What is Significant Data Fiduciary under India’s DPDP Law

TL;DR: Significant Data Fiduciary (SDF) under India’s DPDPA

• DPDPA adopts a risk-based approach – India’s Digital Personal Data Protection Act, 2023 regulates entities based on risk posed by data processing, not a one-size-fits-all model.
• Data Fiduciary = decision-maker and any entity that determines the purpose and means of personal data processing is a Data Fiduciary.
• Significant Data Fiduciary (SDF) = high-risk subset and SDF is a Data Fiduciary that processes data at a scale or in a manner that creates heightened risk to individuals or the State.
• SDF status is NOT automatic – Entities become SDFs only through Central Government notification, based on evaluation.
• Legal basis: Section 10, DPDPA + DPDP Rules, 2025 and The law empowers the government to identify entities requiring enhanced safeguards.
• Key criteria for SDF designation include Large volume of personal data, Sensitive data (financial, health, biometrics, children’s data), Impact on sovereignty, public order, or national security, Use of AI/ML and emerging technologies etc
•  Likely SDFs (indicative examples) includes Big digital platforms (social, search, ad-tech), Banks, fintechs, payment aggregators, Health-tech and biotech platforms, Large e-commerce and logistics players, Government and public digital infrastructure
• SDFs face additional compliance obligations like Mandatory Data Protection Officer (DPO), Mandatory Data Protection Impact Assessment (DPIA), Periodic independent data audits and Stronger governance and accountability controls
• Higher regulatory scrutiny applies The Data Protection Board of India can demand audits, seek information, and impose higher penalties on SDFs.
• Core shift in philosophy and DPDPA moves India from uniform compliance to risk-based governance, with SDFs at the center of enforcement.

India’s Digital Personal Data Protection Act, 2023 (DPDPA) introduces a risk-based data protection regime. One of its most critical concepts is the Significant Data Fiduciary (SDF)—a category of data fiduciaries that process personal data at a scale or in a manner that poses heightened risk to individuals and to the State.

The classification of an entity as an SDF triggers additional compliance, governance, and accountability obligations, making it a cornerstone of India’s data protection framework.

Who is a Data Fiduciary?

Under the DPDPA, A Data Fiduciary is any person, company, State entity, or body that alone or jointly determines the purpose and means of processing personal data. A Significant Data Fiduciary is a subset of data fiduciaries that meets certain risk-based thresholds.

Meaning of Significant Data Fiduciary (SDF)

A Significant Data Fiduciary is a data fiduciary that is notified by the Central Government based on specified criteria, considering the nature, volume, and impact of data processing. Importantly, SDF status is not automatic, it is conferred through government notification after evaluation.

Legal Basis and the concept of SDF is provided under Section 10 of the DPDPA, 2023 and further operationalized through the DPDP Rules, 2025 wherein there are provision that empower the government to identify entities whose data practices require enhanced safeguards.

Criteria for Designation as a Significant Data Fiduciary (SDF)

1. Volume of Personal Data Processed – Large-scale processing of personal data + Millions of users or extensive customer databases
2. Sensitivity of Personal Data – Processing of sensitive personal data such as Financial data, Health records, Biometric identifiers, Children’s data and data of national and strategic importance.
3. Risk to Rights of Data Principals – Potential harm due to profiling, behavioral tracking, automated decision-making, surveillance-like activities.
4. Impact on Sovereignty and Public Order – Processing that may affect subjects like National security, Electoral integrity, Public order, State interests etc.
5. Use of New or Emerging Technologies – AI/ML-based profiling, Large-scale data analytics, Algorithmic decision systems
6. Any Other Factor Deemed Necessary – Government retains residual discretion to include additional risk factors.

Examples of Significant Data Fiduciaries (Likely)

While official notification is required, the following are practical examples of entities likely to qualify:

1.  Digital Platforms – Social media platforms, Search engines, Online advertising networks
2.  Financial Institutions – Large banks, Fintech platforms, Payment aggregators and wallets
3. Health & Biotech Companies – Digital health platforms, Telemedicine providers, Health data aggregators
4. E-commerce & Marketplaces – Large online marketplaces, Food delivery and logistics platforms
5. Government & Public Authorities – Aadhaar-related entities, Welfare delivery platforms, Citizen data portals

Additional Obligations of Significant Data Fiduciaries

Once designated, an SDF must comply with enhanced obligations beyond those applicable to ordinary data fiduciaries like Appointment of a Data Protection Officer (DPO), Data Protection Impact Assessment (DPIA), Periodic Independent Data Audits, Enhanced Governance Measures. Once created, the Data Protection Board of India will proactively monitor compliance of SDFs and it can seek information and audit reports. May impose significantly higher penalties for violations by SDFs

Key Differences: Data Fiduciary vs Significant Data Fiduciary

Categorizing data fiduciary and concept of Significant Data Fiduciary represents a shift from uniform compliance to risk-based governance under India’s data protection law. Organizations handling vast, sensitive, or high-impact personal data must prepare for enhanced compliance, audits, and oversight.