Most businesses reading about the DPDP Act focus on the obligations that apply to every Data Fiduciary: consent, notice, security safeguards, breach notification. Fair enough. Those are universal, and they demand attention. But buried in Section 10 of the Act is a second tier of compliance that relatively few people are discussing with the specificity it deserves.
The concept is the Significant Data Fiduciary, or SDF. If the Central Government designates your organisation as one, your compliance programme does not merely expand. It transforms.
Key Takeaways
- The Central Government can designate any Data Fiduciary as a Significant Data Fiduciary (SDF) under Section 10 of the DPDP Act 2023, based on data volume, sensitivity, risk to individuals, and national security considerations.
- SDFs must appoint a Data Protection Officer (DPO) based in India, who reports directly to the board of directors.
- SDFs must engage an independent data auditor and undergo annual compliance audits, with significant findings reported to the Data Protection Board.
- Data Protection Impact Assessments (DPIAs) are mandatory for SDFs, conducted at least once every 12 months.
- The penalty for non-compliance with SDF-specific obligations is up to ₹150 crore per violation, in addition to standard penalties that apply to all Data Fiduciaries.
What is a Significant Data Fiduciary Under the DPDP Act?
Section 2(z) of the DPDP Act 2023 defines a Significant Data Fiduciary as any Data Fiduciary, or class of Data Fiduciaries, that the Central Government notifies under Section 10. The designation is not self-assessed. You do not decide whether you qualify. The government tells you.
This is a critical distinction from frameworks like GDPR, where most compliance obligations scale based on a processor's own assessment of risk and volume. Under the DPDP Act, the SDF classification is an affirmative government action: a notification published in the Official Gazette.
For a foundational understanding of what a Data Fiduciary is and the baseline obligations that apply before any SDF designation, see our guide to Data Fiduciary obligations under DPDP.
How Does the Government Decide Who is an SDF?
Section 10(1) lists the factors the Central Government considers when deciding whether to designate a Data Fiduciary as significant. These are not thresholds with precise numbers. They are assessment criteria, and the government retains broad discretion.
| Designation Factor | Section Reference | What it Means in Practice |
|---|---|---|
| Volume of personal data processed | Section 10(1) | Organisations processing data of millions of individuals are more likely to be designated |
| Sensitivity of personal data processed | Section 10(1) | Financial data, health records, biometric data, and children's data increase the likelihood |
| Risk of harm to Data Principals | Section 10(1) | Potential for financial loss, identity theft, discrimination, or reputational damage |
| Impact on sovereignty and integrity of India | Section 10(1) | Entities handling data relevant to national infrastructure or defence |
| Risk to electoral democracy | Section 10(1) | Social media platforms, political communication services |
| Security of the State | Section 10(1) | Entities processing data related to law enforcement, intelligence, or public order |
Note that Section 10(1) does not limit the factors to this list. It includes the phrase "having regard to such factors as it may consider necessary," which gives the government room to introduce additional criteria through the DPDP Rules or subsequent notifications.
As of February 2026, the Central Government has not yet published the formal criteria or issued notifications designating specific entities as Significant Data Fiduciaries. This is widely expected before the May 2027 full enforcement date.
Which Companies Are Likely to Be Designated as SDFs?
While no official list exists yet, the designation criteria point toward a predictable set of candidates. This is not speculation for the sake of it; understanding who is likely to be designated helps businesses in adjacent categories assess their own risk.
High-probability sectors:
- Banking and financial services: RBI-regulated entities already subject to extensive data governance requirements. They process sensitive financial data at massive scale.
- Telecommunications: Carriers hold subscriber data, call records, and location data for hundreds of millions of users.
- Large e-commerce platforms: Transaction data, payment information, and delivery addresses across millions of customers.
- Social media and messaging platforms: User-generated content, behavioural data, and direct messages. The "risk to electoral democracy" factor specifically targets this category.
