The Emergence of the “Super Data Fiduciary”: A DGPSI Governance Concept for Complex Enterprise Ecosystems under DPDPA

By Naavi

In February 2025, Naavi.org first discussed the concept of a “Super Data Fiduciary” in the context of the hospitality industry (for example, property-sharing arrangements). In February 2026, we also discussed the concept in the context of the education industry. In this article we take the example of the hospital industry and discuss how the concept applies there.

One of the notable strengths of the Digital Personal Data Protection Act, 2023 (DPDPA) is its principle-based drafting. Instead of prescribing rigid organizational structures, the Act defines broad responsibilities and leaves organizations the flexibility to implement governance mechanisms appropriate to their business models.

This flexibility is particularly valuable because the architecture of modern enterprises has evolved far beyond the traditional “one company–one business–one customer relationship” model.

Today, organizations increasingly operate as enterprise ecosystems. A single trusted brand may represent dozens—or even hundreds—of legally independent entities connected through ownership, management agreements, franchise arrangements, joint ventures, shared digital platforms, centralized AI systems, and common governance structures.

To the customer, the enterprise appears to be one organization. To the Companies Act, it is many. This divergence creates one of the most significant governance challenges in implementing DPDPA.

The Data Governance and Protection Standard of India (DGPSI) addresses this challenge by introducing a governance concept known as the Super Data Fiduciary.

It is important to clarify at the outset that the Super Data Fiduciary is not a new statutory category created by DPDPA. Nor should it be confused with the Significant Data Fiduciary (SDF) notified by the Central Government under Section 10 of the Act.

Rather, it is a governance designation created within the DGPSI family of sector-specific compliance frameworks to establish enterprise-level accountability wherever multiple autonomous Data Fiduciaries operate under a common identity.

The Classical DPDPA Model

DPDPA recognizes two principal operational actors:

    • Data Fiduciary
    • Data Processor

A Data Fiduciary determines the purpose and means of processing personal data. A Data Processor processes personal data on behalf of a Data Fiduciary.

This model functions effectively where a single legal entity independently manages its processing activities. However, contemporary business organizations rarely fit this model. The digital economy increasingly consists of networks of legally distinct entities that collectively deliver a seamless customer experience.

The legal model remains fragmented. The customer experience is unified.

Trust is Reposed in the Brand, Not the Corporate Structure

Consider a nationally recognized healthcare brand such as Apollo Hospitals.

Apollo serves as an excellent illustration—not because it is unique, but because it reflects a governance model that is becoming common across industries.

Today, the Apollo ecosystem includes entities operating under a variety of legal arrangements:

    • wholly owned hospitals,
    • managed hospitals,
    • joint venture hospitals,
    • franchise hospitals,
    • diagnostic centres,
    • pharmacies,
    • home healthcare services,
    • telemedicine platforms,
    • centralized appointment systems,
    • digital health applications.

Many of these may be separate legal entities.

Yet no patient walks into a hospital asking,

“Which incorporated company owns this facility?”

The patient simply says,

“I am going to Apollo.”

The trust relationship exists with the brand. The privacy expectation also exists with the brand. The Data Principal neither knows nor reasonably expects to know the legal complexity behind the enterprise.

The Governance Challenge

Consider a common situation.

A patient undergoes treatment at one Apollo hospital. Several months later, the patient visits another Apollo hospital in a different city. The doctor accesses earlier medical records.

From the patient’s perspective, this continuity of care is expected. However, several governance questions immediately arise.

    • Which hospital is the Data Fiduciary?
    • Which entity obtained the original consent?
    • Which entity authorized inter-hospital data sharing?
    • Who must respond to a request for correction?
    • Who determines retention periods?
    • Who becomes accountable if data is disclosed improperly?

The answers are no longer confined to one organization.

Distributed Processing Means Distributed Responsibility

Modern healthcare is supported by interconnected digital infrastructure.

    • Appointments may be booked centrally.
    • Electronic Medical Records may be maintained on enterprise cloud platforms.
    • Diagnostic laboratories may be located elsewhere.
    • AI systems may analyse radiology images.
    • Telemedicine consultations may be delivered from another city.
    • Billing may be centralized.
    • Patient relationship management may be managed by another company.

Each participating entity processes personal data.

Some determine purposes. Some determine means. Some merely process on behalf of others. Others establish governance policies affecting every participant.

