Significant Data Fiduciary: Are You One and Don't Know It?
The criteria for Significant Data Fiduciary classification under DPDPA are broader than most assume. This definitive checklist helps you determine your precise obligations and risk exposure.
Part 1 of 5
What is a Significant Data Fiduciary?
Under Section 10 of the DPDPA 2023, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on several assessment factors. Rule 13 of the DPDP Rules 2025 further elaborates the criteria and additional obligations for SDFs.
Section 10(1) lists the factors the Central Government weighs: the volume and sensitivity of personal data processed; risk to the rights of Data Principals; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; and public order, together with any other factor it considers relevant. Use of new technologies is not named in the section but sits within that residual clause and is commonly cited in practice. Neither the Act nor the Rules set a numerical threshold. The figures used in this checklist, personal data of 50 lakh (5 million) or more Indian residents, or annual revenue of ₹250 Crore or more, are indicative industry heuristics rather than statutory tests; an entity that meets them should treat itself as at heightened risk of notification, not as an SDF by default.
The obligations in Section 10(2) attach once an entity is notified, and the consequences of ignoring them are severe: breach of the additional obligations of an SDF carries a penalty of up to ₹150 Crore under The Schedule (read with Section 33). That penalty is separate from the penalties for other breaches, such as failure to implement reasonable security safeguards under Section 8(5), which is capped at ₹250 Crore.
Part 2 of 5
Key Factors for SDF Classification
The Central Government assesses multiple factors when determining SDF status. These are not rigid numerical thresholds but qualitative and quantitative criteria that, when met individually or in combination, trigger classification:
Factor 1 — Volume of Personal Data Processed: Organisations processing personal data of a large number of Data Principals in India. Indicative thresholds suggest 50 lakh (5 million) or more individuals. This includes all categories: customers, employees, contractors, vendors, website visitors (if identifiable), referrals, and dependents.
Factor 2 — Sensitivity of Data: Processing of sensitive categories (financial data, health data, biometric data, genetic data, caste, religious or political beliefs, trade union membership, or sexual orientation data) at scale increases SDF risk regardless of volume. Note that the DPDPA does not enumerate sensitive categories the way the SPDI Rules, 2011 under the IT Act did; Section 10 refers only to "sensitivity" in general terms, so the list above reflects categories regulators and courts have historically treated as sensitive rather than a closed statutory list.
Factor 3 — Risk of Harm to Data Principals: Section 10(1)(b) frames this as risk to the rights of Data Principals. Automated decision-making that produces legal or similarly significant effects (credit scoring, hiring algorithms, insurance pricing, treatment recommendations) creates heightened SDF risk because processing errors directly affect individuals' rights and interests.
Factor 4 — Impact on Sovereignty, Public Order, and Security: Data Fiduciaries whose processing activities could affect national interests, critical information infrastructure, public order, or electoral democracy. The IT Act, 2000 term is Critical Information Infrastructure (CII), designated under Section 70 and protected by NCIIPC under Section 70A. Operating a CII system does not make an organisation an SDF by itself, since only a Section 10 notification does that, but such organisations are obvious candidates and should plan for classification.
Factor 5 — Use of New Technologies: Adoption of advanced technologies for data processing — including AI/ML-based profiling, large-scale behavioural analytics, and cross-source data combination — contributes to SDF assessment.
Part 3 of 5
Cross-Border Transfers and SDF Risk
Cross-border data transfers add a significant dimension to SDF assessment. Organisations that transfer personal data of Indian Data Principals to entities or jurisdictions outside India — whether through cloud infrastructure (AWS, Google Cloud, Azure), SaaS platforms (Salesforce, HubSpot, etc.), global parent companies, or third-party service providers — face heightened scrutiny.
Section 16 of the DPDPA governs cross-border transfers. It does not create GDPR-style adequacy decisions or contractual transfer mechanisms; instead, transfer to any country or territory is permitted unless the Central Government restricts that destination by notification, and Section 16(2) preserves any stricter sectoral law already in force (for example RBI payment-data localisation). The Rules additionally allow the Central Government to require SDFs to keep specified categories of personal data and related traffic data within India. The intersection of cross-border transfer activity with large-scale processing therefore raises both the likelihood of SDF classification and the weight of obligations once classified.
Practical implication: Many SaaS companies, fintech platforms, and e-commerce firms in India transfer data offshore through cloud infrastructure without recognising that this contributes to their SDF risk profile. Cloud hosting in a foreign region, even purely for processing and even with data encrypted at rest, is a transfer of personal data outside India, because the provider processes it from that jurisdiction.
