Are You Likely to Be a Significant Data Fiduciary Under DPDP?

Some Indian businesses will have ordinary Data Fiduciary obligations under the DPDP Act. A smaller group will have extra governance obligations if the Central Government notifies them as Significant Data Fiduciaries, often shortened to SDFs.

The hard part is that DPDP does not give a simple public threshold like "more than X users" or "more than Y crore revenue." Section 10 lets the Central Government notify a Data Fiduciary or a class of Data Fiduciaries as significant after considering factors such as data volume, sensitivity, risk to Data Principal rights, sovereignty and integrity of India, electoral democracy, security of the State, public order, and other relevant factors.

That means businesses should not claim certainty before notification. But they can still prepare intelligently.

This guide explains what a Significant Data Fiduciary is, which risk signals matter, what additional obligations apply, and how to build a practical readiness plan before a formal notification arrives.

Quick Answer: What Is A Significant Data Fiduciary Under DPDP?

A Significant Data Fiduciary is a Data Fiduciary or class of Data Fiduciaries that the Central Government may notify under Section 10 of the DPDP Act based on factors such as data volume, data sensitivity, risk to individual rights, impact on sovereignty and integrity of India, electoral democracy, security of the State, public order, and other relevant factors. SDFs have additional obligations, including a Data Protection Officer, independent data auditor, DPIA-style assessments, periodic audits, and other prescribed measures.

Until a business is notified, it should avoid calling itself an SDF as a legal conclusion. A better approach is to assess likely exposure and prepare if the risk profile is high.

SDF Status Is A Notification Question, Not A Self-Certification Badge

The DPDP Act does not say every large platform automatically becomes an SDF. It also does not say that only Big Tech can become an SDF.

SDF status depends on government notification. The government may notify an individual Data Fiduciary or a class of Data Fiduciaries. That gives the government flexibility to respond to sectors, platforms, business models, or categories of processing that create elevated risk.

For compliance planning, separate these three ideas:

Question	Practical answer
Are we legally an SDF today?	Only if notified by the Central Government.
Are we likely to face SDF scrutiny?	Possibly, if we process large-scale or sensitive personal data, affect many people, or create public, democratic, security, or rights risks.
Should we prepare before notification?	Yes, if our risk signals are high or if our sector is likely to attract regulatory attention.

This conservative framing protects credibility. It avoids fake thresholds while still giving management a reason to prepare.

Section 10 Criteria: What The Government May Consider

Section 10 allows the Central Government to consider several factors when deciding whether a Data Fiduciary or class of Data Fiduciaries is significant.

Section 10 factor	What it means in practice	Example risk signals
Volume of personal data processed	Scale of people, records, events, or transactions	millions of users, national platform, large employee/customer database
Sensitivity of personal data	Type and potential harm of the data	health, finance, children, biometrics, precise location, identity documents
Risk to Data Principal rights	Chance of harm, denial of rights, unfair outcomes, or lack of control	automated decisions, opaque profiling, hard-to-exercise rights
Sovereignty and integrity of India	National-level or strategic impact	critical infrastructure, national-scale digital systems, sensitive cross-border dependencies
Risk to electoral democracy	Potential effect on democratic processes	political profiling, voter targeting, civic influence systems
Security of the State	National security relevance	sensitive communications, defence, strategic information systems
Public order	Ability to affect public safety or stability	mass messaging, crisis platforms, public-safety systems
Other factors	Government discretion for new risks	emerging AI systems, large data brokers, sectoral risk categories

The business takeaway is not "we need a magic threshold." The takeaway is "we need to know which risk signals we have and how mature our controls are."

Who Should Take SDF Readiness Seriously?

You should run an SDF readiness review if any of these descriptions fit your business:

• you process personal data for a very large user base in India
• you hold sensitive or high-impact data, such as health, financial, biometric, identity, children's, or precise location data
• your product makes decisions that affect access to credit, jobs, insurance, healthcare, education, housing, or essential services
• your platform affects public communication, political content, or large-scale civic participation
• you provide infrastructure used by regulated businesses or government-linked services
• you rely on AI or automated systems for ranking, scoring, eligibility, moderation, or fraud decisions
• your users would suffer material harm if data were breached, misused, or made unavailable
• your operations involve multiple processors, international vendors, data warehouses, and complex data flows

None of these signals proves SDF status. They do show that the organisation should not wait until the last minute.

Additional Obligations For Significant Data Fiduciaries

An SDF has all ordinary Data Fiduciary obligations, plus extra governance duties.

1. Appoint A Data Protection Officer

The DPDP Act requires an SDF to appoint a Data Protection Officer. The DPO should be based in India, represent the SDF under the Act, be responsible to the Board of Directors or similar governing body, and act as a point of contact for grievance redressal.

For readiness, prepare:

• DPO role description
• reporting line to board or senior governing body
• authority to request information from product, legal, engineering, security, support, HR, and vendors
• escalation path for high-risk processing
• public contact details or contact mechanism
• backup coverage when the DPO is unavailable

Do not treat the DPO as a support mailbox. The role needs governance authority.

2. Appoint An Independent Data Auditor

SDFs must appoint an independent data auditor to evaluate compliance with the Act.

For readiness, prepare:

• audit scope
• system inventory
• processing inventory
• consent and notice records
• rights request logs
• breach response records
• processor contracts
• security-control evidence
• prior remediation history

The auditor cannot evaluate what the business cannot produce. If evidence is scattered across spreadsheets, ticket threads, and individual inboxes, audit readiness will be painful.

