What does ‘Significant Data Fiduciary’ mean under the DPDP Act?
The Digital Personal Data Protection (DPDP) Act, 2023 introduces multiple layers of responsibility for entities that handle digital personal data in India. One of the most important distinctions it makes is between a Data Fiduciary and a Significant Data Fiduciary.
At its core, a Data Fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. This includes businesses, apps, platforms, and even government departments when they handle data relating to individuals.
However, the DPDP Act recognizes that not all data fiduciaries carry equal risk. A local e-commerce store handling hundreds of user profiles is not the same as a major fintech firm processing sensitive financial data of millions. This is where the concept of Significant Data Fiduciary (SDF) comes in.
Under Section 10 of the DPDP Act, the term Significant Data Fiduciary refers to a subset of data fiduciaries who, due to the scale or sensitivity of the data they handle, or the nature of their operations, are subject to enhanced obligations. But crucially, this label isn’t self-assigned. It must be notified by the Central Government after assessing specific risk factors.
This classification reflects a risk-based approach to data governance, ensuring that larger or more impactful entities are held to higher compliance standards.
Up next, we’ll explore the exact factors the government considers when deciding whether an organization qualifies as a Significant Data Fiduciary.
How does the government decide who is a Significant Data Fiduciary?
Being labeled a Significant Data Fiduciary (SDF) under the DPDP Act is not arbitrary. The Central Government makes this designation based on a clear set of criteria outlined in Section 10(1) of the Act.
Here’s a breakdown of the factors used to assess whether a Data Fiduciary should be classified as “significant”:
- Volume of Personal Data Processed
Organizations handling very large amounts of personal data—such as major e-commerce, fintech, or social media platforms—are more likely to be classified as SDFs due to the scale of impact a potential breach or misuse could have.
- Sensitivity of the Data
If the data involves financial information, health records, biometric identifiers, or any other type of sensitive personal data, the organization faces greater scrutiny.
- Risk to the Rights of Data Principals
This includes the risk of data misuse, unauthorized profiling, or discriminatory outcomes based on data analytics.
- Potential Impact on Sovereignty and Integrity of India
For example, a platform facilitating large-scale political conversations or citizen service delivery could fall under this lens.
- Risk to Electoral Democracy or Public Order
Entities that may influence public opinion, elections, or have the ability to affect law and order—such as news aggregators or political tech platforms—are also candidates.
- Security of the State
Companies whose data practices may intersect with national security concerns may be classified accordingly.
It’s important to note that these criteria are not cumulative. The government may designate a Data Fiduciary as significant even if only one of these factors applies, depending on the perceived level of risk.
This risk-based classification allows for tiered regulation—placing heavier compliance expectations only on those who pose more significant threats or influence.
In the next section, we’ll unpack what this classification actually means in practice: What additional obligations come into play once an organization is labeled a Significant Data Fiduciary?
What extra obligations apply to a Significant Data Fiduciary?
Once an organization is designated as a Significant Data Fiduciary (SDF) under the DPDP Act, it must comply with a stricter set of requirements beyond what regular Data Fiduciaries are expected to follow. These are laid out in Section 10(2) of the Act and are designed to ensure greater transparency, accountability, and risk management for entities handling high-stakes personal data.
Here are the key obligations an SDF must fulfill:
1. Appoint a Data Protection Officer (DPO)
- The DPO must be based in India.
- They must report directly to the Board of Directors (or an equivalent governing body).
- This person becomes the main point of contact for grievance redressal under the Act.
- The DPO represents the SDF before the Data Protection Board of India.
2. Conduct Independent Data Audits
- The SDF is required to engage an independent data auditor.
- The purpose is to assess and certify whether the organization is complying with the obligations set out in the DPDP Act.
- This must be done periodically, although the frequency may be prescribed further in upcoming rules.
3. Carry Out Data Protection Impact Assessments (DPIAs)
- This is a formal risk evaluation process.
- A DPIA must assess the purpose of data processing, the rights of Data Principals, and how the organization manages risk.
- It acts as a proactive measure to ensure that data processing does not lead to unintended harm or misuse.
4. Perform Regular Audits and Implement Additional Measures
- SDFs must conduct periodic internal audits.
- They must also undertake any other prescribed compliance measures as laid out by future regulations.
These obligations reflect the principle of “accountability through design”, shifting the burden onto large or high-risk processors to prove that they are not just compliant on paper, but in practice.
In the next section, we’ll look at the timeline—when these obligations will actually begin applying to organizations based on the latest government notification.
When will Significant Data Fiduciary rules start applying?
Understanding when compliance obligations begin is just as important as knowing what those obligations are. The DPDP Act is being rolled out in a phased manner, and the rules governing Significant Data Fiduciaries (SDFs) come with their own implementation timeline.
According to the official government notification published in the Gazette on 13 November 2025, the provisions under Section 10—which define and regulate Significant Data Fiduciaries—will come into force 18 months from the date of publication.
That means:
SDF obligations will become enforceable from May 13, 2027.
Until then, organizations are expected to begin internal readiness activities, such as identifying if they might qualify as an SDF based on the criteria discussed earlier, budgeting for compliance tools, and preparing governance structures.
Why does this gap exist?
The law allows this ramp-up period so that organizations—especially those processing large or sensitive volumes of data—can adapt operationally and technologically to the additional compliance load.
However, keep in mind:
- The designation as an SDF will happen via official notification by the Central Government, which can be issued at any time before the enforcement date.
