The Digital Personal Data Protection (DPDP) Act 2023 is set to revolutionize India's approach to data privacy - for users it means greater protection of their data and privacy. For organizations it means grappling with strict new laws and penalties, the likes of which we have never seen before in India. Data protection compliance is now set to become a high-stakes, high-pressure game, with each misstep costing up to ₹250 Crore in penalties.
In particular, if your business processes sensitive personal data at a significant scale, the government may soon classify you as a Significant Data Fiduciary (SDF). Imagine a tech company managing millions of users' personal data, a financial institution processing critical banking information, or a healthcare provider storing sensitive medical records. These types of organizations must manage privacy risks that could have national or even global consequences.
The Indian government has the power to impose stricter rules on these heavyweights of the data world. From appointing Data Protection Officers (DPOs) to conducting yearly audits and Data Protection Impact Assessments (DPIAs), the compliance burden for SDFs is far heavier than that of other organizations. In this article, we’ll explore exactly what it means to be classified as an SDF, the specific obligations that come with the title, and why preparing now could save your organization from penalties, reputational damage, and lost trust in the future.
Further, SDFs face additional compliance requirements outlined in the recently released Draft DPDP Rules 2025. These include regular audits, annual Data Protection Impact Assessments (DPIAs), ensuring algorithmic transparency, and restrictions on cross-border data transfers. Non-compliance with these obligations can result in penalties of up to ₹150 Crores per instance of breach.
What makes a Data Fiduciary ‘Significant’?
Under the DPDP Act, the government is authorized to classify certain data fiduciaries (organizations that collect and process personal data) or classes of fiduciaries as SDFs via notification. In earlier drafts of the law, this power was to rest with the Data Protection Board (DPB), but it now rests with the central government.
Organizations that process personal data at a scale or sensitivity level that poses significant risks to privacy can be classified as an SDF. The government has discretion to weigh the relevant factors, which include:
1. Volume and Sensitivity of Data: Organizations processing vast amounts of personal data or handling particularly sensitive information, such as financial, health, or biometric data, are prime candidates for SDF classification.
For instance, a large bank like the State Bank of India stores millions of customers' financial data, including account balances, transaction history, and loan details. A breach of such a large collection of sensitive data could wreak havoc, which makes SBI a likely candidate for being notified as an SDF.
2. Risk to Data Principals: If the data processing activities of a business expose individuals (Data Principals) to heightened risks — whether through breaches, misuse, or unauthorized access — it can trigger SDF status.
A health tech company that collects and processes patients’ medical records, test results, and treatment plans faces the risk of serious harm to individuals if that data is stolen or misused. Such a company may be notified as an SDF.
3. Impact on National Interests: Data processing activities that could influence public order, electoral integrity, national security, or sovereignty can place an organization under stricter scrutiny.
For example, a social media platform with millions of users can impact public discourse, electoral processes, and even national security through the data it collects and the content it facilitates. Misuse of this data could lead to massive misinformation campaigns or disturbance of public order. That is why large social media companies are likely to be notified as SDFs.
By classifying such organizations as SDFs, the government can ensure that those managing massive amounts of data or handling sensitive information are held to the highest standards of compliance.
SDFs under GDPR
While there's no direct equivalent in the General Data Protection Regulation (GDPR), both laws address high-risk data processing. The GDPR imposes obligations like Data Protection Impact Assessments (DPIAs) and Data Protection Officers (DPOs) for organizations handling sensitive data. However, the DPDP Act allows the government to formally classify entities as SDFs, adding an extra layer of control. We have covered a detailed comparison between the DPDP Act and GDPR elsewhere on this blog.
What are the DPDP Obligations for an SDF?
The DPDP Act imposes strict obligations on all data fiduciaries - for a detailed list of general DPDP obligations for fiduciaries, read our DPDP Compliance Checklist. But with greater power comes greater responsibility. Once classified as an SDF, an organization must comply with an additional, heavier set of obligations. The penalty for failing to meet the SDF obligations is ₹150 Crores per instance of breach. Here are the additional compliance obligations for an SDF:
1. Appointment of a DPO
One of the key requirements for an SDF is to appoint a Data Protection Officer (DPO). The DPO must be based in India and will be accountable to the board of directors or equivalent governing body. This role is crucial because the DPO serves as the point of contact for any data-related grievances from users. As per a leaked copy of the upcoming DPDP Rules, SDFs must publish the DPO’s business contact information, including a toll-free number and email address, on their websites and other public-facing platforms.
The DPO’s responsibilities also include ensuring that the organization complies with all the data protection rules, reporting on breaches, and responding to government inquiries.
2. Annual Data Protection Impact Assessments
SDFs must conduct Data Protection Impact Assessments (DPIAs) at least once every year. A DPIA is a structured process where the organization evaluates how it processes personal data, assesses the potential risks, and outlines steps to mitigate those risks. This ensures that SDFs continuously review their practices to protect personal data from breaches or misuse. For instance, if ICICI Bank is classified as an SDF, it would need to conduct annual DPIAs to assess how its systems, processes, and third-party vendors manage customer data and whether any risks have emerged over the past year.