The traditional distinction between Data Fiduciary and Data Processor is therefore insufficient to explain enterprise accountability.

The Missing Layer

Large enterprise ecosystems almost always contain an organization that performs functions extending beyond any individual operating company.

This organization may:

    • own or license the brand,
    • prescribe enterprise privacy policies,
    • establish cybersecurity architecture,
    • operate centralized digital platforms,
    • define AI governance,
    • standardize consent mechanisms,
    • govern cross-entity data sharing,
    • prescribe compliance standards,
    • conduct enterprise audits,
    • manage reputation risk.

Although it may not directly provide healthcare, retail services, education, hospitality, or banking, it exercises substantial influence over how personal data is governed throughout the ecosystem.

DGPSI identifies this governance layer as the Super Data Fiduciary.

What is a Super Data Fiduciary?

Within DGPSI, a Super Data Fiduciary is an enterprise-level governance entity that exercises strategic oversight, standardization, and accountability across multiple autonomous Data Fiduciaries operating under a common brand, platform, or governance structure.

The Super Data Fiduciary does not replace individual Data Fiduciaries.

Nor does it dilute their statutory responsibilities.

Instead, it provides enterprise governance wherever multiple organizations collectively create a unified customer experience.

The model introduces layered accountability rather than centralized liability.

A Layered Accountability Framework

Under the DGPSI model, accountability exists at two distinct levels.

Individual Data Fiduciaries

Each hospital, college, retail outlet, hotel, or financial institution remains responsible for:

      • complying with DPDPA,
      • obtaining consent where necessary,
      • protecting personal data,
      • responding to Data Principal requests,
      • implementing local security measures,
      • reporting personal data breaches,
      • maintaining statutory records.

Super Data Fiduciary

The enterprise governance layer becomes responsible for:

      • enterprise privacy governance,
      • common data governance architecture,
      • AI governance,
      • cybersecurity standards,
      • centralized digital infrastructure,
      • inter-entity data sharing protocols,
      • common consent architecture,
      • enterprise audit,
      • policy standardization,
      • governance assurance,
      • brand-level trust management.

The two responsibilities complement each other. One is operational. The other is strategic.

DGPSI-Hospital: Bridging the Governance Gap

One of the principal objectives of DGPSI-Hospital is to translate the broad principles of DPDPA into governance practices appropriate for healthcare institutions.

Healthcare differs fundamentally from many other sectors because data is inseparable from patient safety. Clinical information supports diagnosis, treatment, emergency intervention, medication management, continuity of care, and increasingly, AI-assisted healthcare delivery.

In healthcare, therefore, Data is Life.

DGPSI-Hospital recognizes that while individual hospitals remain statutory Data Fiduciaries, enterprise-wide governance frequently resides with the organization controlling the healthcare ecosystem.

Accordingly, DGPSI-Hospital designates that enterprise governance entity as the Super Data Fiduciary.

The Super Data Fiduciary establishes:

    • enterprise privacy policies,
    • EMR governance,
    • interoperability standards,
    • AI governance frameworks,
    • cybersecurity architecture,
    • centralized appointment systems,
    • patient portals,
    • telemedicine governance,
    • enterprise incident response,
    • consent management standards,
    • audit programmes,
    • vendor governance,
    • enterprise risk management.

Every participating hospital continues to remain independently responsible for complying with DPDPA. The Super Data Fiduciary simply provides coordinated governance across the enterprise.

This approach does not require any amendment to DPDPA. It merely implements good governance within the flexibility already available under the Act.

Beyond Healthcare

Although healthcare provides perhaps the clearest illustration, the governance challenge exists across numerous sectors.

Hospitality

International hotel brands frequently combine owned hotels, managed properties, franchise hotels, centralized reservation platforms, loyalty programmes, and common customer databases.

Retail

Large retail chains operate through company-owned stores, franchise outlets, warehouses, logistics companies, e-commerce platforms, and centralized CRM systems.

Education

University systems often include autonomous colleges, online learning platforms, research centres, examination authorities, alumni organizations, and international campuses functioning under one institutional identity.

Financial Services

Banking groups commonly consist of banks, NBFCs, insurance companies, payment service providers, mutual funds, wealth management entities, and technology subsidiaries sharing customer onboarding, KYC infrastructure, fraud monitoring, and analytics.

