The Central Government is expected to begin notifying Significant Data Fiduciaries in 2026. Once classified, you have a strict implementation timeline. The organisations that manage this well are those that began preparing before the notification, not after it.
Significant Data Fiduciary classification — what it means and why it demands immediate attention
The DPDPA 2023 creates two tiers of data fiduciary. Every organisation that processes personal data of individuals in India is a data fiduciary and must comply with the Act's general obligations. A subset of those organisations will be notified by the Central Government as Significant Data Fiduciaries — and for them, the compliance obligations are substantially more demanding.
SDF classification is not triggered by a threshold that organisations can easily measure in advance. It is a government assessment across six criteria: the volume and sensitivity of personal data processed, the risk of harm to data principals, potential impact on India's sovereignty and national security, risk to electoral democracy, and the rights and interests of children. The government has not published numerical thresholds. Classification is a discretionary determination, and the organisations most likely to face early classification are large digital platforms, major financial institutions, health data processors and foreign technology companies with significant Indian user bases.
AMLEGALS advises organisations on their classification exposure, helps them build compliance readiness before the government acts, and manages the full post-classification programme on the regulatory timeline.
The six criteria the Central Government considers in classifying an organisation as an SDF
Volume of Personal Data Processed
Organisations processing personal data at significant scale — large consumer platforms, major fintech companies, healthcare networks and telecom providers — face the highest classification risk. No numerical threshold has been published. The assessment is qualitative, and scale alone is sufficient to attract scrutiny.
Sensitivity of Personal Data
Organisations processing large volumes of sensitive personal data — health information, financial data, precise location data, biometric identifiers — face elevated classification risk even where overall data volumes are moderate. Sensitivity is an independent criterion and can be determinative on its own.
Risk of Harm to Data Principals
The potential scale of harm from a breach, misuse or unauthorised access — measured by the number of people affected and the severity of consequences — is an independent classification criterion. Security posture and breach history are therefore directly relevant to an organisation's classification risk.
National Security and Sovereignty
Organisations processing data with implications for national security, public order or India's sovereignty — including technology infrastructure providers and government data processors — are subject to heightened classification scrutiny under this criterion, which operates independently of data volume.
Risk to Electoral Democracy
Organisations whose data processing activities could influence electoral processes — including political advertising platforms, social media companies with large Indian user bases and election technology providers — face a dedicated SDF classification criterion reflecting the legislature's specific concern about data and electoral integrity.
Rights and Interests of Children
Organisations processing significant volumes of children's data — EdTech platforms, gaming companies, social networks with material child user bases — face elevated classification risk. The DPDPA's express prohibitions on behavioural tracking and targeted advertising directed at under-18s signal the legislature's particular concern about this category.
The four obligations SDF classification triggers — beyond the standard DPDPA requirements
Every SDF must satisfy these four obligations in addition to all standard DPDPA requirements on a timeline prescribed by the DPDP Rules. They are cumulative. An organisation classified as an SDF must satisfy all four.
Data Protection Officer — Appointed from Key Managerial Personnel
Every SDF must appoint a Data Protection Officer drawn from its key managerial personnel. This is a senior internal appointment. The DPO must be based in India and is accountable directly to the Board of Directors. The DPO is the point of contact for data principals exercising their rights and for the Data Protection Board in regulatory engagement. AMLEGALS advises on DPO appointment, terms of reference, Board accountability structure and the governance framework within which the DPO function operates. For organisations requiring interim support while a permanent DPO is recruited, AMLEGALS provides a fractional DPO service.
Independent Data Auditor — Registered with the Data Protection Board
SDFs must have their DPDPA compliance independently audited by a Data Auditor registered with the DPB. The audit covers compliance with all applicable DPDPA obligations — the effectiveness of consent mechanisms, data principal rights infrastructure, breach response capabilities, data processor governance and the overall privacy governance programme. The Data Auditor reports to the DPB, not to the organisation. AMLEGALS prepares organisations for Data Auditor engagement, ensuring the compliance programme is documented, tested and defensible before the auditor begins.
Periodic Data Protection Impact Assessment
SDFs must conduct periodic Data Protection Impact Assessments covering the nature of personal data processed, the purposes and means of processing, the risks to data principals and the adequacy of existing safeguards. The DPDP Rules prescribe the frequency and scope. AMLEGALS conducts the periodic DPIA programme for SDF clients from the initial DPIA through each subsequent assessment, maintaining the documentary record that the Data Auditor and DPB will require.
Additional Transparency Obligations
The Central Government may prescribe further transparency obligations specific to SDFs — including publication of summaries of algorithmic processing, enhanced disclosure of data practices and additional accountability measures. AMLEGALS monitors developments as MeitY and the DPB publish further guidance, and advises SDF clients on compliance as each new requirement is confirmed.
How AMLEGALS takes you from classification risk to full SDF compliance readiness
Classification under the DPDPA arrives without advance warning. The compliance obligations it triggers operate on a timeline the government controls, not the organisation. AMLEGALS' SDF Compliance Programme is structured in four phases to ensure clients are fully prepared before, and fully compliant after, classification.
Formal Written Legal Opinion on Classification Risk
We prepare a written legal opinion on your SDF classification risk, assessing your specific data processing profile against each of the six DPDPA classification criteria, identifying the factors that carry the highest risk, and recommending concrete steps to address unnecessary exposure. This opinion is suitable for presentation to your Board, audit committee and external advisers, and is the document that should exist before any other step in the SDF preparedness process.
Pre-Classification Infrastructure Build
Classification starts a government-prescribed implementation clock. The organisations that meet that clock without difficulty are those that built the necessary infrastructure in advance: DPO role design and appointment advisory, Data Auditor selection and engagement, the first periodic DPIA, enhanced privacy notices in DPDP Rules 2025 format, and Records of Processing Activity in SDF-ready form. AMLEGALS manages this build as a structured programme working alongside your legal, compliance and IT teams.
Post-Classification Implementation
When classification is notified, AMLEGALS manages the complete post-classification compliance programme on the government's prescribed timeline: formalising DPO appointment, managing the first Data Auditor engagement, activating the periodic DPIA programme, issuing enhanced transparency disclosures and establishing Board-level governance reporting on SDF compliance status.
Ongoing SDF Compliance Management
SDF compliance is not a one-time exercise. Annual Data Auditor engagements, periodic DPIA refreshes, quarterly regulatory intelligence, DPO advisory support, Board reporting and preparation for DPB inquiries — all of this must be maintained continuously. AMLEGALS manages the ongoing SDF compliance programme for clients who require it, ensuring the programme remains current as MeitY and the DPB publish further SDF-specific rules and guidance.
Speak with our SDF compliance team
Our team advises on SDF classification risk and compliance readiness. If you want to understand your exposure and what preparation would involve for your organisation, we are available for an immediate discussion.




We will respond within one working day. For urgent matters write directly to [email protected] with subject: SDF Assessment.