The Digital Personal Data Protection (DPDP) Act, 2023, introduces a comprehensive framework for protecting the digital personal data of individuals. It also singles out a class of entities, Significant Data Fiduciaries (SDFs), that carry additional responsibilities because of the scale and sensitivity of the personal data they handle and the risk their processing may pose to individual rights. Rule 12 of the Draft DPDP Rules, 2025 specifically addresses the obligations of SDFs, reinforcing their accountability and subjecting them to stricter compliance measures.
Who Are Significant Data Fiduciaries?
Section 10 of the DPDP Act empowers the Central Government to designate any Data Fiduciary, or class of Data Fiduciaries, as an SDF on the basis of the following factors:
- The volume and sensitivity of personal data processed.
- The risk to the rights of Data Principals (the individuals whose data is being processed).
- The potential impact on the sovereignty and integrity of India, the security of the State, or public order.
- The risk to electoral democracy.
The designation matters because these organisations handle data whose misuse would cause outsized harm. The Act and the Draft DPDP Rules, 2025 therefore impose on SDFs additional duties of transparency, accountability, and compliance that do not apply to ordinary Data Fiduciaries.
Obligations of Significant Data Fiduciaries Under Rule 12
- Annual Data Protection Impact Assessment (DPIA) and Audit: An SDF must carry out a DPIA and an audit once in every twelve-month period. The DPIA is a structured examination of the organisation's data processing activities, focused on identifying risks to the privacy of Data Principals. The audit checks whether the SDF is complying with the provisions of the DPDP Act and the Rules. Together they are meant to surface gaps in privacy practice so that corrective action can be taken before harm occurs. For instance, an e-commerce platform designated as an SDF would need to assess whether its handling of customer data is both secure and compliant.
- Submission of a Report to the Data Protection Board: Under the Draft Rules, the person who conducts the DPIA and audit must prepare a report containing the significant observations from that exercise and furnish it to the Data Protection Board, which oversees compliance with the Act. This keeps the Board informed of how SDFs manage personal data and address the privacy risks identified.
- Due Diligence on Algorithmic Software: An SDF must observe due diligence to verify that the algorithmic software it deploys for processing personal data (for example, for hosting, storing, uploading, or sharing it) is not likely to pose a risk to the rights of Data Principals, such as unauthorised use of their data or discriminatory outcomes. For example, the recommendation algorithm of a social media platform should be reviewed to confirm that it does not discriminate unfairly or misuse users' personal data.
- Data Localisation for Specified Data: An SDF must ensure that the categories of personal data, and associated traffic data, that the Central Government specifies are stored and processed within India and are not transferred outside the country unless expressly permitted. The aim is to keep sensitive data within the reach of Indian law and Indian regulators.
In addition, Section 10(2) of the DPDP Act, 2023 imposes the following obligations directly on SDFs:
- Data Protection Officer: Every SDF must appoint a Data Protection Officer (DPO) with defined duties. The DPO is central to ensuring compliance and handling data protection matters within the organisation. Under the Act, the DPO:
  - represents the SDF for the purposes of the DPDP Act;
  - must be based in India, so that the DPO is accessible and subject to local legal requirements;
  - is responsible to the Board of Directors or an equivalent governing body of the organisation; and
  - serves as the point of contact for the grievance redressal mechanism available to Data Principals.
  A suitably qualified DPO helps an SDF strengthen its data protection measures and implement them effectively.
- Independent Data Auditor: An SDF must appoint an independent data auditor to carry out data audits and evaluate the SDF's compliance with the provisions of the DPDP Act. An external audit offers an outside view of the organisation's privacy practices, identifies weaknesses, and supports their remediation. Section 10 also requires SDFs to undertake periodic DPIAs and periodic audits, which the Draft Rules make an annual exercise.
Best Practices for Compliance
- Appoint a DPO: An SDF must appoint a Data Protection Officer to oversee how personal data is handled and to drive compliance with the DPDP Act. The person appointed should understand privacy law and have experience managing data-related risk. The DPO must be based in India, so that the organisation can respond to local regulators and Data Principals, and must report directly to top management such as the Board of Directors. That reporting line gives the DPO the independence and authority to act effectively and to keep management informed of new privacy rules and practices.
- Engage an Independent Data Auditor: An SDF must appoint an independent data auditor to review its compliance with the data protection law. The auditor should be qualified and experienced in privacy regulation, and the organisation should maintain a clear record of all its processing activities so that the audit can be carried out properly. The auditor's recommendations should be implemented promptly, and regular follow-up reviews help confirm that the organisation remains compliant.
- Conduct annual DPIAs: A DPIA identifies and mitigates the risks that arise when personal data is processed. An SDF should establish a simple, well-defined process for reviewing its data practices, especially before introducing new systems or technologies. Involving teams from different functions, such as IT, legal, and operations, gives a fuller picture of the risks. DPIAs should be revisited whenever data-handling practices change, and in any case at least annually.
- Examine Algorithms for Fairness: An SDF must ensure that the algorithmic software it uses to store, share, or otherwise process personal data does not infringe the rights of Data Principals. This means testing algorithms before deployment for safety, accuracy, and fairness, and reviewing them periodically to correct problems that emerge in use. Keeping records of these checks demonstrates that the organisation takes its duty of due diligence seriously.
- Track the Data Lifecycle to Meet Localisation Requirements: An SDF must ensure that the categories of personal data specified by the Central Government are stored within India. This can be achieved by keeping such data in secure facilities located in the country or with Indian cloud service providers. Monitoring data flows closely helps prevent the unauthorised transfer of such data outside India, and regular checks of storage and transfer practices keep compliance consistent.
- Prepare Documentation for the Data Protection Board: The findings of each DPIA and audit must be reported to the Data Protection Board. An SDF should assign a team to prepare and review the report, and automated tracking of processing activities will make the exercise faster and more accurate. A clear, consistent report format ensures the information is presented in an organised manner.
- Establish Grievance Redressal Mechanisms: Finally, an SDF should operate an effective grievance redressal system for complaints about data privacy. This includes an easy way for Data Principals to file and track complaints on a platform provided by the organisation, and clear timelines so that grievances are resolved promptly. A grievance redressal committee, with the DPO as coordinator and point of contact, can help resolve complaints in a fair and consistent manner.
These practices help SDFs not only meet their statutory obligations but also build trust with the people whose data they process.
Conclusion
The DPDP Act, 2023 and the Draft DPDP Rules, 2025 set out how personal data is to be protected in today's digital environment. SDFs, because of their scale and impact, have a particular role in promoting responsible data handling. Compliance is achieved by building privacy into systems, conducting regular DPIAs and audits, and being transparent about how personal data is used, while responding quickly to complaints and communicating openly with users.
Meeting these obligations allows SDFs to both satisfy the law and earn the confidence of their users, and that confidence sets them apart in an economy where data is a critical asset. As the rules continue to evolve, SDFs should take the lead in demonstrating their commitment to handling personal data responsibly.