A Significant Data Fiduciary (SDF) is a Data Fiduciary that the Central Government designates under Section 10 of the DPDP Act, 2023 because the scale or sensitivity of its data processing creates heightened risk to individuals, public order or national security. An SDF must do everything an ordinary Data Fiduciary does, and then a layer more: appoint an India-based Data Protection Officer, engage an independent data auditor, run an annual Data Protection Impact Assessment and audit, perform algorithmic due diligence, and observe any data localisation the government specifies. You do not classify yourself. Designation comes only by government notification, and it takes effect from that date.
If you process data at scale, the right move is to prepare as though designation is coming, because the duties that follow take months to build.
What is a Significant Data Fiduciary?
Think of the DPDP Act as a risk-based law. Every organisation that processes personal data is a Data Fiduciary with a baseline set of duties. On top of that, the Act carves out a second tier for the organisations whose data activities carry the most risk. That tier is the Significant Data Fiduciary.
All SDFs are Data Fiduciaries. Not all Data Fiduciaries are SDFs. The difference is not what you do, it is the scale and scrutiny at which you do it.
How designation works
This is the part people get wrong, so be precise about it. Under Section 10(1), the Central Government notifies a Data Fiduciary, or a class of Data Fiduciaries, as significant, based on an assessment of relevant factors:
- The volume and sensitivity of personal data processed.
- The risk to the rights of Data Principals.
- The potential impact on the sovereignty and integrity of India.
- The risk to electoral democracy.
- The security of the State and public order.
There is no fixed user-count threshold in the Act, no self-classification, and no voluntary opt-in. You become an SDF when, and only when, the government says so, and the status takes effect from the date of that notification. Any specific numbers you see quoted online are illustrative, not legal triggers.
Who is likely to be designated
While the formal list comes from the government, certain profiles are obvious candidates: large social media and user-generated-content platforms, big e-commerce and online gaming intermediaries, major financial and health-data processors, and organisations whose algorithms materially shape what users see, are eligible for, or can access. If you process the data of a very large number of Indians, handle sensitive categories at scale, or run consequential automated decision systems, plan on the assumption that you could be designated.
The extra obligations of an SDF
These come from Section 10(2) of the Act and Rule 13 of the DPDP Rules, 2025. They sit on top of all the baseline duties.
1. An India-based Data Protection Officer
You must appoint a DPO who is based in India, represents the SDF, is responsible and accountable to your Board of Directors or governing body, and serves as the point of contact for grievance redressal. The role cannot be outsourced to a vendor and cannot be held by an executive who lives outside India. For multinationals that run privacy out of a European or US headquarters, this means a senior, India-resident, board-reporting privacy lead is non-negotiable.
2. An independent data auditor
You must engage an independent data auditor, a third party with no organisational affiliation, to evaluate your compliance with the DPDP Act and Rules.
3. An annual DPIA and audit
Under Rule 13(1), you must undertake a Data Protection Impact Assessment and an audit once every twelve months from the date you are notified as an SDF. The DPIA identifies privacy risks in how you process data; the audit checks whether you actually comply.
4. Reporting significant findings to the Board
Under Rule 13(2), the person who carries out the DPIA and audit must submit a report of significant observations to the Data Protection Board. This is a level of regulator visibility that ordinary Data Fiduciaries do not have, and the Board can request reports, so audit-readiness has to be a year-round state, not an annual scramble.
5. Algorithmic due diligence
Under Rule 13(3), you must exercise due diligence to verify that your technical measures, including algorithmic software, used to host, display, upload, modify, publish, transmit, store, update or share personal data, are not likely to pose a risk to the rights of Data Principals. In plain terms: if you run AI or machine-learning systems that touch personal data, algorithmic fairness and risk are now a legal obligation, not just an ethics conversation.
6. Data localisation for specified data
Under Rule 13(4), the government, on the recommendation of a constituted committee, may specify categories of personal data (and related traffic data) that an SDF must not transfer outside India. This is targeted localisation, not a blanket ban: only the specified categories are restricted, and everything else continues to follow the ordinary cross-border rules under Section 16. Map your data flows now so you can respond fast if your categories get named.
