Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)

The Digital Personal Data Protection (DPDP) Act, 2023, is India’s first comprehensive law on personal data protection. It lays down rules for how personal data should be collected, stored, processed, and safeguarded, in recognition of individuals’ rights over their data. Within this structure, it creates a special category of entities called Significant Data Fiduciaries (SDFs). These are organisations that handle large volumes of personal data or process data that could pose higher risks to individuals’ rights. Rule 13 of the DPDP Rules, 2025 specifically addresses the obligations of SDFs, further emphasising their accountability and the need for stricter compliance measures.
Who Are Significant Data Fiduciaries?
Being recognised as an SDF means that the entity handles large volumes of sensitive personal data or poses significant risks to individuals’ rights and national interests. It then becomes subject to stricter compliance obligations, such as appointing a Data Protection Officer and conducting regular audits and impact assessments. It must also ensure transparency towards data principals and adhere to data localisation norms. The law, however, provides no explicit safe harbour from liability for non-compliance or data breaches. Section 10 of the DPDP Act empowers the Central Government to designate an entity as an SDF on the basis of the following factors:
The volume and sensitivity of personal data processed.
The risk to the rights of Data Principals (people whose data is being processed).
Impact on sovereignty, public order, or national security.
Threats to electoral democracy.
This is important because these organisations carry a crucial responsibility to protect sensitive information; hence, the DPDP Act and the DPDP Rules, 2025 impose stringent duties on them to be transparent, accountable, and compliant.
Obligations of Significant Data Fiduciaries Under Rule 13
Annual DPIA and Audits: Every SDF must conduct a Data Protection Impact Assessment (DPIA) and an audit once every twelve months from the date it is designated as an SDF. The DPIA reviews how personal data is processed and identifies privacy risks, while the audit checks whether the organisation is complying with the DPDP Act and its rules. These assessments help uncover weaknesses early; for example, an e-commerce SDF can evaluate whether its customer data practices truly meet security and compliance expectations.
Submission of Findings to the Data Protection Board: The individual or firm conducting the DPIA and audit must submit a report with key observations to the Data Protection Board. This ensures the Board has visibility into the SDF’s data handling practices and any significant risks that need attention.
Due Diligence on Technical Measures and Algorithms: An SDF must verify that the technical tools and algorithmic systems it uses for hosting, sharing, modifying, storing, or transmitting personal data do not endanger the rights of Data Principals. This includes ensuring that algorithms do not cause unfair outcomes or misuse personal information, such as a recommendation engine on a social media app unintentionally discriminating against certain users.
Data Localisation for Specified Personal Data: SDFs must also ensure that any category of personal data identified by the Central Government based on recommendations of a dedicated committee is processed with strict restrictions on cross-border movement. Such data, along with related traffic data, must not be transferred outside India unless explicitly permitted. This requirement strengthens protection for sensitive personal data by keeping it within Indian jurisdiction.
Apart from these, some additional obligations have been mentioned under Section 10 of the DPDP Act, 2023, including:
Data Protection Officer: Every SDF shall designate a Data Protection Officer (DPO) who shall have specific duties. The DPO shall play an important role in ensuring compliance and dealing with data protection issues.
The DPO shall represent the SDF under the DPDP Act.
They shall be located in India so that they are accessible and aligned with local legal requirements.
The DPO shall be answerable to the Board of Directors or equivalent governing body of the organisation.
The DPO shall be the central contact for resolving complaints or grievances received by data principals.
An eligible DPO helps an SDF have its data protection measures strengthened and implemented efficiently.
Appointment of an Independent Data Auditor: SDFs should appoint an independent data auditor to carry out periodic data audits. The auditor determines whether the SDF is adhering to the provisions of the DPDP Act. These audits offer an outside perspective on the organisation’s privacy practices, identifying weaknesses and helping to remedy them. SDFs are also expected to conduct regular DPIAs.
Best Practices for Compliance
Appoint a DPO: Significant Data Fiduciaries must appoint a Data Protection Officer to oversee how personal data is treated. This DPO should be someone who understands privacy laws, has experience managing data-related risks, and resides in India so that the organisation can address local legal matters and remain accessible to the authorities concerned. The DPO should also report directly to the top management of the organisation, such as the Board of Directors.
Identify and Designate an Independent Data Auditor: SDFs need to engage an independent data auditor to review their compliance with the data protection law. An organisation should have a clear record of all its processing activities. All recommendations of the auditor following the audit must be implemented promptly to resolve identified problems, and regular follow-ups should be made.
Conduct annual DPIAs: DPIAs are used to identify and mitigate risks that may occur when personal data is processed. To do this, SDFs should create a simple and clear process for reviewing their data practices, especially when introducing new systems or technologies. DPIAs should also be updated regularly to reflect any changes in data-handling practices.
Examine Algorithms for Fairness: SDFs must also ensure that the algorithms they use to handle data, such as those for storage, sharing, or processing, do not violate users’ rights. Organisations should also regularly review these algorithms to correct problems that may emerge later. Records of such checks demonstrate that the organisation is serious about protecting users’ data.
Track Data Lifecycle: SDFs must ensure that specific types of personal data (as notified by the Central Government) are stored within India to comply with data localisation requirements. This can be achieved by maintaining data in secure facilities located in the country or through collaboration with Indian cloud service providers.
Prepare Documentation for DPB: SDFs are expected to submit periodic reports to the Data Protection Board through their DPIAs and audits. This would require an organisation to assign a team to prepare and review the report. The use of automated data tracking will also make the process faster and more accurate.
Establish Grievance Redressal Mechanisms: Lastly, SDFs should establish an effective grievance redressal system that helps in dealing with user complaints on data privacy. This includes an easy complaint-filing and tracking process on a platform set up by the organisation. A Grievance Redressal Committee comprising a DPO as coordinator should be established to resolve complaints in a just and consistent manner.
These practices help SDFs to not only meet their statutory obligations but also build trust with their users.
Conclusion
The DPDP Act, 2023, and its Rules, 2025, focus on the protection of personal data in today’s digital world. SDFs, because of their size and impact, play an important role in promoting responsible data handling. Compliance can be achieved by building privacy into systems, conducting regular audits, and being clear about how personal data is being used. Quick response to complaints and open communication with users builds trust.
This can help the SDFs meet their legal obligations and win the confidence of the users. The confidence, therefore, would distinguish them in a world where data is very important. In the course of ever-changing rules and regulations, SDFs should take the lead and prove their commitment towards responsibly dealing with personal data.