The Digital Personal Data Protection Act 2023 (Act) places the primary obligation on ‘data fiduciaries’ to protect digital personal data of individuals and implement consent artifacts, including for any outsourcing arrangements for processing. Entities who merely process such data at the behest of another entity, called ‘data processors’ have been excluded from the statutory compliance obligations under the Act. The Act defines ‘data fiduciary’ as any entity determining the means and purpose of processing personal data. Entities handling data are required to undertake this classification exercise as the first step, i.e., whether they are merely data processors or can be classified as data fiduciaries.