Data Fiduciary versus Significant Data Fiduciary
| Obligation | Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Notice, consent, security, breach reporting, retention, grievance | Yes | Yes |
| Data Protection Officer | Not required (publish a contact point) | Required, India-based, board-reporting |
| Independent data auditor | No | Required |
| Annual DPIA and audit | No | Required, every 12 months |
| Reporting findings to the Board | No | Required |
| Algorithmic due diligence | No | Required |
| Data localisation | Per general cross-border rules | Required for specified categories |
What to do now, even before designation
Designation can arrive with little runway, and the SDF duties take months to stand up. If you are a plausible candidate, start here.
- Run a pre-emptive DPIA. Do not wait for the notice. Knowing your risk profile is useful regardless.
- Identify your DPO. Line up a senior, India-resident privacy professional who can report to the board.
- Inventory your algorithms. Document every automated system that touches personal data and assess its risk to individuals.
- Map your data flows. Know exactly what personal data you hold and where it lives, so localisation under Rule 13(4) is a configuration change, not a crisis.
- Align your audit cycle. Coordinate the DPDP audit with your existing statutory audit so it is one rhythm, not two.
- Build audit-ready governance. Put in place the policies, roles, approvals and records that let you face an audit, or a Board request, without scrambling.
What it costs to get this wrong
Breach of the additional obligations of an SDF under Section 10 attracts a penalty of up to ₹150 crore. That sits alongside the baseline exposures, up to ₹250 crore for security failures and ₹200 crore for breach-reporting failures. SDF failures fall into a few buckets: governance gaps (no DPO, a non-resident DPO, no independent auditor), procedural gaps (missed DPIA or audit), and localisation breaches under Rule 13(4), which the government treats seriously because they touch sovereignty. The Data Protection Board sets the amount after inquiry.
Where this fits
SDF duties are the top tier of a larger framework. For the baseline that applies to everyone, see the DPDP compliance checklist and the DPDP Act explained. To gauge your exposure and readiness, take the free Axiom DPDP readiness assessment, or let Axiom’s DPDP compliance service run a Section 10 gap analysis with you.
FAQs
How do I know if I am a Significant Data Fiduciary?
You become one only when the Central Government notifies you, or your class of fiduciaries, as significant under Section 10(1). There is no self-assessment and no automatic threshold. That said, if you process the data of a very large number of Indians, handle sensitive data at scale, or run consequential algorithms, you are a strong candidate and should prepare in advance.
Does every business need a Data Protection Officer under the DPDP Act?
No. A formal DPO is mandatory only for designated SDFs, and that DPO must be India-based and accountable to the board. Every other Data Fiduciary must still publish a contact point and run a grievance mechanism that resolves complaints within 90 days, but it does not have to be a designated DPO.
What is the difference between a DPIA and a data audit?
A Data Protection Impact Assessment identifies and assesses the privacy risks in how you process personal data, ideally before or as you deploy a system. A data audit independently checks whether you are actually complying with the DPDP Act and Rules. SDFs must do both, once every twelve months, and report significant findings to the Board.
Does the DPDP Act require data localisation?
Only in a targeted way. The baseline regime allows cross-border transfers unless the government restricts a country. Separately, under Rule 13(4), the government can specify categories of personal data that an SDF must not transfer outside India. So most data can flow abroad, but specified SDF categories may be locked to India once notified.
Can a foreign company be designated a Significant Data Fiduciary?
Yes. The DPDP Act applies extraterritorially under Section 3 to foreign entities offering goods or services to people in India, and such an entity can be designated an SDF. The India-resident DPO requirement still applies, which is a meaningful operational change for multinationals running privacy from abroad.
See where you actually stand
The free Axiom DPDP readiness assessment turns this guide into your number, your gaps, and your next move, in a few minutes.