- Healthcare platforms and health-tech: Patient records, diagnostic data, and prescription histories are among the most sensitive personal data categories.
Do not assume SMBs are safe. The Act allows designation of a "class of Data Fiduciaries," not just individual entities. The government could, for example, designate all Data Fiduciaries processing health data above a certain volume, or all fintech companies holding payment credentials for more than a threshold number of users. If your business falls into a designated class, you become an SDF regardless of your company's size.
What Additional Obligations Does an SDF Face?
This is where Section 10(2) changes the compliance equation. The obligations below apply only to Significant Data Fiduciaries, on top of every obligation that applies to ordinary Data Fiduciaries under Section 8. For a complete breakdown of those baseline obligations, see our DPDP Act 2023 complete guide.
1. Appoint a Data Protection Officer Based in India
Under Section 10(2)(a), every SDF must appoint a Data Protection Officer (DPO). This is not a checkbox appointment. The Act and the DPDP Rules 2025 establish specific requirements:
- The DPO must be based in India. A DPO sitting in Singapore, Dublin, or San Francisco does not satisfy this requirement, regardless of their qualifications.
- The DPO is answerable to the board of directors (or equivalent governing body). This is not a mid-level compliance manager reporting to a VP. The Act positions the DPO as a board-level accountability function.
- The DPO serves as the point of contact for Data Principals exercising their rights and for the Data Protection Board when conducting inquiries.
- Contact details for the DPO must be publicly available on the organisation's website, mobile app, and any relevant communications with Data Principals.
For companies that already have a DPO under GDPR, the DPDP requirement introduces a jurisdictional constraint. Your EU-based DPO cannot double as your DPDP DPO unless they are physically based in India.
2. Appoint an Independent Data Auditor
Section 10(2)(b) requires SDFs to appoint an independent data auditor. The operative word is "independent." Your internal compliance team conducting a self-assessment does not qualify.
Under the DPDP Rules 2025, the independent data auditor must:
- Conduct a comprehensive compliance audit at least once every 12 months from the date of SDF designation.
- Evaluate whether the SDF's data processing practices, security safeguards, consent mechanisms, and DSR processes comply with the Act and Rules.
- Submit a report containing significant observations to the Data Protection Board of India. This is not a report that sits in your internal files. The regulator receives it.
The annual audit requirement creates a recurring compliance cycle. Unlike a one-time implementation, this demands ongoing investment in documentation, process maintenance, and audit readiness. Companies accustomed to ISO 27001 surveillance audits will find the rhythm familiar, though the substantive focus is different.
3. Conduct Data Protection Impact Assessments
Section 10(2)(c) mandates periodic Data Protection Impact Assessments (DPIAs). The DPDP Rules 2025, specifically Rule 13, operationalise this requirement:
- DPIAs must be conducted at least once every 12 months.
- Each DPIA must include a description of the rights of Data Principals that may be affected and the purpose of the processing activity under assessment.
- The DPIA must include an assessment and management plan for risks to Data Principal rights.
- Significant findings from the DPIA must be submitted to the Data Protection Board alongside the audit report.
A critical nuance: the DPIA obligation under DPDP is not triggered by specific high-risk processing activities (the way GDPR's Article 35 works). For SDFs, it is an unconditional, periodic requirement. You conduct a DPIA because you are an SDF, full stop. The scope covers all your processing activities.
4. Ensure Algorithmic Accountability
Rule 13 of the DPDP Rules 2025 introduces an obligation that has received less attention than it deserves. SDFs must ensure that algorithmic software deployed for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data does not pose a risk to the rights of Data Principals.
In practice, this means:
- If your platform uses automated systems to process, classify, or make decisions about personal data, those systems are within scope.
- The obligation covers recommendation engines, automated content moderation, fraud detection systems, and any other algorithmic processing that touches personal data.
- You need to be able to demonstrate that these systems have been assessed for risks to Data Principal rights.
