Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
DPDP Act

Introduction
The implementation of the Digital Personal Data Protection Act (DPDPA) has brought a plethora of crucial developments to India’s privacy law, one of the most notable being the introduction of the concept of Significant Data Fiduciary classification. A Significant Data Fiduciary is a designation given to an organisation or a company based on certain pertinent factors, including but not limited to the kind of data being processed, the volume of the data, and the purpose for which it is being processed. For instance, if an organisation deals with extremely sensitive data and if the operations carried out by it have the potential to cause an impact on the user's privacy or data security, that organisation may be classified as a Significant Data Fiduciary under the Act. Therefore, in addition to the main obligations that all data fiduciaries are supposed to follow under the Act, organisations classified as SDFs would have to meet additional compliance requirements.
What Section 10 stipulates
Section 10 of the DPDP Act gives the Central Government the power to notify any Data Fiduciary as a Significant Data Fiduciary. It stipulates some extra obligations to be adhered to by such SDFs, making the compliance process stricter. Now, under GDPR, organisations are not specifically designated as “Significant Data Fiduciaries.” India is one of the jurisdictions to use a formal government designation mechanism for high-risk data controllers/fiduciaries in this manner.
Under the DPDP Act and its rules, the Central Government is responsible for identifying and designating organisations as Significant Data Fiduciaries (SDFs) under Section 10 of the Act. However, the lack of clarity regarding the criteria, process for selection, and timelines for making such determinations has led to uncertainty among businesses and industry stakeholders. Therefore, it is important for organisations to actively assess whether they might fall under the SDF criteria based on the relevant factors stipulated under Section 10 of the Act.
Classification criteria to be an SDF:
While the threshold to be an SDF is not exhaustive yet, there are some factors that the Government may consider while designating organisations into this category. Therefore, organisations can conduct an internal assessment based on these broad factors to be ready for a potential designation, as and when the Central Government notifies them. These factors are broadly laid down under Section 10(1) of the DPDP Act. They are:
Volume of Personal Data Processed: The amount of personal data processing undertaken by an organisation/Data Fiduciary may be taken into account when deciding whether it should be designated as a Significant Data Fiduciary. While this “significant volume” has not yet been defined conclusively, international thresholds indicate that those processing the personal data of 50 lakh or more individuals, having an annual turnover of ₹250 crore or above, or operating across multiple sectors and handling diverse categories of personal data could be classified as SDFs. Some of the factors that could be considered are the size of the user base and customer database, the volume of transactions being processed, the revenue scale of an organisation, etc.
Sensitivity of Personal Data: Organisations handling sensitive categories of personal data, such as health, financial, or biometric information, may attract additional regulatory inspection due to the potential impact of a data breach or misuse. Section 8 of the DPDP Act lays down what constitutes sensitive personal data. Therefore, if any organization processes sensitive data coupled with additional personal data, it may have the potential to be classified as an SDF.
Risk to the Rights of Data Principals: The government may assess whether an organisation's data processing activities pose a significant risk to the rights and interests of individuals whose data is being processed to protect the pursuits of society as a whole. This may include decisions relating to loan approvals, insurance premiums, hiring and promotion, university admissions, healthcare treatment, eligibility for government benefits, law enforcement actions, or content moderation on online platforms.
Impact on Sovereignty and Integrity of India: Data processing activities that could affect India's sovereignty and integrity may be taken into account when evaluating an entity's designation as an SDF.
Risk to Electoral Democracy: Organisations whose data processing activities have the potential to influence electoral processes or democratic institutions may be subject to enhanced oversight.
Security of the State: The possible implications of an organisation's data processing practices on national security may be a relevant consideration.
Public Order Considerations: Data processing activities that could affect public order or social stability may also be considered in determining SDF status.
Organisations that have the potential to be classified as SDFs:
Although the Central Government has not yet notified any Significant Data Fiduciaries (SDFs) under the DPDP Act, organisations that process large volumes of personal data, handle sensitive information, or have a significant impact on individuals and society are likely to be the ones that attract designation by the Central Government. These may include major social media platforms, search engines, e-commerce marketplaces, digital payment service providers, banks, insurance companies, healthcare providers, health-tech platforms, telecommunications companies, credit bureaus, and other digital businesses that engage in large-scale data processing.
Organisations that rely heavily on profiling, behavioural tracking, or algorithmic decision-making may also be subjected to greater regulatory scrutiny due to the potential risks posed to the rights of Data Principals and national security. While the exact criteria for designation will depend on the Central Government's assessment under Section 10 of the Act, the broad factors enshrined in Section 10 suggest that entities with a substantial data footprint and heightened risk profile are the most likely to be classified as SDFs.
Enhanced Compliance measures that have to be undertaken once qualified as an SDF:
As per Section 10(2), an SDF must comply with the following:
Appoint a Data Protection Officer (DPO) who is based in India, represents the Significant Data Fiduciary under the DPDP Act, is accountable to the Board of Directors or a similar governing body, and serves as the point of contact for grievance redressal.
Appoint an independent Data Auditor to conduct data audits and evaluate the Significant Data Fiduciary's compliance with the provisions of the DPDP Act.
Undertake periodic Data Protection Impact Assessments (DPIAs), which involve describing the purpose of processing personal data, identifying the rights of Data Principals that may be affected, and assessing and managing risks to those rights.
Conduct periodic audits to review and assess compliance with the requirements of the DPDP Act and related obligations.
Implement any other measures that may be prescribed by the Central Government, provided such measures are consistent with the provisions of the DPDP Act.
Additional Obligations upon SDF Designation under Rule 13
Once designated as an SDF, organisations are subject to enhanced compliance obligations under Rule 13 of the DPDP Rules, 2025. One such obligation requires SDFs to periodically assess any algorithmic software used in the processing of personal data, so as to evaluate potential risks to the rights of Data Principals. Other requirements are appointing an India-based Data Protection Officer (DPO) who reports directly to the Board of Directors and serves as the primary point of contact for Data Principals, engaging an independent data auditor to evaluate compliance with the Act, and conducting periodic Data Protection Impact Assessments (DPIAs) to identify and mitigate risks arising from personal data processing. This reflects a heightened regulatory focus on AI-driven and automated data processing activities.
Conclusion:
The SDF framework aims to ensure greater accountability from organisations whose processing of sensitive data poses greater risks to individuals, by imposing higher compliance standards. While the Act provides criteria for classification of SDFs and additional compliance requirements, it does not specifically designate the organisations that may fall under the ambit of Section 10. This leaves many enterprises and organisations in a state of legal and business uncertainty.
In the meantime, it is important for businesses and organisations to conduct self-assessments, plan ahead and monitor their thresholds against the above-mentioned criteria, thereby embracing these requirements at an early stage for smoother future compliance. Ultimately, the SDF framework represents a significant step toward a more accountable data protection system in India, ensuring that organisations having substantial influence over personal data are held to a higher standard of accountability.