data processing contracts for third party data fiduciaries as if they are different companies. In such cases “Governance of Risk” suggests that division-wise (process-wise) risks may be different, and strategies to segregate them as “Data Processors” instead of “Data Fiduciaries” or “Joint Data Fiduciaries” need to be explored. Similarly, in the case of platform service providers and SaaS providers, there may be some contracts in which an entity could be only a data processor and some in which they are joint data fiduciaries.

Additionally, there are entities who process Indian data along with data from the EU, and they need to be compliant with DPDPA 2023 as an organization while also being GDPR compliant as a Data Processor, a Data Controller or a joint Data Controller. In case they have signed a standard contract clauses agreement, they would have taken on voluntary responsibilities to be liable under GDPR.

Considering these different types of organizations that are in the market, FDPPI has tried to customize its DGPSI Framework for bringing more focus in compliance as well as simplifying it to some extent based on the activity of the entity.

Accordingly, the DGPSI framework has now become a “Family of Frameworks” with multiple frameworks for multiple types of organizations.

For example, DGPSI Full with DGPSI-AI would be the core framework for data fiduciaries who use AI and need to cover compliance with related laws such as ITA 2000, while DGPSI-Lite would be a simplified, DPDPA 2023-only compliance framework.

DGPSI-GDPR is a framework which addresses the requirements of a GDPR processing division where the organization in India processes EU data as a Controller or Joint Controller.

Additionally, DGPSI-HR tries to focus on organizations that do not handle B2C business and whose data principals are the employees only.

Further, DGPSI-Data Processor is a framework meant primarily for Data Processors who service Data Fiduciaries in India that need to be compliant with DPDPA 2023, and who want to present themselves as organizations that are aware of their responsibilities, empathize with the data fiduciary, are empowered, and consider themselves as voluntarily undertaking a responsibility as if they were “Deemed Data Fiduciaries”.

Entities who comply with this framework voluntarily are in a way “Enlightened”, “Empowered” and “Emancipated”. They possess a strategic competitive edge over other processors who may be competing for business with the Data Fiduciary.

If the Data Fiduciary factors in the DPDPA Risk as part of the business risk, he would prefer to work with such enlightened, empowered and emancipated data processors and would even be willing to pay a premium for their services.

FDPPI therefore recommends every organization in India, big or small, whether they consider themselves today as Data Fiduciaries or Data Processors, to explore being compliant with DPDPA under a relevant DGPSI Framework.

By understanding the needs of different entities and introducing appropriate frameworks of compliance under the DGPSI umbrella, FDPPI is proving that DGPSI is a framework which can be called the “Vishwa Guru” of compliance frameworks. When the members of FDPPI expand DGPSI-GDPR to other jurisdictions and develop DGPSI-Singapore, DGPSI-California etc., the DGPSI family will be engulfing the global Data Protection Compliance regime.

This may take a decade but is definitely the vision of DGPSI.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.