Significant Data Fiduciary Under DPDP Act: Are You One and What Must You Do?

By Arpit Garg | DPDP | 2026-03-04

The DPDP Act 2023 creates a special category called Significant Data Fiduciaries with additional obligations — India-based DPO, periodic DPIAs, independent audits, and more. Here's how to assess if you qualify and what you need to do.

Not All Data Fiduciaries Are Equal Under the DPDP Act

Every organisation that determines the purpose and means of processing personal data is a Data Fiduciary under India's Digital Personal Data Protection (DPDP) Act 2023. But the Act goes a step further — it creates a special category called Significant Data Fiduciaries (SDFs) that face additional, more demanding obligations.

If you are processing large volumes of personal data, handling sensitive categories, or your operations pose risks to India's sovereignty and public order, the government may classify you as an SDF. This is not a self-designation — it is a notification by the Central Government based on specific criteria.

The question every growing business should ask: Could we be designated as a Significant Data Fiduciary, and are we prepared for what that means?

What Is a Significant Data Fiduciary?

Section 10 of the DPDP Act empowers the Central Government to notify certain Data Fiduciaries as "Significant" based on an assessment of risk factors. Once designated, these organisations must comply with a set of enhanced obligations that go well beyond what is required of regular Data Fiduciaries.

Think of it as a tiered compliance system:

- All Data Fiduciaries must follow the Act's baseline requirements — lawful processing, consent management, data security, breach notification, and honouring data principal rights
- Significant Data Fiduciaries must do all of the above plus additional governance, audit, and accountability measures

Criteria for SDF Designation

The Central Government considers multiple factors when deciding whether to designate an organisation as an SDF. While the exact thresholds will be specified through rules, the Act identifies these assessment criteria:

1. Volume and Sensitivity of Data Processed

Organisations that process personal data of a very large number of individuals are more likely to be designated. This includes:

- Telecom operators with millions of subscriber records
- E-commerce platforms with extensive customer databases
- Financial institutions handling transaction data at scale
- Social media platforms with large Indian user bases

2. Risk to the Rights of Data Principals

If the nature of your data processing poses significant risk to individuals' rights and freedoms, the government may classify you as an SDF. This includes processing that involves:

- Profiling and automated decision-making
- Processing of children's data at scale
- Data used for credit scoring, insurance underwriting, or employment decisions

3. Impact on Sovereignty and Integrity of India

Organisations whose data processing could affect national security, public order, or India's sovereignty face heightened scrutiny. This criterion is particularly relevant for:

- Companies handling critical infrastructure data
- Defence and government contractors
- Organisations processing data related to electoral processes

4. Risk to Electoral Democracy

Any organisation whose data processing could influence or undermine democratic processes may be designated. This is directly relevant to social media platforms and political communication tools operating in India.

5. Other Factors the Government Deems Relevant

The Act gives the government flexibility to consider additional factors, which means the criteria may evolve as India's data protection framework matures.

What Additional Obligations Apply to SDFs?

Once designated, a Significant Data Fiduciary must comply with several additional requirements. Here is what changes:

Appoint a Data Protection Officer (DPO) Based in India

SDFs must appoint a Data Protection Officer who:

- Is based in India (not a remote or overseas appointment)
- Acts as the primary point of contact for the Data Protection Board of India
- Represents the SDF in all matters related to DPDP compliance
- Is responsible for overseeing internal data protection practices

This is not a ceremonial role. The DPO must have genuine authority and resources to fulfil their mandate.

Appoint an Independent Data Auditor

SDFs must engage an independent data auditor to evaluate their compliance with the DPDP Act. This audit must:

- Be conducted periodically (frequency to be specified in rules)
- Cover all aspects of the SDF's data processing operations
- Be performed by a qualified, independent professional — not an internal team
- Result in a formal audit report submitted to the Data Protection Board

Conduct Periodic Data Protection Impact Assessments (DPIAs)

SDFs must undertake regular DPIAs to evaluate the impact of their data processing activities on individuals' rights. A DPIA should cover:

- Description of the processing operations and their purposes
- Assessment of the necessity and proportionality of data processing
- Identification of risks to data principals
- Measures to address and mitigate those risks

Complynz's DPDP Assessment Module helps organisations conduct structured impact assessments aligned with the Act's requirements.

Periodic Review and Compliance Reporting

SDFs must periodically review