This is a nascent obligation globally. Even GDPR's automated decision-making provisions under Article 22 are narrower in some respects. The DPDP Rules cast a wide net over algorithmic processing, and the specifics of enforcement will develop as the Data Protection Board begins interpreting this provision.
How Do SDF Obligations Compare to Standard Data Fiduciary Obligations?
The table below consolidates the full compliance picture. Every obligation in the left column applies to all Data Fiduciaries. The right column shows what SDFs must do in addition.
| Compliance Area | All Data Fiduciaries (Section 8) | Additional SDF Obligations (Section 10 + Rule 13) |
|---|---|---|
| Consent management | Obtain valid consent per Section 6; provide notice per Section 5 | Same, plus demonstrate compliance to independent auditor |
| Security safeguards | Implement reasonable security safeguards (Section 8(4)) | Same, plus auditor evaluates adequacy annually |
| Breach notification | Notify DPBI and affected Data Principals within 72 hours | Same, plus breach response included in DPIA scope |
| Data retention | Erase data when purpose is fulfilled (Section 8(7)) | Same, plus retention practices reviewed in annual audit |
| Data Processor agreements | Valid contract with all processors (Section 8(2)) | Same, plus processor compliance included in audit scope |
| DPO appointment | Not required | Required; must be India-based, board-accountable |
| Independent audit | Not required | Required annually; report submitted to DPBI |
| DPIA | Not required | Required annually; findings submitted to DPBI |
| Algorithmic accountability | Not required | Required; must assess algorithmic risks to Data Principals |
| Cross-border data restrictions | General rules under Section 16 | Additional restrictions may be imposed on specified data categories |
The cost and resource implications are significant. An ordinary Data Fiduciary can, in principle, manage DPDP compliance with internal resources and a reasonable technology stack. An SDF needs a dedicated DPO, an external auditor, a structured DPIA framework, and the documentation infrastructure to support all three on a recurring basis.
What Are the Penalties for SDF Non-Compliance?
The Schedule to the DPDP Act assigns a specific penalty ceiling for SDF-related violations.
Non-fulfilment of additional SDF obligations: up to ₹150 crore per violation.
This is separate from the standard penalty framework. An SDF that fails to appoint a DPO, skips its annual audit, or neglects to conduct a DPIA faces penalties of up to ₹150 crore for those specific failures, in addition to any penalties incurred under the general provisions (which go up to ₹250 crore for security failures leading to data breaches).
To put this in context: the SDF penalty ceiling of ₹150 crore is higher than the general non-compliance penalty of ₹50 crore but lower than the breach-related penalties (₹200-250 crore). The Act is signalling that SDF obligations are taken seriously, second only to the most severe violations involving actual data breaches.
The Data Protection Board has discretion to set the actual penalty amount within these limits, considering factors like the severity of non-compliance, whether the SDF made good-faith efforts, and whether voluntary corrective action was taken.
What Should Potential SDFs Do Now?
The SDF notification has not been issued yet. But waiting for the gazette notification before preparing is a strategy that trades runway for panic. Organisations that expect to be designated have a clear set of preparatory steps.
Phase 1: Assessment (Now)
- Map all personal data processing activities across your organisation. You need a complete picture of data flows, data categories, volumes, and processing purposes.
- Identify which designation criteria (volume, sensitivity, risk, sector) apply to your business. If two or more criteria clearly apply, assume you will be designated.
- Assess your current data governance maturity. If you have an existing ISO 27001 or SOC 2 programme, map the overlap with DPDP SDF requirements.
Phase 2: Structural Preparation (Q1-Q2 2026)
- Identify or recruit a DPO candidate who is based in India and has the seniority to report to the board. Do not wait until the notification to start this search; qualified candidates in this domain are scarce.
- Research and shortlist independent data auditors. The auditor must be genuinely independent, not your existing IT auditor wearing a different hat.
- Design a DPIA framework. This includes templates, risk assessment methodologies, and a process for documenting and reporting findings.
