"Same thing, different name." — The myth that's quietly breaking DPDPA implementations.

Fiduciary vs Controller

I was in a compliance review meeting when a colleague said it out loud, confidently: "We're covered — our GDPR Controller framework maps directly to DPDPA's Data Fiduciary. Same thing, different name."

The room nodded. I paused.

Because if you've lived inside both frameworks — not just read the definitions, but actually operationalised them — you know that conflating the two isn't just imprecise. It's a gap waiting to become a compliance failure.

"GDPR trusts the Controller to balance interests. DPDPA structurally limits how much balancing the Fiduciary can do."

This post is my attempt to set the record straight — not with legalese, but with the practitioner lens I've built across 15 years of GRC, InfoSec, and Privacy work.


First, let's give the myth its due

Yes — on the surface, both terms describe the same functional role. The entity that decides why personal data is collected and how it is processed. Both sit at the top of the processing chain. Both carry accountability under their respective laws.

That functional overlap is real. But the law isn't just about function.

The word is the argument

"Controller" is a legal label. Neutral. Operational. It tells you who is accountable — nothing more, nothing less.

"Fiduciary" is a trust label. It's borrowed from fiduciary law — the same standard that governs the relationship between a doctor and patient, a lawyer and client, a trustee and beneficiary. You don't just process data. You hold it in trust. You owe the Data Principal something that goes beyond legal compliance.

India didn't just rename a concept. It embedded a duty of loyalty into the statute's vocabulary itself.


Where the frameworks actually diverge

This is not a minor operational difference. It reshapes how you design consent flows, draft privacy notices, and justify processing to regulators.

Then there's something GDPR has no equivalent for: duties on the individual. Section 15 of DPDPA assigns obligations to the Data Principal — don't impersonate, don't suppress material information, don't file frivolous complaints. The law creates a mutual accountability model. The Fiduciary owes trust; the Principal owes honesty.

And on cross-border transfers, the logic is reversed entirely. GDPR says: prove it's safe before you transfer. DPDPA says: transfer freely, unless we restrict it. Same goal. Opposite architecture.


Not all Fiduciaries are equal — enter the Significant Data Fiduciary

Section 10 of DPDPA introduces a concept that has no direct GDPR equivalent — the Significant Data Fiduciary (SDF). This is not a self-declaration. It is a government-notified designation, triggered when the Central Government determines that an entity's data processing activities pose elevated risk to individuals or national interests.

The criteria include: volume and sensitivity of data processed, risk to Data Principals' rights, impact on national sovereignty and electoral democracy, and security of the state.

Once designated, an SDF takes on obligations that an ordinary Fiduciary does not:

  1. Appoint a DPO: India-based, reporting to the Board of Directors — not just the legal team.
  2. Appoint an independent Data Auditor: annual audit of compliance with the Act and Rules.
  3. Conduct mandatory DPIAs: periodic and documented — not discretionary.
  4. Algorithmic accountability: periodic assessment of AI models and algorithms used to process personal data.
  5. Additional prescribed measures: as directed by the Data Protection Board of India.

Think of SDF obligations as GDPR's high-risk processing requirements — mandatory DPO, mandatory DPIA, heightened accountability — bundled into a single regulatory designation, triggered externally, not self-assessed.


So what does this mean for you?

If you're a privacy professional, DPO, or GRC lead currently running a GDPR-to-DPDPA gap assessment, this distinction isn't academic. It has direct operational consequence:

Your consent mechanism needs to be rebuilt — not rephrased. Your legitimate interests assessments won't translate. Your cross-border transfer inventory needs a logic flip. And if you're in scope for SDF designation, your governance structure needs to change before the Rules are enforced, not after.

The frameworks share DNA. But they are not the same organism.

"The moment you call yourself a Fiduciary, Indian law expects something different from you. Not just compliance. Loyalty."

The good news: organisations that internalise this distinction early will build more resilient, trust-centred data programmes. That's not just regulatory compliance — that's competitive advantage in an era where data trust is currency.

Want the full GDPR vs. DPDPA comparative breakdown? Read the Hogan Lovells analysis — one of the most thorough practitioner resources available.

Devika Subbaiah is a Privacy & AI Governance Practitioner. She writes about Privacy Operations, AI Governance, and building privacy programmes that actually work.
