Significant Data Fiduciaries: Designation and Extra Obligations
A Significant Data Fiduciary (SDF) is a Data Fiduciary or class of Data Fiduciaries that the Central Government notifies under Section 10 of the DPDP Act, based on factors like data volume, sensitivity, and risk. SDFs must appoint a Data Protection Officer in India, conduct annual audits, and complete Data Protection Impact Assessments.
What Is a Significant Data Fiduciary?
Section 10 of the DPDP Act 2023; Rule 13 of the DPDP Rules 2025
The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries based on risk factors. SDFs face heightened obligations — including a resident DPO, annual audits and impact assessments, algorithmic risk verification, and potential data localisation requirements.
Not all Data Fiduciaries are treated equally under the Act. Section 10 empowers the Central Government to designate certain organisations as Significant Data Fiduciaries (SDFs). This designation is based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order.
Once designated as an SDF, three additional obligations apply. First, the SDF must appoint a Data Protection Officer (DPO). This is not a nominal role — the DPO must be based in India, must represent the SDF in dealings with the Board and Data Principals, must be answerable to the Board of Directors, and must serve as the point of contact for grievance redressal.
Second, the SDF must appoint an independent data auditor to conduct compliance evaluations. This auditor must be external and independent — the SDF cannot audit itself.
Third, the SDF must undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits. These are recurring obligations, not one-time exercises.
Rule 13 adds further detail and additional requirements. DPIAs and audits must be conducted at least once every twelve months — making them annual obligations. Any significant observations from these assessments must be reported to the Data Protection Board.
Rule 13 also introduces an algorithmic accountability requirement: SDFs must verify that any algorithmic software they use does not pose a risk to the rights of Data Principals. This covers automated decision-making systems, recommendation engines, and similar technologies.
Finally, Rule 13 addresses data localisation. The Central Government, on the recommendation of a committee, may restrict certain categories of personal data from leaving India. When such a restriction is in place, the affected SDF must ensure that the specified personal data is stored and processed within India's borders.
Key Points
- The Central Government designates SDFs based on data volume, sensitivity, risk to rights, and national security considerations.
- SDFs must appoint a Data Protection Officer — based in India, answerable to the Board of Directors, and serving as the grievance contact point.
- SDFs must appoint an independent external data auditor.
- Data Protection Impact Assessments and audits must be conducted annually (every 12 months).
- Significant findings from DPIAs and audits must be reported to the Board.
- Algorithmic software must be verified to not pose risks to Data Principal rights.
- The Central Government may restrict certain personal data from being transferred outside India (data localisation).
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.