Phase 3: Implementation (Before May 2027)
- Formalise DPO appointment with board resolution, defined responsibilities, and published contact details.
- Conduct a baseline audit and first DPIA cycle. Do not wait for the mandatory deadline to run your first assessment. The first cycle always reveals gaps you did not anticipate.
- Establish an ongoing compliance calendar: annual audit, annual DPIA, periodic consent and security reviews.
Note that even if you are not designated as an SDF, the preparation steps above are sound compliance hygiene. The baseline DPDP obligations still require robust data mapping, security safeguards, and documented consent practices. Building an SDF-ready programme gives you margin rather than a last-minute scramble.
How Does SDF Compare to GDPR's Heightened Obligations?
Companies operating across both jurisdictions often ask whether GDPR compliance covers the SDF requirements. It does not, though there is meaningful overlap.
| Requirement | DPDP SDF (Section 10) | GDPR Equivalent |
|---|---|---|
| DPO appointment | Mandatory for SDFs; must be India-based | Mandatory for public authorities and large-scale processors (Article 37); no country-of-residence requirement |
| Independent audit | Mandatory annually; report to DPBI | Not mandated by GDPR (though common in practice via binding corporate rules) |
| DPIA | Mandatory annually for all processing | Required only for "high-risk" processing per Article 35 |
| Algorithmic accountability | Broad obligation covering all algorithmic processing of personal data | Article 22 covers automated individual decision-making; narrower scope |
| Penalty for non-compliance | Up to ₹150 crore (fixed cap) | Up to 4% of global annual turnover or EUR 20M |
| Designation mechanism | Government notification | Self-assessment based on Article 37 criteria |
The most operationally significant differences: DPDP's DPIA requirement is unconditional for SDFs (not risk-triggered), the audit report goes directly to the regulator (not an internal exercise), and the DPO must be physically in India.
Frequently Asked Questions
Has the government designated any Significant Data Fiduciaries yet?
As of February 2026, no. The Central Government has not issued formal notifications designating specific entities or classes of entities as Significant Data Fiduciaries. The DPDP Rules 2025 provide the framework, but the actual designations are expected before the May 2027 full enforcement date.
Can a startup be designated as a Significant Data Fiduciary?
Yes, in principle. The designation criteria in Section 10(1) focus on data processing characteristics, not company size or revenue. A startup processing health data for millions of users, or handling sensitive financial credentials at scale, could meet the threshold. The Act also allows designation of a "class of Data Fiduciaries," which could capture smaller entities in high-sensitivity sectors.
What happens if my company is designated as an SDF mid-year?
The DPDP Rules 2025 establish that the 12-month audit and DPIA cycle begins from the date of SDF notification. You would need to appoint a DPO, engage an independent auditor, and begin your first DPIA cycle from the designation date, not from the start of your fiscal year.
Do SDF obligations apply in addition to industry-specific regulations?
Yes. SDF obligations under the DPDP Act are cumulative with existing sectoral regulations. A bank designated as an SDF must comply with both RBI data governance circulars and DPDP SDF requirements. An IRDAI-regulated insurer must satisfy both IRDAI's data handling norms and the SDF audit and DPIA obligations. There is no exemption or substitution mechanism.
Is the SDF audit the same as an ISO 27001 audit?
No. An ISO 27001 audit evaluates your information security management system against the ISO standard. The SDF audit evaluates compliance with the DPDP Act and Rules specifically. There is overlap in areas like access controls, encryption, and incident response, but the DPDP audit also covers consent practices, notice requirements, DSR handling, data retention, and other privacy-specific obligations that ISO 27001 does not address.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Whether you are a potential SDF or an ordinary Data Fiduciary, DPDP compliance involves consent management, privacy notices in all 22 scheduled Indian languages, DSR workflows, and audit-ready records. ComplyZero handles this in a single self-serve platform, no consultants or legal teams required. Set up in 15 minutes, not 15 weeks.