As a company that deeply values digital trust and privacy, we understand that how we handle personal data is no longer just a backend process — it’s a critical factor in how our customers, partners, and regulators perceive our integrity. With the enforcement of the Digital Personal Data Protection Act (DPDPA), 2023, India has introduced a transformative legal framework that clearly defines how organizations like ours must manage personal data.
A key aspect of the DPDPA is the classification of organizations into Significant Data Fiduciaries (SDFs) and Non-Significant Data Fiduciaries (NSDFs). This classification directly affects how we structure our data governance policies. It also defines the responsibilities and safeguards that businesses like ours must implement.
In this post, we’re sharing how both categories work, how classification is determined, and what it means for organizations that handle personal data every day.
What is a Data Fiduciary?

A Data Fiduciary under the DPDPA is any entity (a business, a government body, a start-up like ours, and so on) that decides the purpose and means of collecting and using personal data. In short, as soon as we collect a user’s phone number, email ID, or behavioural data (or have it collected on our behalf) to provide or improve our services, we become a Data Fiduciary.
As a company building and running digital services, we are inherently Data Fiduciaries, with accompanying rights and responsibilities under the law.
When Does a Company Become a Significant Data Fiduciary (SDF)?
The government of India may classify a Data Fiduciary like us as a Significant Data Fiduciary if we meet certain thresholds related to risk and scale. This classification is formal and is carried out by the Central Government under Section 10 of the DPDPA.
We’ve studied the factors that the government considers for SDF designation. These include:
- The volume and sensitivity of personal data we handle
- Whether we process data related to children or individuals with disabilities
- If we use emerging technologies such as AI, personalization engines, or real-time tracking
- The degree to which our data activities could impact public order, democracy, or national security
- The risk of harm to users in the event of a data breach or misuse
We recognize that even if we’re not yet formally notified as an SDF, the nature of our operations might eventually qualify us under these criteria. That’s why we’re taking a proactive approach to compliance, rather than waiting for formal classification.
How We’re Preparing for SDF-Level Compliance
In anticipation of potentially being designated as a Significant Data Fiduciary, we are already aligning ourselves with the elevated responsibilities set forth under Section 10 of the Act.
Here’s what that means for us in practice:
- Data Protection Officer (DPO): We are in the process of appointing or training an internal expert to take on the DPO role. This individual will oversee our data privacy governance and report directly to our leadership.
- Data Protection Impact Assessments (DPIAs): For any new product or feature involving large-scale or sensitive data processing, we plan to conduct DPIAs. These help us evaluate potential risks and design safeguards from the start.
- Independent Data Audits: We plan to work with external privacy auditors who will regularly evaluate our systems and practices. Their role is to ensure we fully comply with both the spirit and the letter of the DPDPA.
- Stronger User Consent Mechanisms: We’re improving the way we capture, manage, and revoke user consent. These updates give users more transparency and greater control over their personal data.
- Enhanced Security and Governance: Our engineering and legal teams are actively implementing top-tier encryption, strict access controls, and detailed audit trails to strengthen data security.
This may require us to invest more resources, but we believe it’s essential for building long-term trust in the digital economy.
What If We Are a Non-Significant Data Fiduciary (NSDF)?
While we monitor whether we may be formally designated as an SDF, we currently operate under the assumption that we are a Non-Significant Data Fiduciary (NSDF) — which is the default classification for most businesses unless specifically notified otherwise.
Even as an NSDF, we understand that we still have legal and ethical responsibilities toward our users’ data. We remain committed to:
- Obtaining informed user consent in clear, simple language
- Notifying users of how and why their data is collected
- Allowing users to access, correct, and delete their data on request
- Maintaining reasonable security measures to prevent data loss or unauthorized access
- Reporting breaches promptly and cooperating with regulatory authorities
We may not be legally required to appoint a DPO or conduct formal audits at this stage, but we still see privacy governance as a competitive advantage, not a checkbox. Therefore we have to
A Self-Assessment Checklist
Ask your legal, IT, or compliance team the following:
- Do we collect large volumes of personal data across India?
- Are we collecting sensitive information (health, biometric, financial)?
- Do we cater to minors or track user behavior in real-time?
- Are we using profiling, scoring, or automated decision-making?
- Could a data breach harm public trust or national interest?
If you answered “yes” to two or more, you may soon fall under SDF obligations — even if you aren’t notified yet.
How We Help Companies Prepare — With or Without SDF Classification
At Concur, we’ve worked with both SDFs and NSDFs to build privacy-first infrastructure using our Consent Management Platform. Whether you’re handling thousands of user records or millions, we help you:
- Capture and manage user consent transparently
- Build multilingual consent journeys (Hindi, English, and regional languages)
- Set up revocation mechanisms and preference centers
- Automate breach notifications and audit trails
- Stay aligned with DPDPA — even before it’s enforced
We believe privacy is not about waiting for enforcement — it’s about earning user trust now.
Ready to Start Your DPDPA Compliance Journey?
Whether your business falls under SDF or NSDF, getting your consent workflows right is the first — and most crucial — step.
That’s where Concur Consent Manager comes in.
With Concur, you get:
- Real-time consent tracking
- Multilingual, user-friendly interfaces
- Seamless API integrations for websites and apps
- Tamper-proof audit trails
- Support for dynamic privacy notices
- Full alignment with DPDPA’s consent obligations
Book a free demo today and see how we help companies like yours stay compliant, agile, and trusted.