Key Takeaways
- Section 10 of the DPDP Act empowers the government to classify certain Data Fiduciaries as 'Significant' based on volume of personal data, sensitivity, risk to Data Principals and risk to electoral democracy or state security.
- Likely SDFs: large social media platforms, major e-commerce, fintech and payment processors, health-tech with regulated data, large SaaS platforms, NBFCs and banks. Notification criteria expected in DPDP Rules 2025.
- SDF obligations: appoint a DPO, conduct DPIA for high-risk processing, undergo independent annual audit, register with DPB, additional reporting.
- Most Indian SMBs are NOT SDFs but enterprise customers increasingly ask for SDF-equivalent documentation in vendor due diligence.
- Prepare now regardless of designation: an SDF-ready programme satisfies all customer due diligence and positions you for any future notification.
What is a Significant Data Fiduciary?
Section 10 of the DPDP Act 2023 introduces a special category of Data Fiduciary subject to enhanced obligations: the Significant Data Fiduciary (SDF). The central government will notify which Data Fiduciaries (or classes of them) qualify as SDFs based on factors specified in the Act.
The SDF designation is not based purely on size or revenue. It is based on the nature and impact of personal data processing. A small fintech startup processing high-volume payment data might be designated; a large manufacturing company processing only employee records might not.
As of mid-2026, the government has not published the SDF notification list. Draft DPDP Rules 2025 specify the consultation process. Most Indian businesses are preparing in parallel: maintain SDF-equivalent documentation regardless of formal designation, because customer due diligence and good practice converge on the same controls.
The Section 10 Designation Criteria
Section 10(1) authorises the central government to notify any Data Fiduciary or class of Data Fiduciaries as 'Significant' based on:
1. Volume and Sensitivity of Personal Data Processed
Larger volumes plus more sensitive categories (financial, health, biometric, special category) push toward SDF designation. Likely thresholds (speculation, not yet published): millions of Data Principals, processing of sensitive data at scale.
2. Risk to the Rights of Data Principals
Processing that has higher potential for harm to individuals (identity theft, financial fraud, discrimination, manipulation) is more likely to trigger SDF status. This captures social media platforms with content amplification, ad-tech platforms with behavioural profiling, fintech with credit scoring algorithms.
3. Potential Impact on Sovereignty and Integrity of India
Processing with national security implications: telecom data, geolocation at scale, sensitive personal data of government officials or strategic-sector employees.
4. Risk to Electoral Democracy
Processing that could influence elections: social media platforms, political ad-tech, voter targeting analytics.
5. Security of the State, Public Order
Processing relevant to law enforcement and public safety: surveillance providers, identity verification services with large user bases.
Need a DPDP Compliance Programme?
Codesecure runs DPDP Act 2023 compliance programmes for Indian businesses: data mapping, notice and consent redesign, data principal rights workflow, breach playbook. ISO/IEC 27001:2022 certified delivery, fixed-fee engagements.
Who Will Likely Be Classified as SDF
Based on the Section 10 criteria and parallel regulations in other jurisdictions, likely SDF candidates in India include:
Very Likely
Large social media intermediaries (Meta, X, LinkedIn India operations, ShareChat, Koo), major e-commerce platforms (Flipkart, Amazon India, Meesho, Reliance Retail digital), large fintech and payment processors (Paytm, PhonePe, Razorpay, BharatPe), credit bureaus (CIBIL, Experian, Equifax India), account aggregators, major banks and NBFCs.
Probably Likely
Large health-tech platforms (1mg, PharmEasy, Tata 1mg, Practo), major SaaS platforms with India-resident user data at scale, online education platforms at scale (BYJU'S, Unacademy, Vedantu), ride-hailing and food delivery (Ola, Uber India, Zomato, Swiggy), tax and identity service providers, insurance aggregators.
Possibly Likely
Mid-sized fintech with credit decisioning, HR-tech platforms with employee personal data at scale, real estate platforms with KYC data, online gaming platforms, matrimonial and dating platforms.
Probably NOT SDF
Most B2B SaaS startups (they process their customers' employee data, not consumer personal data at scale), small e-commerce businesses, service businesses holding employee-only personal data, and most Indian SMBs with fewer than a few hundred thousand users.
SDF Additional Obligations
Once designated, Significant Data Fiduciaries take on obligations beyond the baseline Data Fiduciary obligations:
Section 10(2)(a): Data Protection Officer Appointment
SDFs must appoint a Data Protection Officer (DPO) based in India, reporting to the board of directors or equivalent. The DPO is the official point of contact for the Data Protection Board, for Data Principals exercising their rights, and for grievance redressal. The DPO must be qualified, independent and adequately resourced. This role is separate from the Section 14 grievance officer.
