Not All Data Fiduciaries Are Equal Under the DPDP Act
Every organisation that determines the purpose and means of processing personal data is a Data Fiduciary under India's Digital Personal Data Protection (DPDP) Act 2023. But the Act goes a step further — it creates a special category called Significant Data Fiduciaries (SDFs) that face additional, more demanding obligations.
If you are processing large volumes of personal data, handling sensitive categories, or your operations pose risks to India's sovereignty and public order, the government may classify you as an SDF. This is not a self-designation — it is a notification by the Central Government based on specific criteria.
The question every growing business should ask: Could we be designated as a Significant Data Fiduciary, and are we prepared for what that means?
What Is a Significant Data Fiduciary?
Section 10 of the DPDP Act empowers the Central Government to notify certain Data Fiduciaries as "Significant" based on an assessment of risk factors. Once designated, these organisations must comply with a set of enhanced obligations that go well beyond what is required of regular Data Fiduciaries.
Think of it as a tiered compliance system:
- All Data Fiduciaries must follow the Act's baseline requirements — lawful processing, consent management, data security, breach notification, and honouring data principal rights
- Significant Data Fiduciaries must do all of the above plus additional governance, audit, and accountability measures
Criteria for SDF Designation
The Central Government considers multiple factors when deciding whether to designate an organisation as an SDF. While the exact thresholds will be specified through rules, the Act identifies these assessment criteria:
1. Volume and Sensitivity of Data Processed
Organisations that process personal data of a very large number of individuals are more likely to be designated. This includes:
- Telecom operators with millions of subscriber records
- E-commerce platforms with extensive customer databases
- Financial institutions handling transaction data at scale
- Social media platforms with large Indian user bases
2. Risk to the Rights of Data Principals
If the nature of your data processing poses significant risk to individuals' rights and freedoms, the government may classify you as an SDF. This includes processing that involves:
- Profiling and automated decision-making
- Processing of children's data at scale
- Data used for credit scoring, insurance underwriting, or employment decisions
3. Impact on Sovereignty and Integrity of India
Organisations whose data processing could affect national security, public order, or India's sovereignty face heightened scrutiny. This criterion is particularly relevant for:
- Companies handling critical infrastructure data
- Defence and government contractors
- Organisations processing data related to electoral processes
4. Risk to Electoral Democracy
Any organisation whose data processing could influence or undermine democratic processes may be designated. This is directly relevant to social media platforms and political communication tools operating in India.
5. Other Factors the Government Deems Relevant
The Act gives the government flexibility to consider additional factors, which means the criteria may evolve as India's data protection framework matures.
What Additional Obligations Apply to SDFs?
Once designated, a Significant Data Fiduciary must comply with several additional requirements. Here is what changes:
Appoint a Data Protection Officer (DPO) Based in India
SDFs must appoint a Data Protection Officer who:
- Is based in India (not a remote or overseas appointment)
- Acts as the primary point of contact for the Data Protection Board of India
- Represents the SDF in all matters related to DPDP compliance
- Is responsible for overseeing internal data protection practices
This is not a ceremonial role. The DPO must have genuine authority and resources to fulfil their mandate.
Appoint an Independent Data Auditor
SDFs must engage an independent data auditor to evaluate their compliance with the DPDP Act. This audit must:
- Be conducted periodically (frequency to be specified in rules)
- Cover all aspects of the SDF's data processing operations
- Be performed by a qualified, independent professional — not an internal team
- Result in a formal audit report submitted to the Data Protection Board
Conduct Periodic Data Protection Impact Assessments (DPIAs)
SDFs must undertake regular DPIAs to evaluate the impact of their data processing activities on individuals' rights. A DPIA should cover:
- Description of the processing operations and their purposes
- Assessment of the necessity and proportionality of data processing
- Identification of risks to data principals
- Measures to address and mitigate those risks
Complynz's DPDP Assessment Module helps organisations conduct structured impact assessments aligned with the Act's requirements.
Periodic Review and Compliance Reporting
SDFs must periodically review their data protection policies and practices to ensure ongoing compliance. This includes maintaining up-to-date documentation and being prepared for regulatory inspections at any time.