Aviation

Airline groups operate code-share arrangements, loyalty programmes, reservation systems, airport services, cargo operations, and alliance partnerships while presenting a unified customer experience.

E-commerce

Marketplace ecosystems integrate merchants, logistics providers, payment gateways, customer service centres, advertising platforms, and recommendation engines.

Technology Platforms

Digital platform companies increasingly operate cloud services, messaging platforms, identity systems, AI assistants, payment services, and advertising ecosystems through multiple corporate entities under one trusted brand.

In every one of these sectors, the customer trusts the brand rather than the underlying legal entities.

Sectoral DGPSI Frameworks as Laboratories of Governance

Law evolves more slowly than technology. Waiting for legislative amendments whenever new organizational models emerge would impede innovation and delay effective compliance. Sector-specific compliance frameworks therefore perform an important jurisprudential function.

The DGPSI family—including DGPSI-Hospital, DGPSI-Bank/BFSI, DGPSI-Education, DGPSI-Retail, DGPSI-Hospitality, and future sectoral variants—provides governance mechanisms that address operational realities while remaining faithful to the existing provisions of DPDPA.

The concept of the Super Data Fiduciary is one such governance innovation.

It enables organizations to demonstrate enterprise-wide accountability without altering the statutory responsibilities of individual Data Fiduciaries.

Rather than waiting for Parliament to recognize every emerging organizational model, governance frameworks can evolve first. Over time, judicial interpretation, regulatory guidance, industry practice, and legislative refinement may adopt these concepts where they prove effective.

This is how jurisprudence develops.

Looking Ahead

The future of data governance will not be defined solely by individual organizations.

It will increasingly be shaped by enterprise ecosystems—networks of legally independent entities operating under common brands, shared technologies, integrated AI platforms, and unified governance structures.

DPDPA provides the legal foundation for protecting personal data. Frameworks such as DGPSI build upon that foundation by translating statutory principles into governance models suited to specific sectors and operational realities.

The Super Data Fiduciary is one such model.

It preserves the statutory autonomy and accountability of every Data Fiduciary while recognizing that enterprise-wide governance often resides at a higher organizational level. By introducing layered accountability, DGPSI aligns legal compliance with the expectations of Data Principals, who place their trust not in corporate charts but in the integrity of the enterprise they choose to engage with.

As India’s data protection jurisprudence matures, governance innovations of this nature will play an important role in ensuring that the law remains effective in an increasingly interconnected and AI-driven economy. The Super Data Fiduciary is not a departure from DPDPA; it is an evolution in its practical application—demonstrating how sound governance can anticipate tomorrow’s challenges while remaining firmly rooted in today’s law.

Comments are welcome.

Naavi

Posted in Privacy

MeitY issues notice on “User Name” for WhatsApp

On July 1, MeitY issued a notice to WhatsApp to hold back its proposal to introduce a new feature giving users the option to register a user name. In the back end WhatsApp would still hold the mobile number, but it would not be displayed. Similar notices have also been issued to Telegram and Signal, according to The Hindu’s report.

The move will raise a backlash from “Privacy” activists who want a feature that lets them hide their identity and send messages. Naavi.org is in support of this move, as it is fully aware of the possible ways in which such a feature can be misused to commit anti-national activities besides cyber crimes. Meta itself is a company that can support anti-national activities and cannot be trusted.

At the same time, we have to point out that Naavi.org has earlier brought to public notice that changes are required in similar use cases in domain name registration and email registration. Today, domain name registrars provide a facility to “privacy protect” the registrant’s details. Email providers like Gmail substitute a proxy for the originating IP address and allow any name to be used as the display name. There are also Proton Mail-type service providers who thrive by providing identity cover in the name of privacy.

We also object to the current SMS and email systems, which provide a facility for “No-Reply” messages, an open invitation to spam. TRAI has tried to introduce restrictions on marketing messages but does not prevent “No-Reply” advertisements, which are legally an unsustainable mode of communication. Many times banks and other organizations use this facility to send a “Notice” with no reply option, which makes it spam.

Unless the Government takes a principled stand on all these aspects, the action against WhatsApp appears to be selective.

We therefore request the Government to simultaneously take action as follows.

