Significant Data Fiduciary Determination Under DPDPA
Understanding and determining Significant Data Fiduciary status under DPDPA 2023.
Under DPDPA, organisations meeting specific criteria are classified as Significant Data Fiduciaries and must comply with enhanced obligations including mandatory DPO appointment. This framework identifies those criteria and their operational implications.
Definitional Criteria
The DPDPA defines Significant Data Fiduciary through four criteria, meeting any one of which triggers the classification.
Key Points
- •Annual turnover exceeding specified threshold
- •Storing or processing personal data of one million or more data principals
- •Data processing activities likely to cause harm to data principals
- •Government designation based on notified criteria
Organisational Impact of Designation
Significant Data Fiduciary status creates specific legal obligations and operational requirements.
Key Points
- •Mandatory appointment of Data Protection Officer based in India
- •Requirement to publish Privacy Impact Assessments
- •Enhanced breach notification obligations
- •Board-level accountability for data protection
Threshold Analysis & Calculation
Methodology for determining whether thresholds are met.
Key Points
- •Definition of annual turnover for SDF purposes
- •Scope of data principal counts (domestic vs foreign)
- •Aggregation of group entities
- •Timing of assessment (financial year basis)
Harm Assessment
Framework for evaluating whether processing activities are likely to cause harm.
Key Points
- •Categories of harm contemplated under DPDPA
- •Vulnerability of affected data principals
- •Sensitivity of personal data processed
- •Scale and scope of processing
Statutory References
- ⚖Section 2(l): Definition of Significant Data Fiduciary
- ⚖Section 10: DPO requirements for Significant Data Fiduciaries
- ⚖Rule 10: Determination of Significant Data Fiduciary status
- ⚖Rule 11: Publication of Privacy Impact Assessment