checkDPDP

Are you a Significant Data Fiduciary? What the SDF designation actually means

MeitY can designate any Data Fiduciary as 'Significant' — and the obligations that follow (DPIA, India-resident DPO, periodic audit) change your compliance budget by an order of magnitude. Here's how to tell if you're at risk and what to do today.

22 Apr 2026 · 9 min read

Section 10 of the DPDP Act lets the Central Government designate any Data Fiduciary, or any class of Data Fiduciaries, as a "Significant Data Fiduciary" (SDF). The factors listed are open-ended: volume and sensitivity of personal data processed, risk to electoral democracy, risk to sovereignty and integrity of India, public order, and so on. There is no fixed user-count threshold — MeitY explicitly resisted putting a number in the Rules so the lens stays flexible.

In practice, three buckets are at the front of the queue. One, large consumer platforms — anyone processing tens of millions of Indian Data Principals' data (e-commerce, social, fintech, telco). Two, anything touching children or health data at scale. Three, intermediaries whose data flows could influence elections or public discourse. If you're in one of those buckets, the rational move is to plan as if you will be designated, even before the gazette notification arrives.

What changes once you're designated? Four things land on you: (1) appoint a Data Protection Officer who is based in India and reports to the Board of Directors — not a part-time GC, not a US-based privacy lead; (2) appoint an Independent Data Auditor and undergo a periodic data-protection audit; (3) carry out a Data Protection Impact Assessment (DPIA) for any processing that materially changes risk to Data Principals; (4) periodic reporting and additional measures the Government can prescribe by notification — this is the open-ended bucket.

The DPO appointment is where most foreign-headquartered companies will struggle. The Rules require the DPO to be a senior employee, based in India, who is the contact point for the Data Principal and the Board. That rules out the common "global privacy lead doubling as DPO" pattern and creates pressure to either hire or contract an India-resident senior. India-resident DPO-as-a-Service from firms like Tsaaro, Cygnet or CyberSRC will probably become a standard line item in your compliance budget.

What to do today, even if you're not yet designated: start a DPIA template, name a candidate DPO internally, and book a baseline external audit. The procurement cycle for an Independent Data Auditor under DPDP-acceptable terms will likely run 8–12 weeks once the empanelment list is published; getting in line now is cheaper than scrambling after the gazette notification.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
