A Significant Data Fiduciary (SDF) is a Data Fiduciary that the Central Government formally notifies under Section 10 of the DPDPA, based on the scale or risk of its data processing. SDF status is not something an organisation declares about itself. It is a government notification, published in the Official Gazette, naming a specific entity or class of entities.
Who decides SDF status
Under Section 10(1), the Central Government makes this determination, not the organisation. There is no self-assessment checklist built into the Act itself. An entity becomes an SDF only when named in a notification.
What factors trigger SDF classification
Section 10(1) lists the volume and sensitivity of personal data processed as a factor the government considers, along with other relevant factors it may determine — including risk to the rights of Data Principals and potential impact on India’s sovereignty and integrity. The Act does not fix numerical thresholds for “volume.” Those figures, if set, would come through subordinate rules or specific notifications, not the Act’s text.
What an SDF must do
Once notified, Section 10(2) sets out three obligations:
- Appoint a Data Protection Officer (DPO): based in India, accountable to the Board of Directors or equivalent governing body, and serving as the point of contact for grievance redressal
- Appoint an independent data auditor: to evaluate the SDF’s compliance with the Act
- Undertake additional measures: including periodic Data Protection Impact Assessments (DPIAs) covering the rights of Data Principals affected by processing, and – under Rule 13 of the DPDP Rules 2025 – due diligence to confirm that any algorithmic software used for processing does not pose a risk to those rights
What this means for your organisation
If your organisation processes large volumes of personal data, operates in a sector the government has flagged for scrutiny, or uses automated decision-making that affects individuals at scale, SDF notification is a realistic possibility once the government begins issuing these notifications.
The practical step available today is not waiting for a notification but building the underlying capability the obligations require. They include DPO function, audit readiness, and a DPIA process that can be activated without a rebuild.
Organisations already meeting general DPDPA obligations under Section 8 are closer to SDF-readiness than they may assume, since data mapping and consent infrastructure overlap significantly with DPIA requirements.
What we recommend
Waiting for a formal SDF notification before building the underlying capability is the most common mistake we see. A DPO function, an audit-ready processing record, and a working DPIA template take months to stand up properly. It is not something to assemble under regulatory pressure. Our recommendation:
- Treat the Section 10(2) obligations as a target state to build toward now, regardless of whether your organisation has been notified.
- Start with a data inventory and a named privacy owner.
- If you already run DPIAs for GDPR or similar regimes, extend that process to cover DPDPA’s specific rights framework rather than building a parallel one from scratch.
Conclusion
Significant Data Fiduciary status under DPDPA is a government designation tied to the scale and risk of an organisation’s data processing, carrying specific obligations around DPO appointment, independent audits, and DPIAs once notified. Building this capability ahead of a notification, rather than after one, gives your organisation more room to implement it properly. Our DPDPA compliance consultancy can help you assess where your organisation stands against these obligations today.
What is Significant Data Fiduciary in DPDPA FAQs
Is Significant Data Fiduciary status self-declared under DPDPA?
No. Section 10(1) states that the Central Government notifies an entity or class of entities as an SDF. It is not a self-assessment or voluntary registration.
Does DPDPA specify a numerical threshold for SDF classification?
No. The Act refers to “volume and sensitivity of personal data processed” as a factor without fixing a number. Specific thresholds, if introduced, would appear in subordinate rules or notifications, not the Act itself.
What is the penalty for SDF non-compliance under DPDPA?
Breach of the additional obligations specific to SDFs – DPO appointment, independent audit, or DPIA requirements – can attract a penalty of up to ₹150 crore. This is separate from the higher ₹250 crore tier tied to failure to implement reasonable security safeguards, which applies to any Data Fiduciary, not SDFs alone.
When do SDF obligations come into force?
Provisions relating to Significant Data Fiduciaries – including mandatory DPO appointment and independent audit obligations – are expected to come into force on 13 May 2027, alongside the DPDPA’s full enforcement deadline.
How is an SDF different from a regular Data Fiduciary?
Every Data Fiduciary carries baseline obligations under the Act – valid consent, clear notice, reasonable security safeguards, and breach reporting. An SDF carries all of these plus the Section 10(2) obligations: a DPO, an independent auditor, periodic DPIAs, and algorithmic due diligence under Rule 13.
Can a foreign company be classified as an SDF?
The DPDPA applies to processing of personal data outside India if it relates to offering goods or services to Data Principals within India. Section 10 does not exclude foreign entities from SDF notification, so a foreign Data Fiduciary meeting the government’s criteria could be notified in the same way as a domestic one.