Part 4 of 5
Obligations Once Classified as SDF
Once an entity is notified as an SDF under Section 10, it must comply with enhanced obligations beyond those applicable to general Data Fiduciaries:
Obligation 1 — Appoint a Data Protection Officer (DPO): Under Section 10(2)(a) the DPO represents the SDF under the Act, must be an individual based in India, is the point of contact for the grievance redressal mechanism, and is responsible to the Board of Directors or a similar governing body. In practice the DPO also coordinates DPIAs and audits and liaises with the Data Protection Board of India (DPBI), although the Act places those duties on the SDF rather than on the DPO personally.
Obligation 2 — Appoint an Independent Data Auditor: Under Section 10(2)(b) the auditor carries out a data audit and evaluates the SDF's compliance with the Act; the Rules require the auditor's significant observations to be reported to the Data Protection Board of India.
Obligation 3 — Conduct Data Protection Impact Assessments (DPIAs): Section 10(2)(c)(i) requires periodic DPIAs, which the Rules fix at least once in every twelve months. The Act defines a DPIA as a process that describes the rights of Data Principals and the purpose of processing, then assesses and manages the risk to those rights. The obligation is not limited to high-risk processing; activities involving sensitive data, large-scale profiling, or automated decision-making are simply where the assessment demands the most depth.
Obligation 4 — Periodic Audits: Section 10(2)(c)(ii) requires periodic audits, also at least once in twelve months under the Rules, assessing adherence to the Act's principles, implementation of security safeguards, and fulfilment of Data Principal rights.
Obligation 5 — Enhanced Record-Keeping: Detailed records including a Data Processing Register, consent records, incident logs, DPIA reports, audit reports, and records of Data Principal requests. The Act fixes no single retention period for these records; the Rules require security logs to be kept for at least one year for breach detection, and many organisations adopt 7 years for compliance records to align with other Indian record-keeping requirements. Treat 7 years as a conservative practice, not a statutory minimum.
Non-compliance with these obligations attracts penalties up to ₹150 Crore under The Schedule.
Part 5 of 5
SDF Risk Assessment Checklist
Use this assessment to evaluate your organisation's SDF risk profile. Affirmative answers to any of the following indicators suggest your organisation may be classified as an SDF:
Do you process personal data of 50 lakh (5 million) or more individuals in India across all systems?
Does your annual revenue exceed ₹250 Crore?
Do you process sensitive personal data (financial, health, biometric, genetic, religious, political, union membership) at scale?
Do you perform automated profiling (credit scoring, hiring decisions, treatment recommendations, insurance pricing) that produces legal or similarly significant effects?
Do you transfer personal data of Indian Data Principals outside India — including through cloud hosting, SaaS platforms, or offshore service providers?
Do you operate systems designated as Critical Information Infrastructure (CII) under Section 70 of the IT Act, 2000?
Do you combine personal data from multiple sources to create detailed profiles or behavioural predictions affecting large populations?
Do you operate in multiple sectors with diverse data categories?
If you answered YES to one or more indicators: Affirmative answers do not make your organisation an SDF; only a Central Government notification under Section 10 does. They do indicate a material risk profile, and the more indicators that apply together, particularly volume combined with sensitivity or automated decision-making, the stronger the case for a formal SDF classification assessment with legal counsel. Proactive classification and compliance is significantly more defensible than reactive classification following a regulatory inquiry.
Key Takeaways
SDF classification under Section 10 is determined by the Central Government based on multiple qualitative and quantitative factors — not a single bright-line test
Key factors include volume of data processed (indicatively 50 lakh+ Data Principals), sensitivity of data categories, risk of harm, and use of new technologies
Cross-border data transfers — including cloud hosting offshore — contribute to SDF risk profile and increase classification likelihood
Once classified, SDFs must appoint an India-based DPO responsible to the board, appoint an independent data auditor, conduct DPIAs and audits at least every twelve months, and maintain enhanced records (7+ years is a conservative practice; the Act fixes no period)
Non-compliance with SDF obligations under Section 10 attracts penalties up to ₹150 Crore under The Schedule — independent of other violation penalties
Statutory References
Section 10: Obligations of Significant Data Fiduciaries
Rule 13 DPDP Rules 2025: SDF Criteria and Additional Obligations
Section 33 read with The Schedule: Penalty for SDF Non-Compliance — up to ₹150 Crore
Section 8(5): Reasonable Security Safeguards
Section 16: Cross-Border Transfer of Personal Data
Section 9: Additional Obligations for Children's Data
Information Technology Act, 2000, Section 70: Critical Information Infrastructure Designation