Section 10(2)(b): Independent Data Auditor
SDFs must appoint an independent data auditor to evaluate compliance with the Act, the Rules and the Section 10 obligations. Audit periodicity is not yet specified by the Rules; it is likely to be annual, based on parallel regulations. The auditor's reports must be made available to the DPB on request.
Section 10(2)(c): Data Protection Impact Assessment (DPIA)
SDFs must conduct DPIAs for processing operations the Rules will specify (likely high-risk processing, large-scale processing of sensitive categories, automated decision-making with significant effects). DPIA documentation includes: nature, scope, context, purpose; necessity assessment; risk to Data Principals; mitigation measures. Similar in structure to GDPR Article 35 DPIA.
Section 10(2)(d): Other Measures Specified by Rules
The Rules can prescribe additional measures: enhanced security safeguards, periodic external review of processing, data localisation requirements for specific data categories, additional transparency obligations. Draft DPDP Rules 2025 hint at some of these but final form is pending.
How to Prepare Whether or Not You Are Designated
Regardless of formal SDF designation, the operational programme is similar. Prepared Indian businesses build SDF-ready programmes proactively for three reasons: (1) customer due diligence increasingly asks for SDF-equivalent documentation, (2) good practice converges on the same controls, (3) once notified, the implementation timeline is short.
Build the SDF-ready programme: appoint a DPO or DPO-equivalent (can be outsourced retainer), conduct DPIA for high-risk processing, run annual independent audit (Codesecure provides this independently of the consulting engagement), build comprehensive RoPA and rights workflow, document everything. Total additional cost over baseline DPDP: typically INR 50K-1.5L per year depending on scope.
Frequently Asked Questions
How do we know if we are a Significant Data Fiduciary under DPDP?
The central government will notify the criteria and the specific Data Fiduciaries or classes that qualify. As of mid-2026 no list is published. Use Section 10 criteria as guidance: volume and sensitivity of personal data, risk to Data Principals, electoral democracy, state security. Likely SDFs: large social media, major e-commerce, fintech, health-tech, credit bureaus, account aggregators. Most Indian SMBs are NOT SDFs.
If we are not SDF, do we still need a DPO?
The Section 10 DPO requirement applies to SDFs only. Other Data Fiduciaries must appoint a grievance officer under Section 14 (this can be any responsible employee). Many Indian businesses voluntarily appoint a DPO-equivalent (an outsourced retainer or a named internal role) because enterprise customer due diligence increasingly asks for it. Codesecure offers outsourced DPO advisory, typically INR 30K-60K per quarter.
What is a Data Protection Impact Assessment (DPIA)?
A formal documented assessment of high-risk personal data processing covering: nature, scope, context, purpose of processing; necessity and proportionality assessment; risks to Data Principals; mitigation measures. SDFs must conduct DPIA for processing operations the Rules will specify. The methodology is similar to GDPR Article 35 DPIA. Codesecure provides DPIA templates and conducts assessments as part of DPDP programmes.
Who can be the independent data auditor for SDFs?
Section 10(2)(b) requires an independent data auditor, separate from the SDF's regular consultants. Likely qualifying parties: established audit firms (Big 4, Indian mid-tier), specialised data protection consultancies, ISO 27001 certification bodies. Codesecure acts as independent data auditor for SDF clients separately from its consulting engagements with non-SDF clients, maintaining the independence the Act requires.
Should we wait for official SDF notification before implementing?
No. Two reasons: (1) once notified, the implementation timeline is short and you do not want to scramble, (2) the SDF-ready programme overlaps significantly with baseline DPDP, ISO 27001 and customer due diligence requirements, so the work is not wasted regardless. Prepared Indian businesses build SDF-ready programmes proactively.
What is the cost difference between SDF and non-SDF DPDP programmes?
Codesecure pricing: baseline non-SDF DPDP programme INR 75K-2L. SDF-ready programme INR 2L-2.5L+ (adds DPO advisory retainer INR 30K-60K per quarter, DPIA methodology and execution, independent audit support). The additional cost is small relative to the SDF non-compliance penalty (up to INR 250 crore).
Does being an SDF affect our cross-border data transfers?
Section 16 governs cross-border transfers for all Data Fiduciaries. SDFs may face additional restrictions or data localisation requirements via Section 10(2)(d) 'other measures' in the Rules. Draft DPDP Rules 2025 hint at potential data localisation for specific data categories of SDFs but final form is pending. Plan architecture flexibility to keep certain data classes in India.
Build an SDF-Ready DPDP Programme Now, Before Notification
Codesecure runs DPDP Act 2023 compliance programmes including SDF-ready preparation for likely-designated Indian businesses. DPO advisory, DPIA methodology, independent audit, rights workflow. ISO/IEC 27001:2022 certified delivery, fixed-fee engagements.