What Is a Significant Data Fiduciary? How to Know If You Are One — and What to Do About It


Introduction


Most organisations reading about the DPDP Act focus on the baseline obligations — privacy notices, consent, data deletion, breach reporting. These apply to every Data Fiduciary. But for a specific subset of organisations, the DPDP Act has a second tier of obligations that goes considerably further.

This tier applies to Significant Data Fiduciaries (SDFs) — organisations designated by the Central Government as processing data at a scale or sensitivity that creates heightened risk to individuals, public order, or national security. SDFs must comply with everything standard Data Fiduciaries must do, and then a layer more: an India-based Data Protection Officer, an independent data auditor, an annual Data Protection Impact Assessment, and algorithmic due diligence on every AI and machine learning system they run.

This article explains exactly what an SDF is, how designation works, who is likely to be designated, what the enhanced obligations involve, and what organisations should be doing right now to prepare — even before the formal designation list is published.


The Legal Basis: Section 10 of the DPDP Act

Under Section 10 of the DPDP Act, the Central Government is empowered to notify any Data Fiduciary — or a class of Data Fiduciaries — as a Significant Data Fiduciary, based on a risk assessment. Rule 13 of the DPDP Rules, 2025, then specifies the additional obligations that apply to SDFs.

SDF designation is not automatic. It is not self-declared. It is a status conferred by the Central Government through a formal notification, after an evaluation of the entity’s data processing activities against the criteria in Section 10.

The formal SDF list has not yet been published as of February 2026. Designation is expected to begin after May 2027 for most entities. However, organisations that are likely to be designated should begin preparing now — the obligations are substantial enough that 18 months of lead time is not excessive.


The Criteria for SDF Designation

Section 10 specifies the factors the Government must consider when evaluating whether to designate an entity as a Significant Data Fiduciary:

1. Volume of Personal Data Processed

The larger the volume of personal data, the greater the potential impact of a breach, misuse, or unlawful processing. Organisations handling tens of millions of records are clearly in scope. The threshold has not been numerically specified — the Government retains discretion.

2. Sensitivity of Personal Data

This is arguably the most important criterion for mid-size organisations. An entity does not need to be large to be designated an SDF — it needs to process sensitive data. The categories most likely to trigger SDF designation include:

  • Biometric data (fingerprints, facial recognition, iris scans used for identity verification)
  • Health and medical data (patient records, clinical data)
  • Financial data (detailed account information, transaction histories, credit profiles)
  • Children’s personal data (at scale)
  • Government-issued ID data (Aadhaar, passport numbers, PAN, Voter ID)

A medium-sized genetic testing startup could be designated an SDF because of the sensitivity of the genomic data it handles — even if a much larger logistics company with more records but less sensitive data is not.

3. Risk of Harm to Data Principals

Does the nature of the data processing create a potential for significant harm if it goes wrong? The risk profile includes:

  • Identity theft or financial fraud
  • Discrimination based on profiled data
  • Physical harm (for location or health data)
  • Reputational harm from disclosure

4. Impact on India’s Sovereignty, Integrity, and National Security

Organisations processing data that, if compromised or misused, could affect national security, electoral processes, or public order attract heightened attention. This particularly applies to:

  • Telecom and internet infrastructure providers
  • Government service intermediaries
  • Platforms processing voter or census data
  • Defence sector supply chain organisations

5. Use of Emerging Technologies

AI, machine learning, deep learning, and other advanced technologies applied to personal data processing — particularly when they make decisions affecting individuals — increase the risk profile and the likelihood of SDF designation. This criterion is forward-looking: as AI use expands in workplace management, hiring, financial services, and healthcare, it brings more organisations into SDF scope.

6. Any Other Factor Prescribed by the Government

The Government retains a catch-all criterion, allowing designation based on factors that cannot be anticipated in advance. This maintains regulatory flexibility but creates uncertainty for organisations.


Who Is Likely to Be Designated an SDF?

While the formal list has not been published, sector analysis and the designation criteria together point to these likely categories:

High Probability:

  • Major digital platforms (social media, search engines, e-commerce, digital payments)
  • Banks, NBFCs, and payment aggregators (financial data + large volumes)
  • Health-tech platforms processing clinical or diagnostic data at scale
  • Telecom operators
  • Large HR tech and background verification platforms (biometric data + employee records at scale)
  • EdTech platforms with children’s data at scale
  • Government service intermediaries

Moderate Probability:

  • Large enterprises processing biometric attendance for tens of thousands of employees
  • Health insurance platforms
  • Logistics companies with driver biometric verification
  • Large co-working and facility management platforms with biometric access control
  • AI-driven hiring and workforce platforms

Lower Probability (but not zero):

  • Genetic testing companies (high sensitivity, smaller volume)
  • Specialised security and surveillance firms
  • High-volume consumer platforms in non-sensitive categories

The Enhanced Obligations of a Significant Data Fiduciary

Being designated an SDF triggers Rule 13 — a set of obligations that go beyond the standard DPDP Act requirements. These obligations take effect from the date of the designation notification, and the recurring ones (audit, DPIA) then repeat at annual intervals.

Obligation 1: Appoint a Data Protection Officer (DPO)

Under Section 10(2)(a) and Rule 13, SDFs must appoint a Data Protection Officer who:

  • Is a resident of India (not based offshore or remotely managing from another country)
  • Reports directly to the Board of Directors or equivalent senior governing body — not to the CTO or Legal function as a subordinate
  • Serves as the primary point of contact for the DPBI and for Data Principals
  • Has independent authority to raise compliance concerns at the board level
  • Oversees the organisation’s data protection programme, including DPIA design, audit findings, and breach response

The DPO’s India-residency requirement is significant for multinationals that typically run privacy functions from European or US headquarters. For SDF-designated entities, a senior, India-based privacy professional in a board-reporting role is non-negotiable.

