The clearest, easiest explainer you will read.
When it comes to DPDP, most of the confusion doesn’t start with the rules – it starts with the words. Ask 5 HR professionals what a Data Fiduciary means and you’ll get 5 different answers.
HR teams, founders and even compliance officers often get stuck at basic terms like “Data Fiduciary”, “Data Principal” or “Purpose Limitation”.
If the definitions are misunderstood, the entire law gets misapplied.
So this article breaks down every key DPDP definition in the simplest possible language, with examples from hiring, HR, onboarding and background verification (BGV).
1. Data Principal
Who is this?
The individual whose personal data is being collected or processed.
In HR context: Candidate, employee, intern, ex-employee.
Example:
Shreya is applying for a job → She is the Data Principal.
Why it matters:
Everything in DPDP revolves around protecting this person.
2. Data Fiduciary
Who is this?
The company/organisation that decides why and how personal data will be used.
Example:
Your company decides: “We will collect PAN card for background verification.” → Your company is the Data Fiduciary.
Tip:
This entity carries the primary compliance obligations under DPDP, including for the processors it engages.
3. Data Processor
Who is this?
A vendor who processes data on behalf of the Data Fiduciary.
Example:
Any BGV Company processing employee documents or a payroll company processing salaries
→ These are Data Processors.
Important:
The fiduciary remains responsible for compliance regardless of any contract with the processor, so a processor’s mistake is treated as the fiduciary’s failure.
4. Consent
Meaning:
Clear, specific permission given by the person whose data you are collecting.
Under DPDP, consent must be:
✔ free and specific
✔ informed (preceded by a notice stating what data is collected and for what purpose)
✔ unbundled (not made a condition for something unrelated)
✔ revocable (withdrawing consent must be as easy as giving it)
✔ in clear, simple language
✔ given by a clear affirmative action, not a pre-ticked box
Example:
“By uploading your documents, you agree that they will be used only for background verification for the ‘Data Analyst’ role.”
(Valid consent)
“Upload your documents to continue with hiring. Your data may be used for hiring purposes or other activities.”
(Not valid — vague + bundled)
5. Purpose Limitation
What it means:
Use data only for the purpose for which you collected it.
Example:
Collected Aadhaar for background verification → You cannot use it later for KYC, identity cards or anything else without fresh consent for that new purpose.
Most common violation:
“Since we have the data, let’s use it for…” → ❌ Illegal.
6. Data Minimisation
Meaning:
Collect only what is required, nothing extra.
This is where most HR teams fail. Old forms collect unnecessary information such as:
- Father’s name
- Full address
- Multiple IDs
- Physical signatures
- Blood group
DPDP limits collection to the personal data that is necessary for the specified purpose → Cut the clutter.
Example:
For education verification, asking for Aadhaar or a passport is NOT justified.
A degree certificate is enough.
Simple rule:
If you can show the field is necessary for the stated purpose → collect it.
If not → don’t.
7. Data Retention
Meaning:
Only keep data for as long as it is needed – then delete it.
DPDP requires clear:
✔ retention timelines
✔ deletion policies
✔ auto-deletion workflows
Example:
Candidate documents collected during hiring cannot be stored forever. Once the hiring decision is made and the documents are no longer needed for that purpose, they must be erased unless a law requires you to keep them; many organisations set an internal window of 30-90 days for candidates who were not hired.
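Purpose limitation (section 5 above) and retention reduce to two mechanical checks once each stored document carries the purpose it was consented for: refuse any use that names a different purpose or follows a withdrawal, and erase records whose purpose has been served and whose window has run out. The following is an added example written for this article, not code from the original page or from any DPDP tooling; the field names, the purpose labels and the 90-day and 30-day windows are assumptions chosen for the demo.

```python
"""Purpose-bound access check and retention sweep for candidate documents.

Added example, not code from the original article. Field names, purpose
labels and the retention windows below are assumptions chosen for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: how long a document may be kept once the purpose it
# was collected for has been served. These are not figures from the Act.
RETENTION_AFTER_PURPOSE = {
    "background_verification": timedelta(days=90),
    "recruitment": timedelta(days=30),
}


@dataclass
class ConsentRecord:
    """One personal-data item, tied to the single purpose it was collected for."""
    record_id: str
    principal: str                            # the Data Principal (candidate/employee)
    purpose: str                              # purpose named in the consent notice
    collected_on: date
    purpose_served_on: Optional[date] = None  # e.g. BGV report delivered, offer declined
    consent_withdrawn: bool = False


def erasure_due(record: ConsentRecord, today: date) -> bool:
    """True when the record must be erased.

    Withdrawal of consent triggers erasure immediately. Otherwise the clock
    starts when the purpose has been served and runs for that purpose's window;
    a purpose with no configured window is erased as soon as it is served
    (fail closed rather than keep data indefinitely).
    """
    if record.consent_withdrawn:
        return True
    if record.purpose_served_on is None:
        return False                          # still needed for the stated purpose
    window = RETENTION_AFTER_PURPOSE.get(record.purpose, timedelta(0))
    return today > record.purpose_served_on + window


def may_process(record: ConsentRecord, requested_purpose: str, today: date) -> tuple[bool, str]:
    """Gate every use of a record on consent, purpose and retention state."""
    if record.consent_withdrawn:
        return False, "consent withdrawn"
    if requested_purpose != record.purpose:
        return False, (f"purpose mismatch: consented for {record.purpose!r}, "
                       f"requested {requested_purpose!r}; obtain fresh consent")
    if erasure_due(record, today):
        return False, "retention window expired; record is due for erasure"
    return True, "ok"


def retention_sweep(records: list[ConsentRecord], today: date) -> list[str]:
    """IDs of records the deletion job should erase today."""
    return [r.record_id for r in records if erasure_due(r, today)]


# Constructed sample data for the demo.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    ConsentRecord("r1", "shreya", "background_verification", date(2025, 1, 10),
                  purpose_served_on=date(2025, 2, 1)),      # BGV closed 120 days ago
    ConsentRecord("r2", "arjun", "background_verification", date(2025, 4, 15),
                  purpose_served_on=date(2025, 5, 20)),     # BGV closed 12 days ago
    ConsentRecord("r3", "meera", "recruitment", date(2025, 5, 1),
                  consent_withdrawn=True),                  # withdrew before a decision
    ConsentRecord("r4", "dev", "recruitment", date(2025, 5, 10),
                  purpose_served_on=date(2025, 5, 15)),     # not hired 17 days ago
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ok, why = may_process(rec, "kyc", TODAY)
        print(rec.record_id, "reuse for KYC ->", ok, why)
    print("erase today:", retention_sweep(SAMPLE_RECORDS, TODAY))
```

Run as a script it shows every KYC reuse attempt being refused (the consent named background verification or recruitment, not KYC) and the sweep picking out r1 (window expired) and r3 (consent withdrawn) while leaving r2 and r4 in place. The design point is that the purpose label travels with the record, so the gate and the deletion job read the same field and cannot drift apart.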
8. Data Breach
Meaning:
Any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access that compromises its confidentiality, integrity or availability. A stolen, unencrypted HR laptop is a breach even if nobody ever reads the files.
In HR, breaches commonly happen when:
- Documents are shared on WhatsApp
- Resumes are forwarded externally
- Spreadsheets with personal data are left open
- Email IDs leak during mass communication
Examples of Data Breach:
– Employee documents leaked via email
– Spreadsheet shared publicly
– HR laptop stolen
– Vendor portal hacked
Under DPDP:
You must notify the Data Protection Board of India and each affected Data Principal, in the form and within the timelines the Rules prescribe (the 2025 Rules require intimation without delay and a detailed report to the Board within 72 hours).
9. Significant Data Fiduciary (SDF)
Meaning:
A Data Fiduciary (or class of fiduciaries) that the Central Government notifies as "significant" because of the scale or sensitivity of the data it handles, and that therefore carries additional obligations.
The criteria include the volume and sensitivity of the data, the risk to the rights of Data Principals and the potential impact on the State and public order; the status is assigned by government notification, not self-assessed.
Many HR teams don’t realise that the classification depends on the data, not just on headcount, so an organisation processing large numbers of candidates should not assume it is out of scope.
If notified as an SDF → more rules:
✔ Appoint a Data Protection Officer based in India
✔ Appoint an independent data auditor
✔ Periodic Data Protection Impact Assessments
✔ Periodic audit (annual under the 2025 Rules)
✔ Any other measures the government prescribes
10. Third-Party/Vendor
Meaning:
Any third party or vendor that processes personal data for you is a Data Processor, and you may engage it only under a valid contract that binds it to process within your instructions.
This includes:
- BGV agencies
- Recruitment tools
- ATS
- HRMS
- Payroll services
- Cloud storage systems
DPDP requires:
✔ DPDP-compliant contract
✔ Auditability
✔ Breach reporting
✔ Clear purpose
✔ Processing boundaries
Most ignored part of DPDP:
Vendor non-compliance = Your company’s penalty.
Summary Table
| Term | Meaning | HR Example |
|---|---|---|
| Data Principal | Person whose data is collected | Candidate/Employee |
| Data Fiduciary | Company deciding usage | Employer |
| Data Processor | Vendor processing data | BGV vendor |
| Consent | Clear permission | Authorization form |
| Purpose Limitation | Use only for stated purpose | Verify ID only |
| Data Minimisation | Collect minimum | No unnecessary data |
| Retention | Delete after purpose | Delete docs post-BGV |
| Breach | Any leak/misuse | Email leak |
| SDF | High-risk entity | Large enterprises |
| Vendors | Third-party handlers | HRMS / payroll |
Why These Definitions Matter
Because most DPDP mistakes happen when people misinterpret:
- who is responsible
- which data is allowed
- how long data can be kept
- what counts as consent
- what vendors must follow
The purpose of DPDP is simple:
✔ Keep only the data you truly need.
✔ Use it only for the purpose you stated.
✔ Tell people exactly how you’ll use it.
✔ Delete it responsibly.