  1. Display any preferred user name in the WhatsApp account, provided it is accompanied by the phone number. Example: “Naavi<……4943>”.
  2. Similarly, all emails must mandatorily display the sender’s mobile number.
  3. “No-Reply” communication should be prohibited in all e-communications.
  4. Privacy protection in domain name registration should be stopped, since any domain name registration should be considered as “publication for non-personal reasons”.

Naavi

Also refer: Theory of Regulated Anonymity

Posted in Privacy

DPDPA Challenge for Banks

We are now 314 days away from the full implementation of DPDPA 2023. From 13th May 2027, banks, like all other organizations, will face the prospect of inquiries from the Data Protection Board (DPB) on customer grievances related to “Data Access”, “Data Deletion”, “Processing without Permission”, etc.

FDPPI has been assisting organizations in becoming compliant with DPDPA by developing sector-specific compliance frameworks under the umbrella of “DGPSI”, the Data Governance and Protection Standard of India. Recently DGPSI-Hospital, the framework for hospitals, was released and is now under public discussion.

One of the key issues in the banking segment is that personal data is collected and used at hundreds of branches, while the data may sit on a central server and the DPO may be stationed in the head office without adequate oversight of branch activities.

Additionally, the use of data processors and AI has increased and needs to be factored in. Many of the banks also have exposure to the RTI Act and the POSH Act, which cannot be neglected either.

RBI has its own regulations on cross border data transfer, data retention and AI usage.

Many of the banks have had their systems notified as protected systems under Section 70 of ITA 2000, which introduces separate information security obligations.

Most banks have hundreds of processes covering multiple products and services.

Hence compliance in a Banking environment is complicated and requires special attention.

Hopefully DGPSI-Bank will address as many concerns in the banking sector as possible, so that before 13th May 2027 banks can make substantial progress in implementing DPDPA.

Watch out for more discussions on this website while the framework takes shape.

Naavi

Posted in Privacy

DGPSI-Hospital framework for Public Discussion

FDPPI has developed a DPDPA Compliance framework for hospitals named “DGPSI-Hospital”.

A public consultation will be held virtually next week to discuss the framework with interested persons in the public.

Watch out for the announcement of the time and link.

Naavi

Posted in Privacy

Independent Auditor is the new profession being unveiled by FDPPI: Do not miss attending

Registration fee: Rs 500/-.

Posted in Privacy

Madhya Pradesh Proposes new rules for Electronic Evidence

The Madhya Pradesh Government has proposed new Electronic Evidence Rules to make the handling of electronic evidence for presentation to the Court easier. The rules are said to have been developed in consultation with the MP High Court. They are pending approval and notification by the State.

According to MP Additional Chief Secretary (Home) Sanjay Shukla, the draft rules have been received by the government and are currently under examination. It is reported that similar initiatives are being pursued in several states following the Centre’s recommendations. If approved, Madhya Pradesh could emerge as the country’s first state to formally implement such a framework.

One of the benefits indicated is that people need not submit their mobile phones in order to present evidence. The evidence will be uploaded to an application and will be treated as “Original Evidence”. The upload facility will be provided through E Seva Centers.

It is not clear whether, with E Seva Centers in the loop, these rules will dilute the integrity of the evidence and enable manipulation. It is also debatable whether this should have been done through an amendment to Section 63 of the BSA rather than by notifying a rule.

In our view there was no need to deposit the mobile phone even now, since the mobile phone is only a container of the evidence and not the electronic evidence itself. This distinction has not been appreciated by many, perhaps including the MP High Court. What Section 63 requires is a faithful copy made by a certifier whose integrity is unimpeachable; the certificate prescribed in the Schedule to the BSA records the hash value of the copied record, which is what ties the copy to the original. If the certifier makes a false certification, he would be liable for perjury.

A second misconception is that the “Expert” must be a “Notified Digital Evidence Examiner”. In our view this is not necessary.

We also have some reservations about the power of the State Government to make an amendment of this type. It could have been better addressed by an amendment of BSA 2023 itself.

The integrity of the app being developed by NIC and of the E Seva Centers would now be part of the e-evidence system. How they will hold up under pressure to manipulate evidence is another challenge to be addressed.

Let us see how this develops. (Copy of the draft is not available so far)

Refer to the article at Bhaskarenglish.in.

Comments are welcome.

Naavi

Also refer:

Dainik Bhaskar

Request for Guidelines (Writ by Sidharth Luthra) at the Supreme Court

Posted in Privacy