Significant Data Fiduciary Under DPDP
Who Qualifies & Obligations
Significant Data Fiduciary classification under Section 10 of the DPDP Act 2023 imposes the highest tier of data protection obligations on designated entities. Banks, large NBFCs, social media platforms, e-commerce marketplaces, and government bodies processing data at scale are the most likely candidates for SDF designation. The additional obligations — mandatory Data Protection Officer, independent data audits, and Data Protection Impact Assessments — require dedicated budgets, new appointments, and operational changes that cannot be implemented overnight.
This guide analyses who will be classified as SDF, what the additional obligations require in practice, expected timelines, and how to prepare. By Advocate Subodh Bajpai.
Section 10 — Classification Criteria
The SDF classification is not automatic — it requires an affirmative notification by the Central Government. Section 10(1) lists six factors the government will consider, but does not prescribe quantitative thresholds. The actual thresholds will be set through rules under Section 40. Based on the legislative intent and global precedent, the factors break down into two categories: scale-based (volume and sensitivity of data) and impact-based (sovereignty, democracy, security, public order).
Scale-based classification will likely follow a data volume threshold — entities processing personal data of a certain number of Data Principals (industry expectation: 10 million or more) or processing sensitive personal data above a threshold. Impact-based classification will target entities whose data processing has outsized societal impact: social media platforms that influence public discourse, election technology providers, entities processing data relevant to national security, and government bodies with access to citizen data at population scale.
The Central Government can designate individual entities or classes of entities. Designating a class — such as “all scheduled commercial banks” or “all social media intermediaries with more than 50 lakh registered users in India” — enables broad coverage without entity-by-entity notification. This is the approach India has used under the IT Act for designating significant social media intermediaries (SSMIs) under the IT Rules 2021.
Who Will Be Classified as SDF
Banks and Large NBFCs
Scheduled commercial banks process personal and financial data of hundreds of millions of Indians. They already comply with RBI IT Governance requirements that parallel SDF obligations. Large NBFCs (asset size above Rs.500 crore or customer base above 10 million) are equally likely candidates. The financial sector will almost certainly be among the first classes designated as SDF.
Social Media Platforms
Platforms already designated as Significant Social Media Intermediaries (SSMIs) under IT Rules 2021 — those with 50 lakh+ registered users — are natural SDF candidates. The overlap in regulatory philosophy (large-scale user impact = enhanced obligations) makes this designation almost certain. Meta, Google, X, LinkedIn, Snapchat, and ShareChat are in this category.
E-Commerce Marketplaces
Amazon India, Flipkart, Myntra, and other large e-commerce platforms process purchase data, payment data, address data, and behavioural data of millions of consumers. The combination of data volume, financial data sensitivity, and consumer impact makes large e-commerce platforms strong SDF candidates.
Telecom Operators
Jio, Airtel, Vi, and BSNL process subscriber data, location data, and communication metadata at national scale. Telecom data has both commercial sensitivity and national security implications. Telecom operators are likely to be classified as SDFs under both scale-based and impact-based criteria.
Government Bodies and PSUs
Large government platforms — Aadhaar (UIDAI), DigiLocker, CoWIN successor platforms, income tax e-filing — process citizen data at population scale. While government processing under Section 7 (legitimate uses) has different consent requirements, SDF obligations regarding DPO, audit, and DPIA would still apply to government SDFs.
Healthcare and Insurance
Large hospital chains, health-tech platforms, and insurance companies processing health data — classified as sensitive under most global frameworks — may be designated as SDFs. The sensitivity of health data, combined with the volume processed by entities like IRDA-regulated insurers and ABHA-integrated hospitals, supports classification.
Three Enhanced Obligations — DPO, Audit, DPIA
Appoint a Data Protection Officer (India-Based)
Section 10(2)(a) requires every SDF to appoint a DPO based in India who acts as the point of contact for the Data Protection Board and for Data Principals exercising their rights. The DPO must be a senior officer with sufficient authority and resources. The DPO role cannot be outsourced to a law firm or consultancy — it must be an individual appointed by the SDF. The DPO’s contact details must be published and accessible to Data Principals.
