checkDPDP

Section 10 · DPDP Act 2023

Significant Data Fiduciary under the DPDP Act — obligations and checklist.

Section 10 designates a class of Data Fiduciaries with extra obligations — DPO, independent auditor, periodic DPIA, periodic audit. Here is who qualifies, what changes the day you are designated, and a 12-point self-assessment to find your exposure today.

Last reviewed by checkDPDP editorial.

Who qualifies as a Significant Data Fiduciary?

Section 10(1) of the DPDP Act lets the Central Government designate a Data Fiduciary as Significant based on six factors. The Government can apply one or several — you do not need to meet all six to be designated.

  1. Volume and sensitivity of personal data

     How much personal data you process and how sensitive it is. A platform with 50 million Indian users by definition crosses any reasonable volume threshold; a clinical diagnostics platform with 100,000 patient records crosses the sensitivity threshold.

  2. Risk to the rights of Data Principals

     Whether your processing could meaningfully harm users — profiling, automated decision-making that affects credit, employment, education or healthcare, or any processing where a mistake could be expensive for the individual.

  3. Potential impact on the sovereignty and integrity of India

     Aimed at platforms whose dataset has national-security implications — large-scale geolocation, national-ID linkage, biometric identifiers at scale, or processing that could enable foreign surveillance of Indian citizens.

  4. Risk to electoral democracy

     Targeted at platforms with the reach to influence elections — major social media, political-targeting tools, micro-targeted political ad networks. The Central Government can designate any platform whose data could enable election interference.

  5. Security of the State

     Defence-adjacent processing, critical-infrastructure data, processing for or about armed forces personnel, and similar categories where compromise affects national security.

  6. Public order

     Processing whose compromise could provoke unrest — anything involving caste, religion, or other socially sensitive markers at scale, where a breach could fuel communal incidents.

Section 10(1), DPDP Act 2023. The factors are non-exhaustive — the Central Government can designate any Data Fiduciary it considers Significant having regard to the above and other relevant factors.

What changes the day you are designated

Four obligations attach immediately on SDF designation under Section 10(2). Each is a concrete deliverable, not a principle — the Data Protection Board will ask for the artefact, not the intent.

Section 10(2)(a)

Appoint a Data Protection Officer

Section 10(2)(a). The DPO must be India-resident, senior in the organisation, and report directly to the Board of Directors (or equivalent governing body). A foreign-resident "global privacy lead" does not satisfy DPDP — you need a separate India-resident appointment. The DPO is the named contact for the Data Protection Board and the public Grievance Officer route under Section 8(10).

Section 10(2)(b)

Appoint an independent Data Auditor

Section 10(2)(b). An independent professional or firm — not your in-house team and not your statutory financial auditor — empanelled to conduct the periodic data audit required below. Independence is the operative word: the same firm cannot both build your privacy programme and audit it.

Section 10(2)(c)

Conduct a Data Protection Impact Assessment

Section 10(2)(c). A periodic DPIA covering every processing activity, the legal basis, data flows, retention, vendor exposures, breach history, and proposed mitigations. The DPIA is a living document — refresh on every material change to processing, not just annually. The DPIA is the single most-cited evidence pack in any Section 33(2) mitigation argument.

Section 10(2)(c)

Periodic audit by the independent auditor

Section 10(2)(c). The independent auditor conducts a documented audit on a cadence set by the Rules (currently annual at minimum). The audit covers technical controls, organisational controls, vendor management, breach response, and rights-request handling. Audit findings and remediation status are reportable to the Board.

Section 10(2)

Other measures prescribed by the Central Government

Section 10(2). The Act contemplates additional measures the Central Government may notify for specific SDFs — for example, data localisation, sector-specific reporting, or restrictions on cross-border transfers. These are notified case-by-case via the Rules.

Which industries are most likely to be designated

The Act does not enumerate industries — the Central Government does. But the published criteria map cleanly onto these sectors. If you operate in any of them at scale, plan as if designated and budget for the four obligations now.

Large social and consumer platforms

Volume + electoral-democracy risk + public-order risk all trip simultaneously above roughly 50 million Indian users.

Examples: Major social networks, large messaging platforms, video-sharing networks

Banking, payments, fintech at scale

Volume + sensitivity (financial data) + RBI sector overlay (master directions on data localisation, breach reporting) mean any large BFSI firm should plan for SDF designation, not hope to avoid it.

Examples: Large private banks, top-5 payment aggregators, top-10 NBFCs

Healthcare and diagnostics at scale

Health data is intrinsically sensitive under Section 2(t). Diagnostics chains, hospital groups, and digital-health platforms above a few million records will be designated even at modest volumes.

Examples: Pan-India hospital chains, large diagnostic networks, telemedicine platforms

EdTech with under-18 users at scale

Children's data (Section 9) automatically elevates the risk-to-Data-Principals scoring. Any EdTech with millions of student records is a near-certain SDF.

Examples: K-12 learning platforms, large coaching platforms, language-learning apps for children

Telecom service providers

Subscriber metadata, location, call records — all sovereignty-implicating categories. Telcos sit at the intersection of DoT licence conditions and DPDP.

Examples: Major telcos, ISPs above a threshold subscriber base

Aadhaar-linked services at scale

UIDAI authentication or Aadhaar e-KYC at volume couples national-ID exposure with biometric-derived data. The sovereignty and security-of-the-State factors apply directly.

Examples: KYC service providers, identity-verification platforms, government-tech intermediaries

Large e-commerce and D2C platforms

Volume thresholds apply; behavioural-profiling and address-graph data raise the risk to the rights of Data Principals. Most top-10 e-commerce platforms by GMV should plan as if designated.

Examples: Top 5 horizontal marketplaces, top quick-commerce platforms

AdTech and DMPs

Cross-site profiling, audience segments, lookalike modelling — all explicitly listed by international privacy regulators as high-risk processing. Indian AdTech at scale will be designated.

Examples: Large DSPs/SSPs operating in India, profile-aggregation platforms

A 12-point self-assessment

If three or more of these statements describe your business, your odds of being designated within the 18-month rollout are high enough to start preparing the four obligations now.

  1. You process the personal data of more than 5 million Data Principals.

  2. You process data of children (under 18) at any meaningful scale.

  3. You handle sensitive personal data — health, biometric, financial, caste, religion — for more than 100,000 individuals.

  4. You operate a platform that could influence electoral outcomes through targeting or content distribution.

  5. You process Aadhaar, PAN, voter-ID or other national-identifier data at scale.

  6. Your business model involves automated decision-making about employment, credit, insurance, education, or healthcare access.

  7. You build behavioural profiles or audience segments and license them to third parties.

  8. You operate critical infrastructure — payments rails, identity providers, telecom, healthcare networks.

  9. A breach of your systems could realistically expose Indian-citizen data to a foreign state.

  10. You have an active sector regulator with overlapping data obligations (RBI, IRDAI, SEBI, TRAI, DoT, ICMR).

  11. You have ever been issued a data-protection notice, advisory, or penalty by any Indian regulator.

  12. Your platform has been covered in Indian press in the last 24 months in connection with a data incident.

Common questions

What Indian compliance and legal teams ask us most often about SDF designation.

Has the Central Government issued the SDF list yet?

Not at the time of writing. The DPDP Rules 2025 notified on 13–14 November 2025 set the procedural mechanism for SDF designation but do not name specific Fiduciaries. The list is expected to be issued in phases as the Data Protection Board operationalises through the 13 May 2027 deadline. Indian companies above the criteria thresholds should plan as if designated and reduce time-to-compliance from the day the notification lands.

Can a small startup be designated as a Significant Data Fiduciary?

Section 10(1) does not impose a revenue or headcount threshold. A small startup processing under-18 user data, biometrics, or national-identifier data at any meaningful scale can be designated. Volume is one of six factors — none of them are dispositive in isolation. A 30-person edtech startup with 2 million student users is a more likely candidate than a 500-person B2B SaaS with no consumer data.

Can my existing GDPR DPO double as our DPDP DPO?

Only if they are India-resident and senior enough to report to the Board. Section 10(2)(a) requires the DPO to be based in India. A London-based or San-Francisco-based privacy lead can advise the Indian DPO but cannot fill the statutory role. Plan for a separate India-resident appointment if you expect SDF designation — recruiting takes 3–6 months in the current market.

What is the penalty if a Significant Data Fiduciary fails its obligations?

The penalty band for SDF-specific failures is up to ₹150 crore under the Schedule to the DPDP Act. This is independent of the ₹250 crore band for failures of reasonable security safeguards under Section 8(5) and the ₹200 crore band for failure to notify a breach. A single incident can trigger multiple bands. The Data Protection Board applies Section 33(2) mitigation factors — gravity, deliberateness, mitigation, cooperation — when setting the actual quantum.

How do we conduct a DPIA if we have never done one?

A first-time DPIA documents every processing activity, the legal basis, data flows in and out, retention period, vendor exposures, breach history, and mitigations either in place or planned. Inventory first (RoPA), then map the risk to Data Principals, then document the controls. Most Indian SDFs run their first DPIA over 4–6 weeks. The deliverable is a versioned document the Board can audit — keep it under version control with a change log.

Does an SDF need a separate audit on top of its statutory financial audit?

Yes. Section 10(2)(b) requires an independent Data Auditor distinct from your statutory financial auditor. The Data Auditor is empanelled to audit privacy controls, breach response, and rights-request handling — not financial statements. The two audits can share scheduling and documentation infrastructure but cannot be performed by the same firm without explicit separation of teams and reporting lines.

What happens if we are designated mid-year — do we get a transition period?

The Rules 2025 contemplate a reasonable transition period from the date of notification, typically aligned with the next audit cycle. The exact window will depend on the designation notification. Practically, you should be in a position to appoint a DPO within 90 days and an independent auditor within 180 days. Sites that scan well today are sites that can absorb designation without a fire drill.

How does the scanner help with SDF readiness?

The free scanner checks ten DPDP categories — including the security signals (HTTPS, HSTS, CSP), the grievance officer publication required under Section 8(10), and the cookie-consent UX required under Section 6. Pass scores on these categories are necessary, not sufficient, for SDF readiness. The free audit goes further: a checkDPDP specialist walks every Warn and Fail and proposes the SDF-grade controls (DPIA template, DPO charter, auditor RFP) on top of the technical fixes.
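The three security signals named above (HTTPS, HSTS, CSP) are response-level properties a team can check itself before a scan. The following Python is an added, illustrative check of that kind; it is not checkDPDP's scanner code, and its grading rules (a one-year HSTS max-age with includeSubDomains for a pass, weak CSP source expressions downgraded to Warn, Report-Only CSP counted as Warn) are assumptions about what a reasonable scanner would expect, not the scanner's published thresholds. The sample responses are constructed, not captured from any site.

```python
"""Illustrative pass/warn/fail grading of HTTPS, HSTS and CSP signals.
Added example; thresholds are assumptions, not checkDPDP's scanner rules."""
import re

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age for a pass


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def check_https(scheme):
    """The page must be served over TLS; anything else is a hard fail."""
    return "pass" if scheme.lower() == "https" else "fail"


def check_hsts(headers):
    """Grade Strict-Transport-Security by max-age and includeSubDomains."""
    h = _lower_keys(headers)
    value = h.get("strict-transport-security")
    if value is None:
        return "fail"
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return "fail"  # present but unparseable: browsers ignore it
    max_age = int(m.group(1))
    if max_age == 0:
        return "fail"  # max-age=0 tells browsers to forget the policy
    if max_age < ONE_YEAR or "includesubdomains" not in value.lower():
        return "warn"
    return "pass"


def check_csp(headers):
    """Grade Content-Security-Policy on whether script execution is governed
    and whether the governing directive contains weak source expressions."""
    h = _lower_keys(headers)
    value = h.get("content-security-policy")
    if value is None:
        # Report-Only mode enforces nothing; give partial credit only.
        return "warn" if "content-security-policy-report-only" in h else "fail"
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src falls back to default-src when absent, as browsers do.
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "warn"  # nothing governs script execution
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    if weak & set(script):
        return "warn"
    return "pass"


def assess(scheme, headers):
    """Return one result per category in the pass/warn/fail vocabulary."""
    return {
        "https": check_https(scheme),
        "hsts": check_hsts(headers),
        "csp": check_csp(headers),
    }


# Constructed sample responses (not captured from any real site).
STRONG = ("https", {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example; "
        "object-src 'none'"
    ),
})
WEAK = ("http", {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
})

if __name__ == "__main__":
    for name, (scheme, hdrs) in (("strong", STRONG), ("weak", WEAK)):
        print(name, assess(scheme, hdrs))
```

Run as a script it prints the grade for both constructed responses; in practice you would feed it the scheme and headers of a real fetch of your own site. A Warn here is exactly the kind of finding the audit described above walks through, so clearing them before designation removes noise from the SDF-grade review.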

Find your SDF exposure before the Board does.

The free scanner gives you the 10-category baseline in 60 seconds. The free audit goes further — a checkDPDP specialist walks every category and proposes the SDF-grade controls on top of the technical fixes.