
Significant Data Fiduciary Under DPDP Act: Are You One?

Learn what makes a company a Significant Data Fiduciary under the DPDP Act, the additional obligations triggered, and how to prepare before classification.

Key Takeaways
  • Significant Data Fiduciaries (SDFs) are classified by the Central Government based on volume, sensitivity, national security risk, and societal impact.
  • SDFs must appoint a Data Protection Officer based in India and conduct periodic Data Protection Impact Assessments.
  • SDFs must engage an independent auditor to conduct annual data audits.
  • Cross-border transfer restrictions are more stringent for SDF-classified entities.
  • Being classified as an SDF before you are operationally ready can trigger immediate enforcement risk — prepare in advance.

What Is a Significant Data Fiduciary?

The DPDP Act creates a two-tier system. All Data Fiduciaries must comply with baseline obligations (consent, notice, security, rights fulfilment). But a subset — Significant Data Fiduciaries (SDFs) — face a heightened regime with additional structural and governance requirements. Section 10 of the Act establishes this category.

Classification as an SDF is not automatic. The Central Government must notify specific entities or classes of entities as SDFs. This happens after considering the factors listed in Section 10(1). Once classified, a company has a defined period (to be specified in the notification) to become compliant with SDF-specific obligations.

As of April 2026, no entities have been formally classified as SDFs — classification will follow Rules finalisation. However, large Indian tech companies, major e-commerce platforms, telecom operators, health platforms, and financial services entities are widely expected to be among the first cohort.

Classification Criteria Under Section 10

Section 10(1) lists the factors the Central Government considers when classifying an SDF: (a) the volume of personal data processed; (b) the sensitivity of the personal data processed; (c) the risk to the rights of Data Principals; (d) potential impact on the sovereignty and integrity of India; (e) risk to electoral democracy; (f) security of the State; (g) public order; and (h) any other relevant factor.

Volume and sensitivity are the most business-relevant factors. A platform processing health data for millions of users, a financial services app with payment histories for tens of millions of customers, or a social media platform operating at scale would score high on multiple criteria simultaneously.

The threshold for "high volume" is not yet defined in the Act or draft Rules. Industry bodies have lobbied for specific numeric thresholds (e.g., processing personal data of more than 10 lakh — 1 million — individuals). Watch the Rules notification closely; this number will determine which mid-size companies are caught.

Additional Obligations for SDFs

Section 10(2) imposes four obligations on SDFs beyond the baseline: (a) appoint a Data Protection Officer; (b) appoint an independent data auditor; (c) undertake such other measures — including Data Protection Impact Assessments — as may be prescribed; and (d) comply with any other obligation prescribed by the Rules.

The phrase "as may be prescribed" gives the Central Government and MeitY significant flexibility to add SDF obligations through Rules without amending the Act. This means the SDF compliance surface can expand over time. SDFs should build a compliance programme that can absorb new requirements, not just a point-in-time checklist.

Cross-border data transfer permissions may also be more restricted for SDFs. The Central Government can prohibit or restrict transfer of SDF data to specific countries or territories. This creates a data localisation risk that SDFs should factor into their cloud architecture decisions.

Data Protection Officer Requirement

SDFs must appoint a Data Protection Officer (DPO) who is based in India. The DPO's contact details must be published in the privacy notice and provided to the Data Protection Board. Unlike GDPR's DPO, the DPDP Act DPO is not required to have a specific professional qualification — the Rules may specify this.

The DPO represents the SDF before the Data Protection Board, handles Data Principal grievances at the escalation level, and oversees the internal compliance programme. In practice, the DPO should have authority over the data protection programme, access to senior management, and a direct reporting line to the Board or equivalent governance body.

Non-SDFs do not have a statutory obligation to appoint a DPO. However, best practice — especially for companies that expect to be classified as SDFs, or that handle significant volumes of sensitive data — is to appoint a data protection lead or privacy officer now.

Data Protection Impact Assessments

SDFs must conduct Data Protection Impact Assessments (DPIAs) as prescribed by the Rules. The draft Rules indicate that DPIAs will be required for new processing activities that pose high risk — such as large-scale profiling, automated decision-making affecting legal or significant interests, or processing new categories of sensitive data.

A DPIA is a structured risk assessment: identify the nature of the processing, assess necessity and proportionality, identify risks to individuals, and determine mitigating measures. The output is a documented record that demonstrates the SDF considered and managed privacy risks before launching a new product or feature.

Even non-SDF companies benefit from running informal DPIAs when launching new data-intensive features. Building this discipline early makes it operationally easier to meet the formal SDF requirement and reduces the likelihood of a privacy incident that could itself trigger SDF classification.

Annual Data Audit Requirement

SDFs must have their personal data processing practices audited annually by an independent data auditor. The auditor will assess compliance with the Act and Rules against standards that may be specified by the Data Protection Board. This is analogous to the SOC 2 audit model: an independent third party validates your controls and practices.

The audit report may be submitted to the Data Protection Board on request or as part of a periodic reporting obligation (the Rules will clarify). SDFs that fail to undergo or adequately address audit findings face regulatory risk. The audit also creates a documentation artefact that the Board can use in any enforcement investigation.

Preparing for a data audit requires the same infrastructure as any compliance audit: a control framework, documented policies and procedures, evidence of implementation (logs, training records, vendor contracts), and a gap remediation process. AuditPath is built to support exactly this evidence management and audit readiness workflow.

How to Prepare Before You Are Classified

If your company processes significant volumes of personal data — even if you are not yet classified as an SDF — prepare as if you will be. Build a data inventory, implement a consent management platform, document your processing activities, and establish a grievance redressal process. These baseline steps are required for all Data Fiduciaries anyway.

For the SDF-specific layer, start identifying a candidate DPO (internal or external), map your high-risk processing activities where DPIAs would be required, and evaluate your audit readiness. If you use cloud infrastructure with cross-border data flows, assess which countries your data transits and whether those routes could be restricted for SDFs.

The window between classification notification and the compliance deadline will be short — potentially 6 to 12 months. Companies that treat SDF readiness as a future problem will find themselves unable to implement structural changes (DPO appointment, DPIA processes, audit infrastructure) in time.

Frequently Asked Questions

If I am not yet classified as an SDF, do any SDF obligations apply to me?
No. SDF obligations are triggered only upon Central Government notification classifying you as an SDF. However, baseline Data Fiduciary obligations (consent, notice, security, rights) apply to all Data Fiduciaries regardless of SDF status.

Can a company be declassified as an SDF once classified?
The Act does not explicitly provide for declassification, but the Central Government has broad powers to modify notifications. In practice, if your data volumes or risk profile reduce significantly, you could petition for removal. This has not been tested as no classifications have occurred yet.

How is the DPDP Act's SDF concept different from GDPR's high-risk processing?
GDPR does not have an SDF equivalent. Under GDPR, all controllers must conduct DPIAs for high-risk processing — it is activity-based, not entity-based. The DPDP Act's SDF classification is entity-based: once you are an SDF, all your processing is subject to heightened governance. This is a significant structural difference.

Does the SDF category include government entities?
It can. The Central Government can classify any Data Fiduciary — including government bodies — as an SDF. However, government entities may benefit from the national security exemptions under Section 17(2)(a), which could partially override SDF obligations in sensitive contexts.

What happens if an SDF fails to appoint a DPO within the required timeframe?
Failure to comply with SDF obligations is subject to penalties under the Act's Schedule. The Data Protection Board can investigate and impose financial penalties. The Board can also issue directions requiring compliance within a specified timeline.