Appoint an Independent Data Auditor
Section 10(2)(b) requires SDFs to appoint an independent data auditor to periodically audit compliance with the DPDP Act. The auditor must be independent of the SDF — the internal audit function does not satisfy this requirement. The audit scope covers: lawfulness of processing, consent management, data security, breach response preparedness, Data Principal rights implementation, and cross-border data transfer compliance. Audit reports must be filed with the Data Protection Board.
Conduct Data Protection Impact Assessments
Section 10(2)(c) requires SDFs to periodically undertake DPIAs. A DPIA systematically evaluates processing activities to identify risks to Data Principals and measures to mitigate those risks. DPIAs must be conducted for new high-risk processing activities and periodically for existing processing. The DPIA must assess necessity and proportionality of processing, identify risks, and document mitigation measures. DPIAs are not a one-time exercise — they must be repeated when processing changes materially.
Data Protection Officer — Role and Requirements
The DPO under DPDP is not identical to the DPO under GDPR. The DPDP DPO is primarily a representative and contact point — the Act does not prescribe the advisory and monitoring role that GDPR Article 39 assigns to EU DPOs. However, in practice, the DPO will need to perform advisory functions (guiding the organisation on DPDP compliance), monitoring functions (ensuring processing activities remain compliant), and interface functions (responding to Data Principal requests and Data Protection Board communications).
The DPO must be based in India. For multinational companies with Indian operations, this means a local DPO appointment — the global DPO or chief privacy officer based outside India does not satisfy the requirement. For Indian companies with subsidiaries, each entity designated as an SDF needs its own DPO unless the rules permit group-level appointments.
The DPO market in India is nascent. Companies competing for qualified DPOs — individuals with legal, compliance, and technology expertise — will face talent scarcity. Early movers who recruit and develop DPO talent before SDF notifications are issued will have a significant advantage. Companies that delay DPO hiring until formal notification risk non-compliance from day one of the designation.
Expected Timeline and Preparation
The DPDP Act received Presidential assent in August 2023. The Central Government is in the process of notifying rules under Section 40. SDF designation is expected in the second or third round of rule notifications — after the baseline rules on consent, Data Principal rights, and the Data Protection Board are operationalised. Industry expectation is that SDF notifications will begin in late 2025 or early 2026, with compliance timelines of 6 to 12 months from notification.
Entities that expect SDF designation should begin preparation now. The preparation roadmap includes: (1) appoint a DPO or DPO-designate and begin building the data protection function; (2) engage data audit firms and initiate baseline compliance assessments; (3) develop DPIA methodology and conduct pilot DPIAs on high-risk processing activities; (4) map all personal data processing activities and document lawful bases; (5) review and upgrade consent management infrastructure; (6) establish board-level data protection governance.
The cost of SDF compliance is substantial — DPO compensation, audit fees, DPIA consultancy, technology upgrades, and training can range from Rs.50 lakhs to Rs.5 crore annually depending on the organisation’s size and complexity. However, this must be weighed against penalty exposure of up to Rs.150 crore per contravention of SDF obligations (Schedule Sl.4, Section 10). The economics strongly favour proactive compliance.
FAQs — Significant Data Fiduciary
What is a Significant Data Fiduciary under DPDP?
What criteria will the government use to classify SDFs?
Are banks automatically classified as Significant Data Fiduciaries?
What is the role of the Data Protection Officer (DPO)?
What does a Data Protection Impact Assessment (DPIA) involve?
Who will conduct data audits for SDFs?
What additional penalties do SDFs face?
Preparing for SDF Designation?
Unified Chambers advises banks, NBFCs, and technology companies on Significant Data Fiduciary readiness — DPO advisory, audit framework design, and DPIA methodology. Advocate Subodh Bajpai is available directly.