Are You a Significant Data Fiduciary? What the DPDP Act Requires
The Central Government can designate certain businesses as Significant Data Fiduciaries, triggering additional obligations including DPO appointment, impact assessments, and independent audits.
A Higher Standard for Higher-Risk Processors
The DPDP Act 2023 creates a two-tier compliance framework. Every organisation that processes personal data must meet the baseline Data Fiduciary obligations. But certain organisations may be designated as Significant Data Fiduciaries (SDFs) by the Central Government, triggering an additional set of mandatory requirements.
The SDF designation is the Act’s mechanism for imposing proportionate obligations. Businesses that process large volumes of sensitive data face higher compliance standards than those handling minimal data.
How Designation Works
The Central Government designates SDFs through notification, considering factors including:
- Volume of personal data processed: Organisations processing data of millions of individuals are more likely to be designated
- Sensitivity of data: Processing health data, financial data, or biometric data increases the likelihood of designation
- Risk to Data Principals: Processing activities that could cause significant harm if breached or misused
- Impact on sovereignty and security: Processing that could affect national security or public order
- Risk to electoral democracy: Processing that could influence or undermine democratic processes
The designation is not voluntary. Once notified, the organisation must comply with all SDF obligations within the prescribed timeframe.
Who Is Likely to Be Designated
While specific designations have not yet been issued, the following categories of businesses should prepare for potential SDF status:
- Large technology platforms: Social media, e-commerce, and digital services with millions of Indian users
- Financial institutions: Banks, insurance companies, and NBFCs processing extensive financial and identity data
- Telecom operators: Companies holding subscriber data, call records, and location information
- Healthcare platforms: Entities processing health records, diagnostic data, and prescription information
- Government contractors: Organisations processing personal data on behalf of government bodies
The Three Additional Obligations
SDFs must meet all seven standard Data Fiduciary obligations plus three additional requirements:
1. Data Protection Officer (DPO)
Every SDF must appoint a Data Protection Officer who:
- Is based in India: The DPO must be physically located in India, not operating remotely from another jurisdiction
- Acts as the Board’s point of contact: The DPO serves as the primary interface between the organisation and the Data Protection Board of India
- Represents the organisation: The DPO must be empowered to make decisions and commitments on behalf of the organisation regarding data protection matters
The DPO role under the DPDP Act differs from the GDPR model. The GDPR emphasises DPO independence from management. The DPDP Act positions the DPO as a representative who acts on behalf of the organisation in its dealings with the Board.
Practically, the DPO should have:
- Direct reporting access to senior management or the board of directors
- Sufficient resources and authority to fulfil the role
- Knowledge of both the Act’s requirements and the organisation’s data processing activities
- Authority to halt processing activities that violate the Act
2. Data Protection Impact Assessment (DPIA)
SDFs must conduct periodic Data Protection Impact Assessments covering:
- Description of processing activities: What data is collected, from whom, for what purpose, and how it flows through the organisation
- Assessment of necessity: Whether each processing activity is necessary and proportionate to its stated purpose
- Risk identification: What risks the processing poses to Data Principals’ rights
- Mitigation measures: What controls are in place to address identified risks
- Residual risk evaluation: Whether remaining risks are acceptable after mitigation
The DPIA is not a one-time exercise. It must be conducted periodically and updated when processing activities change significantly. New products, new data sources, and new processing purposes all trigger DPIA requirements.
3. Independent Audit
SDFs must undergo periodic audits conducted by an independent Data Auditor. The auditor:
- Must be independent of the organisation being audited
- Must assess compliance with the Act’s provisions and the Board’s directions
- Must submit audit reports to the Data Protection Board
The Board will prescribe the qualifications for Data Auditors and the frequency and scope of audits. Organisations should expect annual audits at minimum, with additional audits triggered by significant changes in processing activities or in response to complaints.
Preparing for Potential Designation
Organisations that expect to be designated as SDFs should begin preparation now, even before formal designation:
- Identify a DPO candidate: Determine who will serve as DPO. If no internal candidate has the required expertise, begin recruiting or developing the capability.
- Conduct a baseline DPIA: Perform an initial Data Protection Impact Assessment covering all current processing activities. This establishes a baseline and identifies immediate risks.
- Build an audit trail: Ensure all data processing activities are documented with sufficient detail to support an independent audit. This includes consent records, data flow maps, security controls documentation, and incident response records.
- Establish governance structures: Create internal governance frameworks for data protection, including clear roles, escalation procedures, and decision-making authority.
- Budget for compliance: DPO compensation, DPIA exercises, and independent audits represent ongoing costs. Factor these into operational budgets.
The Timeline
SDF designations are expected to begin as the enforcement date approaches in November 2026. The Central Government may issue designations in phases, starting with the largest and most data-intensive organisations.
Organisations that wait for formal designation before beginning preparation will face a compressed compliance timeline. Those that prepare in advance will transition more efficiently.
Penalties for SDF Non-Compliance
SDFs that fail to meet their additional obligations face the same penalty framework as other Data Fiduciaries, with the added scrutiny that comes with their designation. The Data Protection Board is likely to hold SDFs to a higher standard of accountability.
Failure to appoint a DPO, conduct DPIAs, or submit to independent audits would constitute a violation of the Act’s provisions, carrying penalties of up to ₹250 crore per violation.
Assess Your Position
Whether or not you expect SDF designation, understanding your compliance position is the first step. The free DPDP Gap Assessment evaluates your organisation across all five compliance areas and identifies gaps in your current data protection practices.