Key Takeaways
- A company becomes a Significant Data Fiduciary only after a Central Government notification.
- There is no user, revenue, or employee threshold under the DPDP Act.
- SDFs must appoint a DPO, conduct annual DPIAs and audits, and comply with additional governance requirements.
- Rule 13 obligations are expected to become enforceable from May 2027.
- Businesses handling large volumes of sensitive personal data should begin preparing now.
A Significant Data Fiduciary (SDF) is a company that the Central Government designates under Section 10 of the DPDP Act, 2023. It receives this designation because its data processing creates a higher risk for individuals.
Many people believe a company automatically becomes an SDF after reaching a certain number of users or revenue. That isn’t true. The law does not work that way. There is no threshold and no self-assessment. A company becomes an SDF only after the government issues an official notification.
Deadlines:- Event Date
DPDP Act:- 11 August 2023
DPDP Rules:- 13 November 2025
Rule 13 enforcement:- May 2027
Who Decides If You Are a Significant Data Fiduciary?
The Central Government decides. Under Section 10 of the DPDP Act, the Central Government can notify any data fiduciary or a class of data fiduciaries as significant. A notification is simply an official order published by the government. Until your company is officially notified, it remains a regular data fiduciary, regardless of its size or the amount of data it processes.
Simplify Your Compliance & Stay Audit-Ready
Help your team manage controls, risks, and audits with ease
What Factors Does the Government Consider?
Section 10 lists the factors that guide this decision:
- Volume and sensitivity of data: The amount of personal data you process and how sensitive it is. Health records and financial data carry more weight than basic contact details.
- Risk to individual rights: Can the data you process harm the individual’s rights?
- Impact on national interests: Any potential effect on the sovereignty and integrity of India, the security of the State, or public order.
- Risk to electoral democracy: Platforms with the reach to influence voters at scale fall under this factor.
A company’s size, revenue, or employee count alone does not determine SDF status. Instead, the government looks at the type of data processed and the risks involved.
What is Data Fiduciary vs Significant Data Fiduciary?
Any organisation that decides why and how personal data is processed is a data fiduciary. This covers a small online store with a customer list as much as a bank with crores of account holders. The core rules of the DPDP Act apply to both.
A Significant Data Fiduciary is simply a data fiduciary with additional compliance responsibilities because it processes large amounts of personal data or highly sensitive data. Think of it like income tax slabs. Everyone pays tax, but higher income brings a higher slab and closer scrutiny. In the same way, Higher data risk means stricter compliance requirements.
- What stays the same: Both must obtain valid consent, provide clear notice, apply reasonable security safeguards, report breaches, and honour the rights of data principals under Sections 4 to 9 of the Act.
- What gets added: A significant data fiduciary must also appoint a DPO in India, engage an independent auditor, complete a yearly DPIA and audit, report findings to the Data Protection Board, review its algorithms, and follow data localisation orders where they apply.
Every significant data fiduciary is a data fiduciary, but not every data fiduciary is significant.
Which Companies are Likely to Be Notified?
The government has not published a list yet. Based on these factors, some types of businesses are more likely to be notified. Banks, NBFCs, insurers, telecom operators, large e-commerce and social media platforms, fintech apps, health tech companies, and edtech platforms that handle student data are some of the organization that may get notified. Businesses that process personal data at a large scale, especially financial or health data, should prepare in advance instead of waiting for a notification.
What Extra Duties Do Significant Data Fiduciaries Have?
Section 10 of the Act sets out the core obligations, and Rule 13 of the DPDP Rules 2025 explains how they work in practice. Once notified, a company must do the following:
- Appoint a Data Protection Officer: The DPO must be an individual based in India, must report to the Board of Directors or an equivalent governing body, and acts as the point of contact for grievance redressal.
- Engage an independent data auditor: An independent auditor checks whether the company complies with the DPDP Act and its Rules.