Obligation 2: Appoint an Independent Data Auditor

Under Section 10(2)(b), SDFs must engage an independent data auditor — a third party with no organisational affiliation — to conduct periodic compliance audits.

The auditor assesses:

  • Adherence to the DPDP Act and Rules across all processing activities
  • Effectiveness of security safeguards
  • Compliance of consent and notice mechanisms
  • Accuracy of DPIA findings and remediation
  • Handling of Data Principal rights requests
  • Breach detection and response capabilities

Audit findings — particularly significant observations and gaps — must be shared with the DPBI periodically. This creates transparency with the regulator that standard Data Fiduciaries are not subject to.

Obligation 3: Annual Data Protection Impact Assessment (DPIA)

Under Section 10(2)(c) and Rule 13(1), SDFs must conduct a DPIA at least once every 12 months from the date of designation notification.

The DPIA assesses:

  • A systematic description of planned processing operations and their purposes
  • An assessment of the necessity and proportionality of processing relative to its purposes
  • An evaluation of risks to the rights of Data Principals
  • The measures proposed to address those risks — safeguards, security measures, technical controls

For SDFs operating AI or ML systems, the DPIA must specifically address the algorithmic dimension: what decisions the system makes, on what basis, with what risk of discriminatory or harmful outcomes.

Obligation 4: Algorithmic Due Diligence

Rule 13(3) introduces one of the most far-reaching obligations in the entire DPDP framework: algorithmic due diligence.

SDFs must undertake systematic assessment of the technical and algorithmic systems they deploy — with specific attention to AI and ML tools that make decisions about individuals. This due diligence must evaluate:

  • What decisions the algorithm makes and on what data
  • Whether those decisions could cause harm, discrimination, or rights violations
  • What safeguards prevent algorithmic bias or error
  • Whether individuals can challenge or appeal algorithmic decisions
  • Whether the algorithm’s logic can be explained and audited

This obligation recognises that the greatest future privacy risk for individuals will come not from traditional data theft but from opaque algorithmic systems making consequential decisions about them — in employment, credit, healthcare, and beyond.

Obligation 5: Data Localisation for Specified Categories

Under Rule 13(4), where the Central Government specifies (based on a committee’s recommendations) that certain categories of personal data must remain within India, SDFs must ensure that:

  • The specified personal data is not transferred outside India
  • Traffic data relating to the flow of that data also remains within India

The specific categories subject to localisation have not yet been published. Likely candidates include financial data, government-issued ID data, and potentially health or biometric data. For SDFs with global data infrastructure, this obligation may require significant architectural changes — routing specified data flows through India-hosted infrastructure.


What Organisations Should Do Now (Before Formal Designation)

Even without a formal designation, organisations that fall within the likely SDF categories should begin preparing for enhanced obligations. The reasons are practical:

  1. Implementation lead time: Appointing a qualified India-resident DPO, finding an independent data auditor, and designing a DPIA programme each takes months. Starting after designation notification would leave little time before the annual cycle begins.
  2. Risk-based prudence: Even if formal designation is delayed, the factors that make an organisation likely to be designated — high volume, sensitive data, AI use — also make it a higher-risk candidate for DPBI investigation following a complaint or breach.
  3. Competitive positioning: The early appointment of a senior DPO signals organisational maturity and privacy commitment — a differentiator in enterprise sales contexts where customers (especially multinationals) evaluate vendors’ data protection posture.

Immediate actions for likely SDFs:


The Onfra Context: Which Customers Are Likely SDFs?

For Onfra’s enterprise customers, the SDF question is relevant in specific scenarios:

Large enterprises with biometric attendance at scale — organisations using fingerprint or facial recognition for attendance across thousands of employees are processing biometric data at volume; this combination elevates SDF probability.

Healthcare facility operators — hospitals and large clinics using Onfra for patient and visitor check-ins are processing health-adjacent data; SDF assessment is warranted.

Financial institutions using biometric security access — banks, NBFCs, and financial services companies with biometric-enabled access control for employees and contractors face elevated designation risk.

AI-enhanced workplace analytics — customers using AI-driven occupancy analytics, predictive desk booking, or behavioural workplace insights are processing personal data through algorithmic systems — a Rule 13(3) trigger for SDF designees.

If you are an Onfra customer in any of these categories, the DPDP Act’s enhanced obligations for SDFs are part of your compliance landscape. Onfra’s data export, audit trail, and privacy notice features are designed to support the documentation and transparency obligations that SDFs require.


The Bottom Line

Significant Data Fiduciary designation is not a penalty — it is a recognition that some organisations’ data activities carry enough risk to warrant closer oversight. The designation carries significant compliance obligations, but it also creates an opportunity: organisations that genuinely invest in privacy governance, appoint strong DPOs, conduct rigorous DPIAs, and build robust algorithmic due diligence become more trustworthy, more resilient, and more defensible when things go wrong.

The SDF framework is India’s most ambitious contribution to global data protection governance — a forward-looking structure that treats not just current data practices but future AI-driven decisions as subjects of accountability.

Whether or not your organisation is formally designated as an SDF, the principles it represents — risk-proportionate governance, board-level accountability, and proactive privacy assessment — are best practices for any organisation in India that takes its obligations to the people behind its data seriously.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.

Onfra’s workplace management platform is designed to support DPDP compliance across every module — from visitor consent at check-in to audit-trail exports for Data Protection Officers. Learn about Onfra’s privacy architecture →