A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government under Section 10 of the DPDPA, based on factors like data volume, sensitivity and risk. An SDF carries extra duties: appoint an India-based DPO, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments and audits.
Most organisations under India’s Digital Personal Data Protection Act, 2023 (DPDPA) are ordinary Data Fiduciaries, bound by the Section 8 obligations. But the Act recognises that some Fiduciaries process data at a scale or with a sensitivity that warrants stricter oversight. These are Significant Data Fiduciaries (SDFs), defined and regulated under Section 10.
Being an SDF does not replace your baseline duties — it layers additional, more demanding obligations on top of them: a dedicated Data Protection Officer based in India, an independent data auditor, and periodic Data Protection Impact Assessments and audits. This guide explains how the government decides who is an SDF, what the extra duties involve, and how to tell whether you might be caught.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary is a Data Fiduciary, or a class of Data Fiduciaries, that the Central Government notifies as “significant” under Section 10(1). The designation is not automatic and is not something you self-declare — it follows a government notification, which may target a specific organisation or an entire category of them.
Once notified, an SDF remains subject to every Section 8 obligation that applies to any Data Fiduciary, and additionally must comply with the heightened measures set out in Section 10(2) and any further requirements the DPDP Rules prescribe.
How does the government decide who is an SDF?
Section 10(1) lists the factors the Central Government must take into account when notifying a Data Fiduciary or class as significant. These are not weighted equally — the government assesses them together:
- The volume and sensitivity of personal data processed.
- The risk to the rights of Data Principals.
- The potential impact on the sovereignty and integrity of India.
- The risk to electoral democracy.
- The security of the State.
- Public order.
In practice, this points toward large-scale data processors and platforms whose handling of personal data could affect individuals or national interests at scale — for example, very large social media or e-commerce platforms, major data aggregators, or organisations processing highly sensitive data such as financial or health information about millions of people.
What extra obligations does Section 10 impose?
Section 10(2) sets out the additional duties an SDF must meet, on top of the general Section 8 obligations:
- Data Protection Officer (DPO): an individual the SDF must appoint who is based in India, represents the SDF under the Act, reports to the board of directors or similar governing body, and acts as the point of contact for the grievance redressal mechanism.
- Independent data auditor: an auditor the SDF must appoint to carry out data audits — independent of the SDF’s management — to evaluate the SDF’s compliance with the provisions of the Act.
- Data Protection Impact Assessment (DPIA): a periodic assessment that describes the rights of Data Principals, the purpose of processing, an assessment and management of risk to those rights, and other matters the Rules prescribe.
In summary, every SDF must: appoint a DPO based in India who reports to its board or governing body and is the contact point for grievances; appoint an independent data auditor to evaluate compliance; undertake periodic Data Protection Impact Assessments and periodic audits; and undertake such other measures as the Rules prescribe.
SDF duties are additive, not a substitute
Being notified as a Significant Data Fiduciary does not reduce your baseline burden. You must still meet every Section 8 obligation — purpose limitation, accuracy, security safeguards, breach notification, erasure, published contact and grievance redressal — and then satisfy the extra Section 10 measures on top.
Does an SDF need a DPO based in India?
Yes. Section 10(2)(a) is explicit: an SDF must appoint a Data Protection Officer who is based in India. The DPO represents the SDF under the Act, must report to the board of directors or other similar governing body of the SDF, and serves as the point of contact for the grievance redressal mechanism. This is a meaningful governance requirement — the DPO must have real seniority and a direct line to the board, not a nominal title. For a foreign organisation notified as an SDF, it means establishing an accountable, India-resident point of contact.
What is a DPIA and how often is it required?
A Data Protection Impact Assessment is a structured process that documents the rights of Data Principals, the purpose of the processing, and an assessment and management of the risks that processing poses to those rights, together with any other matters the Rules prescribe. Under Section 10(2)(c), an SDF must undertake DPIAs periodically — not as a one-off. The same provision requires periodic audits, with the independent data auditor evaluating compliance. The DPIA is the SDF’s primary tool for identifying and mitigating data-protection risk before it materialises into harm.
What other measures might the Rules require?
Section 10(2)(c) closes with a catch-all: an SDF must undertake “such other measures” as may be prescribed. This gives the DPDP Rules room to impose further, more technical obligations on SDFs, which may include:
- Algorithmic due diligence — verifying that the algorithms used to process personal data are not likely to pose a risk to the rights of Data Principals.
- Restrictions on transferring certain categories of personal data outside India, as may be specified.
- Enhanced record-keeping and reporting obligations beyond those of an ordinary Data Fiduciary.
- Specific traffic and data-flow conditions for very large platforms.
Because these measures are set by notification and Rules, an SDF should monitor government notifications closely and treat the published Rules as a living source of obligations.
How do I tell if I might be an SDF?
You become an SDF only when notified, so no business is an SDF by default. But you can assess your likelihood against the Section 10(1) factors and prepare accordingly. You are more likely to be in scope if several of the following are true:
1. You process personal data about a very large number of individuals in India — typically millions of Data Principals.
2. You handle sensitive categories such as financial, health, biometric or children’s data at scale.
3. Your processing — through profiling, targeting or large-scale decisioning — could materially affect individuals’ rights.
4. Your platform or service is large enough that its handling of data could affect public order, electoral democracy or national interests.
5. You operate a very large social media, e-commerce, gaming or data-aggregation platform of the kind regulators commonly scrutinise.
If most of these describe you, plan as though SDF designation is plausible: the cost of being ready early is far lower than scrambling after a notification.
How should an organisation prepare for SDF status?
Preparation is straightforward once you treat the Section 10 duties as a programme. Identify a DPO candidate based in India with the seniority to report to your board and own grievance redressal. Engage an independent data auditor and define an audit cadence. Build a repeatable DPIA methodology and run it on your highest-risk processing first. Establish algorithmic governance for any automated decisioning, and review your cross-border data flows. Above all, maintain continuous evidence so that, if you are notified, compliance is a matter of demonstrating what you already do rather than building it from scratch.