3. Conduct DPIA-Style Assessments

SDFs should prepare for data protection impact assessments and similar risk assessments. A DPIA should explain how a processing activity affects Data Principal rights and what controls reduce risk.

At minimum, assess:

• processing purpose
• categories of personal data
• categories of Data Principals
• legal basis
• necessity and proportionality
• risk to individuals
• automated decision-making or profiling
• vendor and cross-border dependencies
• retention periods
• safeguards and mitigations
• residual risk and approval

Start with high-risk products first, not every low-risk internal workflow.

4. Run Periodic Audits

SDF readiness is not a one-time exercise. The organisation should be ready for recurring review.

Periodic audits should check whether:

• notices still match actual processing
• consent records are complete
• withdrawal works downstream
• erasure works across systems
• vendors follow instructions
• breach response is tested
• rights requests are resolved on time
• sensitive data is minimised
• access controls remain appropriate
• security evidence is current

5. Prepare Algorithmic And Automated-Decision Evidence

If your business uses automated systems, AI models, scoring, ranking, fraud detection, eligibility rules, moderation, or personalisation, prepare documentation now.

Useful evidence includes:

• system purpose
• inputs and outputs
• personal data used
• model or rule owner
• testing and validation records
• bias or unfair-outcome checks, where relevant
• human review process
• appeal or grievance route
• change history

The DPDP Act uses a risk-based SDF concept. Opaque automated systems that affect people can increase that risk profile.

SDF Readiness Matrix

Area	Low readiness	Better readiness
Data map	No current inventory	System-level map of personal data, purposes, vendors, retention
Governance	Privacy owned ad hoc	Named privacy owner, board escalation, DPO candidate
Rights	Requests handled manually	Tracked workflow with SLA, evidence, vendor action
Consent	Logs in multiple tools	Unified consent record and withdrawal path
Vendors	Contracts inconsistent	Processor contracts with rights, breach, audit, deletion support
Security	Controls undocumented	Evidence-backed safeguards and incident response plan
DPIA	Not performed	High-risk processing assessments with mitigations
Audit	No audit pack	Evidence library for notices, consents, requests, incidents, processors
Algorithms	Little documentation	Purpose, data inputs, testing, review, grievance path

90-Day SDF Readiness Plan

If your business may become an SDF, use the next 90 days to create evidence and governance, not just policy text.

Days 1-15: Identify Risk Signals

• list major processing activities
• identify high-volume systems
• identify sensitive data categories
• identify children's data, financial data, health data, biometrics, location, and identity documents
• list automated decisions and profiling systems
• map critical vendors and processors
• identify public-order, electoral, security, or large-scale societal-risk exposure

Days 16-30: Build The Governance Skeleton

• assign privacy owner
• identify DPO candidate or DPO operating model
• create board or leadership reporting path
• define risk review trigger points
• create incident escalation path
• create rights request owner and vendor escalation owner

Days 31-60: Create Evidence

• complete processing inventory for high-risk systems
• collect notices and consent flows
• document withdrawal flows
• map retention rules
• collect processor contracts
• prepare breach response plan
• create rights request tracker
• start DPIA for highest-risk processing

Days 61-90: Test And Remediate

• run mock access request
• run mock erasure request
• run breach tabletop exercise
• test vendor deletion confirmation
• review one automated decision system
• identify remediation owners
• prepare audit evidence folder
• brief leadership on gaps and timeline

What Not To Say Publicly

Avoid these claims unless verified by official notification or legal advice:

• "We are definitely not an SDF."
• "Only companies above X users are SDFs."
• "Startups cannot be SDFs."
• "SDF rules apply only to social media platforms."
• "We can wait until notification before doing any work."

Better wording:

• "We are assessing SDF exposure based on Section 10 factors."
• "We are preparing governance and audit evidence in case additional obligations apply."
• "We have not been notified as an SDF, but our risk profile justifies readiness work."

FAQ

What is a Significant Data Fiduciary under DPDP?

A Significant Data Fiduciary is a Data Fiduciary or class of Data Fiduciaries notified by the Central Government under Section 10 of the DPDP Act based on factors such as data volume, sensitivity, risk to Data Principal rights, impact on sovereignty and integrity, electoral democracy, security of the State, public order, and other relevant factors.

Is there an official user threshold for SDF status?

The DPDP Act does not provide a simple universal threshold such as a fixed number of users. SDF status depends on government notification and the factors listed in Section 10. Businesses should treat thresholds in unofficial commentary as assumptions, not law.

What extra obligations do SDFs have?

SDFs must appoint a Data Protection Officer, appoint an independent data auditor, conduct DPIA-style assessments, undergo periodic audits, and comply with other prescribed measures.

Can a startup become an SDF?

Possibly, if it is notified or falls within a notified class. Size alone is not the only factor. A smaller organisation processing highly sensitive data or creating high rights risk may need serious readiness work.

Should businesses prepare before being notified?

Yes, if their risk signals are high. Waiting for notification can leave too little time to appoint governance roles, map data, run DPIAs, update vendor contracts, and create audit evidence.

Bottom Line

SDF readiness is not about guessing whether your company will be named. It is about asking whether your data processing creates enough scale, sensitivity, or public-risk exposure that extra governance would be expected.

If the answer is yes, start building the evidence now. Data maps, DPO governance, audit records, DPIAs, vendor controls, and rights workflows are useful even if SDF notification never arrives. If notification does arrive, they become essential.