- Complete a DPIA every 12 months: A Data Protection Impact Assessment (DPIA) reviews how personal data is processed, identifies possible risks, and checks whether existing safeguards are enough.
- Complete an audit every 12 months: The audit is conducted every year along with the DPIA, starting from the date the company is notified as an SDF.
- Report findings to the Data Protection Board: The auditor must submit a report of important findings to the Data Protection Board. This gives the regulator direct visibility into the company’s data practices.
- Review algorithmic systems: The company must review its AI and automated systems to ensure they do not negatively affect the rights of data principals. Recommendation engines and automated decision systems fall within this duty.
- Keep specified data within India: Certain categories of personal data, identified by the government, cannot be transferred outside India. The traffic data linked to it must also remain within the country. This restriction applies only to the specified categories, not to all personal data.
What Happens If You Ignore These Rules?
The DPDP Act backs these obligations with substantial penalties. A failure to meet significant data fiduciary obligations can attract a penalty of up to Rs 150 crore per violation. A failure of security safeguards sits in the highest tier, at up to Rs 250 crore. After an inquiry, the Data Protection Board decides the penalty based on the seriousness of the violation, how long it continued, and the company’s compliance history.
Maximum Penalties
Violation Maximum Penalty
Failure to meet SDF obligations ₹150 crore
Failure to implement security safeguards ₹250 crore
Common Mistakes Companies Make About SDF Status
Much of the early confusion around this topic falls into a few predictable traps:
- Assuming small means safe: Sensitivity matters as much as volume. A mid-sized company that processes health or financial records can still be notified.
- Planning for a vendor or overseas DPO: The DPO must be an individual based in India who reports to the board. A consulting firm cannot hold the role, and neither can an executive located abroad.
- Combining the DPO and auditor roles: These are separate appointments, and the auditor must be independent for the audit to carry any weight.
- Treating the DPIA as a one-time exercise: Rule 13 requires a fresh DPIA and audit every 12 months. A single assessment at the start does not satisfy the requirement.
- Reading localisation as universal: Only the data categories specified by the government committee must remain in India. Map your data flows now, but there is no need to restructure your entire cloud setup before those categories are announced.

How Should You Prepare Before May 2027?
- Map your data: List the personal data you collect, where it is stored, and who has access to it.
- Assess your likely status: If you process the data of millions of users, or handle financial and health records, work on the assumption that you will be notified.
- Identify your DPO: Shortlist a candidate based in India with genuine privacy and risk experience.
- Establish a DPIA process: Run your first assessment before any notification arrives, so the annual cycle is already in place.
- Review your algorithms: Document that your automated systems do not harm user rights, and keep that evidence ready for audit.
- Check your data locations: Know which data leaves India today, so localisation orders do not disrupt your operations later.
Frequently Asked Questions
Ques: Is There a User or Revenue Threshold for Becoming a Significant Data Fiduciary?
Ans: No, there is no numeric threshold in the Act or the Rules. The status comes only through a Central Government notification under Section 10.
Ques: Has the Government Published a List of Significant Data Fiduciaries?
Ans: Not yet, no official list has been notified so far. Companies with high-volume or high-risk processing should prepare in advance rather than wait.
Ques: Do Significant Data Fiduciaries Have to Store All Data in India?
Ans: No, Localisation applies only to data categories specified by the government based on committee recommendations, along with the related traffic data. Everything else follows the general cross-border transfer rules.
Ques: How Often Must a Significant Data Fiduciary Conduct a DPIA?
Ans: Once every 12 months from the date of notification, along with an audit. Significant findings from both go to the Data Protection Board.
Ques: What Is the Penalty for Breaking Significant Data Fiduciary Rules?
Ans: Up to Rs 150 crore per violation for SDF obligation failures. Security safeguard failures carry the highest penalty under the Act, at up to Rs 250 crore.
Ques: When Do Significant Data Fiduciary Obligations Start?
Ans: Rule 13 takes effect in the 18-month phase of the rollout, which means May 2027.