DPDP Act 2023 · Section 10 & Rule 13 · Significant Data Fiduciary
Significant Data Fiduciary
Significant Data Fiduciaries (SDFs) face enhanced obligations including mandatory DPO appointment, periodic audits, and Data Protection Impact Assessments.
SDF-specific defaults attract penalties of up to ₹150 crore — designation brings an India-based DPO, an independent data auditor, and periodic DPIAs.
DPDP Act 2023 · Section 10 + Rule 13, DPDP Rules 2025 · Last reviewed June 2026
Direct Answer
What is a Significant Data Fiduciary (SDF)?
A Significant Data Fiduciary (SDF) is a data fiduciary that the Central Government designates under Section 10 of the DPDP Act 2023 because of the volume and sensitivity of the personal data it processes and the risk it poses — to data principals, to electoral democracy, and to the security of the State and public order. An organisation cannot self-classify; it becomes an SDF only when the government notifies it, a power the Ministry of Electronics and Information Technology (MeitY) administers.
Once designated, an SDF takes on three obligations beyond those of an ordinary fiduciary (detailed under Rule 13): appoint an India-based Data Protection Officer, engage an independent data auditor, and run periodic Data Protection Impact Assessments (DPIAs) and audits. SDF-specific defaults attract penalties of up to ₹150 crore — you can model your exposure with our DPDP penalty calculator — so likely candidates should stand up these functions well ahead of the phased deadlines running into 2027. Our DPDP Act knowledge hub maps the full obligation set.
Designation Factors
Who is a Significant Data Fiduciary?
The Central Government notifies Data Fiduciaries as SDFs based on factors including:
- Volume of Data: processing personal data of a significant number of Data Principals
- Sensitivity of Data: processing sensitive personal data at scale
- Risk to Rights: processing that poses a significant risk to the rights of Data Principals
- Impact Assessment: processing that may have a significant impact on sovereignty or security
- Technology Used: use of new technologies with high privacy risks
The Obligation Set
SDF Obligations at a Glance
The additional duties an SDF carries under Section 10 and Rule 13, the source provision, and the typical cadence at which each must be performed.
| Obligation | Source | Cadence | Key Requirement |
|---|---|---|---|
| Data Protection Officer (DPO) | Section 10 / Rule 13 | Standing role | Based in India, senior management, reports to the board |
| Independent Data Auditor | Section 10 / Rule 13 | Periodic (typically annual) | Independent of the SDF; evaluates DPDP compliance and reports to the board |
| Data Protection Impact Assessment (DPIA) | Section 10 / Rule 13 | Periodic | Assess risk to data principals and document mitigations; DPO-approved |
| Periodic Compliance Audit | Section 10 / Rule 13 | Periodic (typically annual) | Comprehensive scope with remediation tracking and board reporting |
In Detail
Additional SDF Obligations
- Appoint a Data Protection Officer (DPO): designate a senior officer based in India as DPO, who represents the SDF and is the point of contact for Data Principals and the Board.
- Appoint an Independent Data Auditor: engage an independent data auditor to evaluate compliance with the DPDP Act provisions.
- Conduct a Data Protection Impact Assessment (DPIA): undertake periodic DPIAs to assess risks to Data Principal rights arising from processing activities.
- Periodic Compliance Audits: conduct periodic audits to ensure ongoing compliance with all DPDP Act obligations.
The DPO Role
Data Protection Officer Responsibilities
Significant Data Fiduciary — Frequently Asked Questions
The questions organisations ask when they may be designated as an SDF.
What is a Significant Data Fiduciary under the DPDP Act?
A Significant Data Fiduciary (SDF) is a class of data fiduciary that the Central Government notifies under Section 10 of the Digital Personal Data Protection Act, 2023. The designation is based on factors including the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, and security of the State and public order. An organisation does not self-classify — it becomes an SDF only when notified by the government.
What additional obligations do SDFs have?
Beyond every ordinary data-fiduciary duty, an SDF must do three extra things under Section 10 and Rule 13: (1) appoint a Data Protection Officer based in India who represents the SDF and reports to its board; (2) appoint an independent data auditor to evaluate DPDP compliance; and (3) undertake periodic Data Protection Impact Assessments and audits, plus any other measures the government prescribes — such as restrictions on transferring certain personal or traffic data outside India.
Does an SDF have to appoint a Data Protection Officer (DPO)?
Yes. A DPO is mandatory for an SDF. The DPO must be based in India, operate at senior-management level, report to the board of directors or equivalent governing body, and serve as the point of contact for the grievance-redressal mechanism. Their contact details must be published so data principals and the Data Protection Board can reach them directly.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a structured assessment of the rights of data principals and the risks arising from a processing activity, together with the measures taken to manage those risks. SDFs must conduct DPIAs periodically. A DPIA typically documents the purpose and necessity of processing, the categories of data and data principals involved, the risks identified, and the mitigation and safeguards applied — and is reviewed and approved by the DPO.
What happens if an SDF fails to meet its obligations?
Breach of the additional obligations imposed on Significant Data Fiduciaries under Section 10 can attract a penalty of up to ₹150 crore, on top of penalties for any underlying failures such as inadequate security safeguards (up to ₹250 crore). Because these duties are designation-triggered and time-bound under the phased DPDP Rules 2025 deadlines, organisations likely to be notified should build their DPO, audit, and DPIA functions early. Tranquility Cybersecurity (TCSA) provides SDF-readiness support across all three.
Not sure whether SDF duties will reach you? Begin with the DPDP Act knowledge hub, review verified engagement outcomes on our proof page, and engage Tranquility Cybersecurity (TCSA) for DPDP compliance consulting in India covering DPO, independent audit, and DPIA support.
Written By Expert Auditors