Not all Data Fiduciaries are treated equally under India's DPDP Act. The law reserves a higher tier of obligations for entities that handle data at scale, whose processing poses elevated risks, or who hold significant national or societal influence. These are Significant Data Fiduciaries (SDFs) — and if you are one, or are on the path to becoming one, the compliance requirements are substantially more demanding.
What Is a Significant Data Fiduciary?
Section 10 of the DPDP Act empowers the Central Government to notify any Data Fiduciary or class of Fiduciaries as a Significant Data Fiduciary, based on an assessment of risk. The classification is not permanent or automatic — it is a Government notification that can be updated as the digital landscape evolves.
SDF classification can arrive as a Government notification without advance notice to the entity. Organisations that wait for formal classification before building SDF-level compliance will face a very short implementation window. Start preparation before the notification arrives.
The Criteria — How Does the Government Decide?
Section 10(2) specifies the factors the Government will consider:
| Factor | What it evaluates |
|---|---|
| Volume of data processed | How many Data Principals' personal data do you hold? |
| Sensitivity of personal data | Are you processing financial, health, biometric, or other sensitive categories? |
| Risk to the rights of Data Principals | Does your processing pose significant risk to individual rights or safety? |
| Potential national security impact | Could your data, or its misuse, affect India's sovereignty or security? |
| Risk to electoral democracy | Could your platform influence elections or democratic processes? |
| Public order implications | Does processing affect law and order? |
| Impact on sovereignty and integrity of India | Does your data handling have geopolitical implications? |
These criteria signal that SDFs are likely to be large social media platforms, major e-commerce and fintech players, healthcare aggregators with national reach, EdTech platforms processing children's data at scale, and cloud infrastructure providers or data brokers.
Are You an SDF? A Self-Assessment Framework
While the Government's official notification determines SDF status, assess your exposure now:
- Scale: Do you process personal data of more than 1 million Data Principals? Is your user base growing rapidly toward that threshold?
- Sensitivity: Do you handle financial data, health or medical records, biometric data? Are a significant proportion of your users children?
- Influence: Does your platform shape public discourse? Do advertisers use your platform for political campaigns?
- Geography: Is your business model dependent on processing data at national scale across India?
If you answer yes to multiple questions, prepare for SDF-level compliance — even if the formal notification has not arrived.
The 4 Additional SDF Obligations
Beyond the standard Data Fiduciary obligations, Section 10 imposes four additional requirements:
1. Appointment of a Data Protection Officer (DPO)
SDFs must appoint a DPO who is based in India (non-negotiable — a remote appointment from overseas does not qualify), represents the SDF before the Data Protection Board, and reports directly to the Board of Directors — not the CISO, General Counsel, or CTO. This independence of reporting line is deliberate: the DPO must be free from conflicts of interest. For the full picture on the DPO role, read Part 5 of this series on the DPO under the DPDP Act.
2. Appointment of an Independent Data Auditor
SDFs must engage an Independent Data Auditor to evaluate the SDF's compliance with the DPDP Act; audit its data management practices, processing activities, and technical safeguards; and audit its algorithms if the SDF uses automated profiling or decision-making. This is analogous to a financial audit: an external, objective assessment that goes beyond self-certification.
3. Periodic Data Protection Impact Assessments (DPIAs)
SDFs must conduct DPIAs — a structured evaluation of how specific processing activities impact Data Principal rights. A DPIA covers what data is processed and why, what risks it poses to individuals, mitigating controls in place, and residual risk assessment. DPIAs are not one-time exercises — they must be conducted whenever a new high-risk processing activity is introduced.
4. Algorithmic Transparency and Fairness Obligations
If an SDF uses algorithms for profiling, recommendation, or automated decision-making, it must conduct audits of those algorithms, assess whether they introduce bias or discriminatory outcomes, and publish, or make available to the Board, the results of those algorithm audits. This is a significant obligation for platforms using AI or ML at the core of their product.
SDF vs Standard Data Fiduciary — Side by Side
| Obligation | Standard Fiduciary | SDF |
|---|---|---|
| Obtain valid consent | ✅ | ✅ |
| Grievance mechanism | ✅ | ✅ |
| Breach notification | ✅ | ✅ |
| Appoint Grievance Officer | ✅ | ✅ |
| Appoint DPO (India-based) | ❌ | ✅ |
| Independent Data Audit | ❌ | ✅ |
| Conduct DPIAs periodically | ❌ | ✅ |
| Algorithm audits | ❌ | ✅ |
| Cross-border transfer scrutiny | Possible | Heightened |
Cross-Border Data Transfers — Additional Scrutiny for SDFs
The DPDP Act (Section 16) restricts transfer of personal data to countries notified by the Central Government. SDFs face heightened scrutiny in this area, and their data transfer agreements are more likely to be subject to Government review. If you are an SDF using global cloud infrastructure (AWS US regions, Azure Europe), your data localisation or transfer safeguards will be examined more rigorously.
SDF Compliance Roadmap — Where to Start
- Immediate: Identify and appoint a DPO — India-based, with a direct Board reporting line. This takes time to recruit, so start early. Commission an Independent Data Audit to assess your current DPDP posture.
- Short-term (3–6 months): Build a DPIA programme — define which processing activities require DPIAs, assign ownership, and conduct your first round. Map your algorithms — list every algorithm that processes personal data and assess for bias and risk.
- Ongoing: Periodic DPIAs built into your product release and change management process. Algorithm audit cycle at minimum annually. DPO reporting cadence to the Board of Directors.
Failure to observe SDF-specific obligations can attract penalties in the higher ranges — up to ₹150–250 crore per violation category, as assessed by the Data Protection Board. Beyond financial penalties, Board findings are public — reputational damage to a large-scale platform can be severe and lasting.
Frequently Asked Questions
The Central Government uses the criteria in Section 10(2) — including volume of data processed, sensitivity of personal data, risk to the rights of Data Principals, potential national security impact, risk to electoral democracy, public order implications, and impact on India's sovereignty and integrity. The classification is a Government notification and can be updated as the digital landscape evolves.
Yes. This is non-negotiable. A DPO located in Singapore, the US, or the UK does not satisfy the DPDP Act requirement. The DPO must be India-based and available to represent the SDF before the Data Protection Board of India. Additionally, the DPO must report directly to the Board of Directors — not to the CISO, General Counsel, or any other function.
A DPIA is a structured evaluation of how a specific processing activity impacts Data Principal rights. It covers what data is processed and why, what risks it poses to individuals, mitigating controls in place, and residual risk assessment. Only Significant Data Fiduciaries are required to conduct periodic DPIAs under the DPDP Act, though any Data Fiduciary undertaking high-risk processing should consider them as best practice.
SDFs must meet four additional obligations beyond standard Fiduciary requirements: (1) Appointment of an India-based DPO reporting to the Board, (2) Engagement of an Independent Data Auditor for periodic compliance audits, (3) Periodic Data Protection Impact Assessments for high-risk processing activities, and (4) Algorithm audits for bias, fairness, and transparency where AI/ML is used.
Failure to observe SDF-specific obligations can attract penalties in the higher ranges of the DPDP Act penalty schedule — up to ₹150–250 crore per violation category, as assessed by the Data Protection Board. Beyond financial penalties, Board findings are public records, meaning reputational damage compounds financial penalties for large-scale platforms.