Regular Data Fiduciary vs Significant Data Fiduciary: A Comparison
| Obligation | Regular Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Lawful data processing | Required | Required |
| Consent management | Required | Required |
| Data security safeguards | Required | Required |
| Breach notification to Board | Required | Required |
| Honour data principal rights | Required | Required |
| Appoint India-based DPO | Not required | Mandatory |
| Independent data audit | Not required | Mandatory (periodic) |
| Data Protection Impact Assessment | Not required | Mandatory (periodic) |
| Algorithmic fairness assessment | Not required | May be required |
| Compliance reporting to Board | On request | Proactive and periodic |
Self-Assessment: Could You Be Designated as an SDF?
While only the Central Government can formally designate an SDF, you should proactively assess your risk. Ask yourself:
- User scale — Do you process personal data of more than 1 million individuals in India?
- Data sensitivity — Do you handle health records, financial data, children's data, or biometric information?
- Automated decisions — Do you use algorithms to make decisions that affect individuals (credit, insurance, hiring, content moderation)?
- Cross-border transfers — Do you transfer Indian personal data to servers or processors outside India?
- Market position — Are you a dominant player in your sector with significant data accumulation?
- Critical infrastructure — Is your platform or service considered essential infrastructure (telecom, banking, energy)?
If you answered "yes" to three or more of these questions, you should prepare for potential SDF designation.
A Practical Compliance Roadmap for Potential SDFs
Don't wait for designation to arrive. Here is a phased approach to get ready:
Phase 1: Assess Your Current State (Months 1-2)
- Conduct a comprehensive data inventory — know what data you hold, where it flows, and who accesses it
- Run a DPDP compliance assessment to identify gaps across all obligations
- Map your data processing activities against the SDF designation criteria
Phase 2: Build the Governance Structure (Months 2-4)
- Identify and appoint a qualified DPO with authority and resources
- Establish a data protection governance committee with cross-functional representation
- Draft internal data protection policies covering processing, retention, access, and incident response
- Use Complynz's Policy Generator to create framework-aligned policies
Phase 3: Implement Technical and Operational Controls (Months 4-6)
- Deploy consent management infrastructure that meets DPDP standards
- Implement data subject request (DSR) handling workflows
- Set up breach detection and notification processes
- Conduct your first Data Protection Impact Assessment
Phase 4: Audit and Continuous Compliance (Month 6 onwards)
- Engage an independent data auditor for your first compliance audit
- Establish a regular audit cadence (annually at minimum)
- Use the Remediation Planner to track and close identified gaps
- Set up continuous monitoring to catch compliance drift before it becomes a problem
What Happens If You Are Designated but Not Compliant?
The penalty framework under the DPDP Act applies across the board, but SDFs face heightened regulatory scrutiny. Penalties for non-compliance can reach up to ₹250 crore depending on the nature and extent of the violation.
More importantly, SDFs are expected to be proactive — the regulator is unlikely to accept "we didn't know" as a defence from an organisation that has been formally designated as handling significant data responsibilities.
Industries Most Likely to Be Designated as SDFs
Based on global precedents and the criteria outlined in the Act, these sectors are most likely to see SDF designations:
- Banking and Financial Services — large-scale transaction and identity data
- Telecommunications — subscriber data, location data, call records
- E-commerce and Retail Tech — extensive purchase history and behavioural data
- Social Media and Content Platforms — user-generated content, profiling, and recommendation algorithms
- Healthcare and Insurance — sensitive health data at scale
- EdTech — large volumes of children's data (intersects with Section 9 obligations)
- Government Contractors and IT Service Providers — handling government data and critical systems
Start Preparing Now
The DPDP Act's SDF provisions represent a clear message: with great data comes greater responsibility. Whether or not you are formally designated today, the obligations outlined for SDFs represent best practices that every data-intensive organisation should aspire to.
Start with a DPDP compliance assessment to understand where you stand. Explore the complete DPDP Guide for a section-by-section walkthrough of the Act. And if you need help building a remediation plan, the Remediation Planner can help you prioritise and track every action item.