- Once designated, organizations cannot delay action until May 2027. They must begin preparations immediately upon notification.
In the next section, we’ll answer a practical question: How will organizations know if they’ve been classified as Significant Data Fiduciaries?
How can an organization find out if it has been classified as a Significant Data Fiduciary?
Unlike general compliance rules that apply across the board, the classification of a Significant Data Fiduciary (SDF) is not automatic. It is a formal designation made by the Central Government through a notification in the Official Gazette, based on the assessment criteria outlined in Section 10(1) of the DPDP Act.
This means:
- Your organization will not need to self-identify as an SDF.
- You will only be obligated to follow SDF-specific rules once you receive an official notification or are listed in a public notification by the government.
What should organizations watch for?
- Gazette Notifications:
The official list of SDFs will be published in the Gazette of India. These notices are legally binding and will include either individual organizations or entire classes of Data Fiduciaries.
- Direct Communication (Possible):
In addition to gazette publication, affected entities may be informed via direct communication, especially if additional compliance assistance is being offered.
- Sectoral Monitoring:
Entities in sectors known to handle large volumes or sensitive categories of data—like banking, healthcare, social media, or government services—should be especially alert. These are often first in line for SDF classification.
- Policy Watch:
Keep an eye on industry associations, legal bulletins, or regulatory updates that might hint at upcoming classifications or shifts in compliance scope.
In short, classification is not speculative. If you are designated as a Significant Data Fiduciary, you will know—officially.
In the following section, we’ll explore why this classification matters and what’s at stake for organizations that fall under it.
Why does this classification matter for your organization’s compliance roadmap?
Being designated as a Significant Data Fiduciary (SDF) is more than just a legal label—it signals that your organization plays a critical role in India’s digital data ecosystem. And with that recognition comes both greater responsibility and higher scrutiny.
Here’s why this classification should be central to your compliance strategy:
1. Higher Penalties for Non-Compliance
The DPDP Act outlines a tiered penalty structure, with stricter enforcement and steeper fines for organizations that fail to meet SDF-specific obligations such as conducting audits or appointing a Data Protection Officer. Penalties may extend up to ₹250 crore per instance, depending on the nature and impact of the breach.
2. Public Accountability
Once notified as an SDF, your data governance practices are no longer just internal policies—they become a matter of regulatory and public interest. Any slip-ups in consent handling, data breaches, or failure to respond to grievances could trigger regulatory action from the Data Protection Board of India, which is now fully operational.
3. Operational Complexity
From appointing a Data Protection Officer who reports to your Board, to implementing independent audits and impact assessments, SDF compliance involves cross-functional coordination. Legal, IT, compliance, and leadership teams must align early to build efficient processes that can stand up to regulatory review.
4. Reputational Risk
Beyond financial penalties, failing to meet SDF obligations can erode trust among users, partners, and investors. In a privacy-conscious market, transparent and robust data practices become a competitive differentiator.
5. Readiness Is a Journey, Not a Switch
With the enforcement date set for May 13, 2027, organizations have a clear runway to assess their risk exposure, upgrade systems, and educate internal teams. But readiness requires long lead times—especially for tech integration, audit mechanisms, and DPO onboarding.
The next and final section will introduce how Certinal can help organizations navigate this high-stakes compliance landscape with confidence.
How Certinal helps organizations meet SDF obligations
For organizations navigating the complexities of the DPDP Act—especially those classified as Significant Data Fiduciaries—Certinal offers the tools to stay compliant without slowing down operations.
Certinal’s consent management platform is built to align with the strictest requirements of the Act. Features include:
- Centralized Data Processing Dashboards for audit readiness
- Automated Data Protection Impact Assessment (DPIA) workflows
- Support for appointing and integrating DPO functions
- Grievance redressal tracking in line with Board mandates
- Built-in breach notification mechanisms and retention logic
Whether you’re preparing for a potential SDF designation or have already been notified, Certinal equips you to meet both the letter and the spirit of the DPDP Act.
Book a demo to explore how Certinal e-Consent.DPDP can support your compliance journey.
Frequently Asked Questions (FAQs)
1. Who is considered a Significant Data Fiduciary under the DPDP Act?
A Significant Data Fiduciary is a data fiduciary officially notified by the Central Government based on the volume, sensitivity, and risk profile of personal data it processes. The designation is made under Section 10 of the DPDP Act, 2023.
2. How is a Significant Data Fiduciary different from a Data Fiduciary?
All entities processing personal data are Data Fiduciaries, but only high-risk or large-scale processors are classified as Significant Data Fiduciaries. SDFs are subject to enhanced compliance obligations like audits, DPIAs, and DPO appointment.
3. What factors are used to classify an organization as a Significant Data Fiduciary?
The government considers factors such as data volume, data sensitivity, risk to individuals’ rights, impact on sovereignty, public order, electoral democracy, and national security. Even one factor can be sufficient for designation.
4. What additional obligations apply to Significant Data Fiduciaries?
SDFs must appoint an India-based Data Protection Officer, conduct independent data audits, perform Data Protection Impact Assessments, and implement ongoing compliance measures as prescribed under the DPDP Act.
5. When do Significant Data Fiduciary obligations come into force?
SDF obligations become enforceable from May 13, 2027, which is 18 months after the official notification dated November 13, 2025. However, organizations must start preparations immediately upon being notified as an SDF.