Significant Data Fiduciary (SDF) Obligations

Enhanced compliance requirements for Section 10 designated entities

24 January 2026
Executive Summary

Significant Data Fiduciaries face enhanced governance obligations including mandatory DPO appointment, periodic DPIAs, and independent audits under Section 10 of DPDPA.

Significant Data Fiduciary (SDF) Obligations — AMLEGALS DPDPA Visual Guide Series

1. The SDF Designation Criteria

Section 10(1) empowers the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries based on several criteria. These include the volume and sensitivity of personal data processed, risk to Data Principal rights, potential impact on India's sovereignty and integrity, and risk to electoral democracy.

This designation creates a tiered regulatory system where entities handling substantial data volumes or sensitive categories face enhanced scrutiny.

Unlike GDPR's automatic threshold-based categorisation, DPDPA uses a notification-based approach. This means organisations cannot definitively assess their SDF status until formal designation happens. Large data processors need to anticipate potential designation and build compliance capabilities proactively rather than waiting for notification.

2. Enhanced Governance Mandates

Section 10(2) imposes additional obligations on designated SDFs that significantly increase their compliance burden.

The requirement to appoint a Data Protection Officer based in India has human resource implications for multinationals that typically centralise privacy functions globally. DPOs must have appropriate qualifications and operate independently. They cannot be penalised for doing their job and must report directly to the board or highest management level.

Periodic Data Protection Impact Assessments become mandatory rather than optional. These require systematic evaluation of processing operations against privacy risks. Perhaps most significantly, SDFs must engage independent auditors to verify compliance annually, with audit reports submitted to the Data Protection Board. This external verification transforms compliance from internal attestation to externally validated accountability.

Key Takeaways

  1. Designation by Central Government based on data volume, sensitivity, and risk
  2. Mandatory DPO appointment with India residency requirement
  3. Periodic DPIA obligations for systematic risk assessment
  4. Annual independent audit with DPB submission
  5. Enhanced record keeping and transparency requirements