3. Annual Audits
In addition to DPIAs, SDFs are required to undergo a comprehensive audit every year. These audits provide an independent evaluation of the organization’s data handling practices and help identify any gaps in compliance. Audits will be crucial for large organizations that manage millions of records and need constant oversight to avoid regulatory penalties. Both the obligations on DPIAs and audits have been reinforced in the recently released Draft Digital Personal Data Protection Rules. The results of these assessments and audits must be reported to the Data Protection Board, and the report must contain key findings on the organization’s adherence to data protection requirements.
Updated Obligations for SDFs under the Draft DPDP Rules
Algorithmic Transparency and Safety
The Draft DPDP Rules mandate SDFs to maintain transparency in their algorithmic decision-making processes. If your organization employs algorithms for automated approvals, personalized recommendations, or similar activities, you must ensure that these do not infringe on the rights of Data Principals. This includes demonstrating fairness, preventing biases, and ensuring accountability in algorithmic operations. For example, if an SDF uses machine learning models for credit scoring, it must periodically evaluate these models to ensure they are free of discriminatory practices.
Restricted Cross-Border Data Transfers
Under the Draft DPDP Rules 2025, SDFs face additional restrictions on transferring sensitive personal data outside India. Certain categories of data, such as health or financial data, must remain within the country's borders unless the transfer is absolutely necessary and adheres to strict government-imposed conditions. This provision ensures that critical data is safeguarded within the jurisdiction, mitigating risks to national security and individual privacy.
Best Practices and Compliance Tips
Compliance is no simple matter for an SDF - they must meet the highest data protection standards ever enforced in India. Here are a few steps your business could take to prepare itself for SDF-level compliance with the DPDP Act:
1. Build a Robust Data Governance Framework
A strong data governance framework includes clearly defining how data is collected, stored, processed, and deleted. Implementing a data governance policy that aligns with the DPDP Act’s principles ensures that your organization handles personal data responsibly and legally. Set up regular data governance reviews to ensure that all departments and teams comply with your internal data protection policies.
2. Appoint a Skilled DPO
The role of the Data Protection Officer (DPO) is crucial for SDFs, not just because it's a legal requirement, but because the DPO serves as the point of contact for both internal stakeholders and Data Principals. Your DPO should have deep knowledge of data privacy laws and be empowered to monitor compliance, handle breaches, and engage with regulators.
3. Conduct Regular Data Audits and DPIAs
These assessments help identify any new risks that could emerge from your data processing activities and ensure that your systems remain secure. Regular audits also demonstrate your commitment to transparency and accountability. Consider integrating automated tools to help streamline the audit and DPIA process, ensuring that assessments are thorough, efficient, and repeatable year over year.
4. Implement Strong Encryption and Data Security Measures
Security breaches can be devastating for SDFs. Implement encryption protocols for both data at rest and data in transit to protect personal data from unauthorized access. Regularly update your encryption methods and cybersecurity protocols to stay ahead of emerging threats. Conduct vulnerability assessments and penetration testing to identify weak points in your system. These will minimize the risk of breaches and show that your organization takes security seriously.
5. Develop a Clear Consent Management Process
Managing consent is vital, especially for organizations processing large amounts of sensitive data. Ensure that your consent processes are transparent, easy to understand, and allow users to opt in and out of data processing easily. Make sure your system can record and track consents in a way that is verifiable and interoperable. Use a reliable consent management tool to streamline the process and ensure compliance with the DPDP Act’s consent requirements. Sign up for a free demo of Leegality Consent Manager to get started.
6. Ensure Algorithmic Accountability
Develop a framework for regular reviews of algorithmic systems. Implement checks to monitor for biases or errors and ensure that the systems align with the principles of fairness and transparency. Establish a clear documentation process to explain how algorithms operate and their impact on Data Principals.
7. Strengthen Cross-Border Data Policies
Review your data transfer protocols to ensure compliance with the stricter requirements. Restrict sensitive data transfers outside India unless absolutely necessary, and secure government approval where required. Ensure that contracts with overseas data processors reflect these constraints.
8. Stay Updated with Regulatory Changes
Regulations surrounding data privacy are constantly evolving. SDFs need to stay updated on any changes or new rules introduced under the DPDP Act. Proactively monitoring legal developments will help your organization remain compliant and ahead of potential regulatory challenges. Employees should be trained regularly on data protection laws, internal data handling policies, and the responsibilities of SDFs under the DPDP Act.
Set up alerts for DPDP Act updates and assign a dedicated compliance team to review and adapt to new regulations quickly. Keep checking this space for our data protection newsletter to stay up to date on legal developments relevant for your business.
The Road Ahead for Significant Data Fiduciaries
As the regulatory framework under the DPDP Act and its Draft Rules continues to evolve, SDFs must remain vigilant and proactive. Non-compliance risks are severe, including steep penalties, reputational damage, and loss of user trust. However, organizations that embrace these changes can position themselves as leaders in data stewardship, leveraging compliance as a competitive advantage.
Begin by conducting a gap analysis of your current data management practices against the updated Draft Rules. Implementing robust governance frameworks, prioritizing algorithmic accountability, and adhering to cross-border data requirements will set your organization on the path to success in a privacy-centric market.
Compliance begins with understanding the law. We suggest you begin by reading our DPDP compliance checklist and articles on DPDP exemptions, applicability, and penalties to have a strong foundational understanding of the law as it stands now.