Significant Data Fiduciary: Are You One Without Knowing It?
The thresholds, the obligations, and the practical signals that you're operating like an SDF — even before formal designation. Includes a self-assessment.
Section 10 of the Digital Personal Data Protection Act, 2023 lets the Central Government designate a Data Fiduciary — or a class of Data Fiduciaries — as a Significant Data Fiduciary (SDF). Once designated, the obligations step up meaningfully: appoint an India-based Data Protection Officer, appoint an independent data auditor, run DPIAs, and other prescribed measures.
Most Indian SMEs assume SDF status is a large-enterprise problem. It isn't. Consumer platforms, health tech, edtech, and fintech are frequently one growth quarter away from tripping thresholds. Here is a practical way to think about it.
What triggers SDF designation
Section 10(1) lists the factors the government considers:
- Volume and sensitivity of personal data processed
- Risk to the rights of data principals
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
These are broad and discretionary. There is no bright-line "10 million users" number in the Act. Designation happens by notification, and the criteria have been signalled through consultation drafts.
The practical signals
Instead of waiting for formal designation, run these five signals against your business. If two or more are green, you should be operating as if you were an SDF — even before designation.
Signal 1: Volume
- Yellow: > 1 million monthly active data principals in India.
- Green: > 10 million cumulative Indian data principals.
Consumer platforms cross Yellow fastest. Once you're B2C at scale in India, this signal is almost always active.
Signal 2: Sensitivity
- Yellow: processing financial data, health data, or biometric data at any scale.
- Green: processing children's data as a core purpose (edtech, kids' content, family products).
Fintech, healthtech, and edtech should assume this signal is green from day one.
Signal 3: Cross-context inference
- Yellow: you combine data across contexts to infer sensitive attributes (behavioural targeting, credit inference, health inference).
- Green: the inferences drive automated decisions with material impact (credit, insurance, employment).
Ad-tech, alternative-data lenders, and screening platforms are structurally on this signal.
Signal 4: Public interest exposure
- Yellow: you host user-generated content at national scale or influence public discourse.
- Green: your platform has been involved in a public dispute with a regulator or the government about content, misinformation, or election-related material.
Social platforms, news aggregators, and messaging services.
Signal 5: Concentration
- Yellow: you are the largest or second-largest provider in your category in India.
- Green: you have systemic importance — e.g., payment infrastructure, KYC infrastructure, or identity-adjacent services.
What changes on designation
Section 10(2) obligations:
- Data Protection Officer (India-based). A senior person, physically resident in India, reporting to the board or an equivalent governing body. Publicly named. This role is meaningfully more senior than a typical Privacy Champion — it's a Level 2 executive.
- Independent data auditor. Annually. The auditor evaluates compliance and issues a report to the Board. The auditor cannot be your existing internal or statutory auditor.
- Data Protection Impact Assessments. Mandatory for high-risk processing activities. Documented, updated, and reviewable.
- Periodic audit. Broader than the independent audit — covers the full control set annually.
- Other measures as prescribed. The Central Government may layer additional obligations.
The signals no one talks about
Beyond Section 10 itself, a few operational signals suggest SDF-like scrutiny even before designation:
- Media coverage. Once you're in national business press regularly, regulators watch.
- Investor scrutiny. Series B and later investors ask for DPO and data auditor at diligence.
- Enterprise customer diligence. Large customers demand SDF-equivalent controls in their vendor questionnaires. Failing to answer costs contracts.
A pragmatic transition plan
If two or more signals above are green:
Now (month 0):
- Engage a fractional or full-time DPO in India. If full-time isn't in this year's budget, our fractional DPO service exists exactly for this transitional period.
- Publish the DPO name and contact on the website.
Month 1–3:
- Formalise a DPIA methodology and run DPIAs on your top three high-risk processing activities.
- Line up an independent data auditor for an initial baseline audit.
Month 3–6:
- Complete the baseline independent audit; close findings.
- Establish a quarterly board-level privacy review.
- Sequence any outstanding vendor DPAs and cross-border transfer documentation.
Ongoing:
- Annual independent audit.
- DPIA refresh on any material change.
- Board-level briefing at least twice a year.
The cost of pre-designation readiness
For a mid-size Indian business, moving to SDF-equivalent operations costs roughly:
- Fractional DPO: ₹8–15 lakh per year.
- Baseline independent audit: ₹4–8 lakh (one-off).
- DPIA methodology and initial DPIAs: ₹3–5 lakh.
- Annual audit: ₹3–6 lakh per year.
Total year-one incremental: ₹18–34 lakh. Non-trivial, but far lower than the cost of being caught unprepared at designation, or of losing enterprise contracts because you can't answer diligence.
Self-assessment
Answer honestly:
- Do you process personal data of more than 1 million Indian data principals annually?
- Do you process financial, health, biometric, or children's data as a core purpose?
- Do you combine data across contexts to drive automated decisions?
- Have you been publicly involved in a regulator-level content or data dispute?
- Are you a top-two provider in your category in India, or systemically important?
Two or more Yes: operate as an SDF now. One Yes: watch the signals quarterly. Zero Yes: run the standard DPDP program from our checklist and revisit in 12 months.
For a designation-readiness workshop tailored to your business, our DPDP Act compliance program includes an SDF assessment module.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation