1. Significant Data Fiduciary (SDF) Designation
Not all Data Fiduciaries are created equal. Organizations processing large volumes of personal data or handling sensitive information face enhanced obligations under DPDPA. These are designated as Significant Data Fiduciaries (SDFs).
Section 10(1) empowers the Central Government to notify Data Fiduciaries as "Significant" based on assessment of these factors:
- Volume and Sensitivity: Amount and nature of personal data processed
- Risk to Rights: Potential harm to Data Principals' rights
- Sovereignty Impact: Effect on India's sovereignty and integrity
- Electoral Democracy: Risk to democratic processes
- Security of State: National security implications
- Public Order: Impact on public order and safety
Likely SDFs (a projection from the statutory criteria, not a notified list):
- Large Tech Platforms: Google, Meta, Amazon, Microsoft (hundreds of millions of Indian users each)
- Telecom Operators: Airtel, Jio, Vi (comprehensive location and communication data)
- Major E-commerce and Payments: Flipkart, Amazon India, Paytm (transaction data at scale)
- Large Banks & Financial Institutions: SBI, HDFC, ICICI (financial data)
- Healthcare Platforms: Apollo 24/7, Practo (health data)
- Major EdTech: BYJU'S, Unacademy (children's data)
Possibly NOT SDFs:
- Small e-commerce with limited user base
- Local healthcare clinics with manual records
- SMEs processing minimal personal data
Once notified as SDF, the organization MUST:
- Appoint Data Protection Officer (DPO) - Must be based in India, responsible to Board
- Conduct Periodic DPIA - Data Protection Impact Assessment annually
- Conduct Independent Audits - External auditor evaluates compliance annually
- Report to the Data Protection Board - The person who carries out the DPIA or audit furnishes a report of significant observations to the Data Protection Board of India (not to be confused with the company's Board of Directors, to which the DPO is responsible)
- Algorithm Due Diligence - Verify algorithmic software doesn't pose risks to Data Principals
- Data Localization (if notified) - Certain sensitive data categories may be restricted from cross-border transfer
SDFs face the highest penalty exposure under DPDPA. The Schedule to the Act sets a separate maximum for each head of breach, not one combined cap:
- Up to ₹150 crore for breach of the additional obligations of an SDF under Section 10 (DPO appointment, periodic DPIA and audit, algorithmic due diligence, and any localization requirement prescribed under the Rules)
- Up to ₹250 crore for failing to implement reasonable security safeguards (Section 8(5)), an obligation that applies to every Data Fiduciary
- Up to ₹200 crore for failing to notify the Data Protection Board and affected Data Principals of a personal data breach (Section 8(6))
- Failure to appoint a DPO, or not conducting the DPIA/audit, falls under the Section 10 head
- Because each breach is penalized separately, an SDF that fails on both security safeguards and its Section 10 obligations is exposed to both maximums
The designation as SDF is a serious matter that transforms compliance requirements fundamentally.
DPDPA follows the principle of proportionate regulation: Greater power comes with greater responsibility. Organizations with massive data processing capabilities and potential to cause large-scale harm face correspondingly stricter obligations.
This approach balances:
- Not overburdening small businesses (SMEs get lighter compliance)
- Ensuring big tech and platforms are held to highest standards
- Protecting Data Principals from systemic risks
- Central Government notifies SDFs after assessing relevant factors, six of which the Act names (the list is inclusive, not exhaustive)
- Volume, sensitivity, and risk to rights are primary considerations
- SDFs include large tech platforms, telecoms, major e-commerce, banks
- Enhanced obligations: DPO, DPIA, audits, algorithmic due diligence
- Penalties: up to ₹150 crore per breach of SDF obligations (Section 10), in addition to the general heads such as up to ₹250 crore for inadequate security safeguards
- Proportionate regulation: Bigger organizations = stricter compliance
2. Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a systematic evaluation of data processing activities to identify and mitigate risks to Data Principals' rights. Under Section 10(2)(c)(i) and Rule 13, SDFs must conduct periodic DPIAs.
DPIA is a structured process comprising:
- Description of Rights: Identify Data Principals' rights that may be affected
- Purpose of Processing: Document why personal data is being processed
- Risk Assessment: Evaluate risks to Data Principals (privacy breaches, discrimination, etc.)
- Risk Management: Identify measures to mitigate identified risks
- Other Prescribed Matters: As per DPDP Rules
Frequency: At least once every 12 months from SDF notification date
Scenario: A social media platform (SDF) introduces a new AI-powered "friend recommendation" feature that analyzes user behavior, location, and interests.
DPIA Process:
1. Describe Rights Affected:
- Right to access information about processing (Section 11): users may not know what data is analyzed
- Right to correction and erasure (Section 12): the algorithm may keep using outdated preferences
- Right to withdraw consent (Section 6(4)): users must be able to stop behavioral analysis as easily as they agreed to it
(DPDPA has no GDPR-style right to object to profiling; the nearest levers are consent withdrawal and erasure.)
2. Purpose: Improve user experience by suggesting relevant connections
3. Risk Assessment:
- High Risk: Sensitive inferences (religion, political views) may be derived
- Medium Risk: Location tracking may reveal home/work addresses
- Low Risk: Basic interest matching (e.g., both like cricket)
4. Mitigation Measures:
- Implement consent mechanism specifically for this feature
- Allow users to opt-out of behavioral analysis
- Provide transparency report showing what data is used
- Regular algorithm audits to detect bias
- Data minimization: Use only necessary attributes
5. Submit Report: Significant findings submitted to Data Protection Board
- Conduct the first DPIA within 12 months of SDF notification
- Document all processing activities comprehensively
- Identify high-risk processing (profiling, children's data, data of particular sensitivity)
- Assess risks: likelihood and severity
- Design mitigation strategies for each identified risk
- Decide who conducts the DPIA: the Act requires an independent auditor for the data audit but does not require the DPIA itself to be external; whoever conducts it must produce a report fit for the Data Protection Board
- Submit the DPIA report with significant observations to the Data Protection Board
- Review and update the DPIA annually
- Implement recommended safeguards
- Maintain DPIA records for audit
- DPIA is mandatory for SDFs, conducted annually
- Systematic process: Describe rights, purpose, assess risks, manage risks
- The audit must be carried out by an independent data auditor; the DPIA may be done internally, but its significant observations must still be reported to the Board
- Significant findings reported to Data Protection Board
- DPIA is proactive risk management, not reactive compliance
- Helps organizations identify privacy issues before they become violations
3. Data Protection Officer (DPO)
The Data Protection Officer (DPO) is the linchpin of an SDF's compliance program. Under Section 10(2)(a), every SDF must appoint a DPO.
Statutory Requirements (Section 10(2)(a)) - the DPO must:
- Represent the SDF: Act as its representative under the provisions of DPDPA
- Be based in India: Physically located in India (not a remote officer in another country)
- Be responsible to the Board: Answerable to the Board of Directors or a similar governing body
- Be the point of contact: Interface for the grievance redressal mechanism with Data Principals
Typical responsibilities in practice (not enumerated in the Act, but how the role is usually scoped):
- Liaison with Data Protection Board: Primary contact for regulatory interactions
- Compliance Oversight: Monitor SDF's adherence to DPDPA and DPDP Rules
- Training & Awareness: Educate employees on data protection obligations
- Policy Development: Develop and update data protection policies
- Grievance Handling: Manage Data Principal complaints and grievances
- DPIA Coordination: Oversee Data Protection Impact Assessments
- Audit Facilitation: Coordinate independent data audits
- Breach Response: Lead data breach notification and remediation
- Board Reporting: Regular compliance updates to leadership
- Regulatory Liaison: Interface with Data Protection Board
- Record-Keeping: Maintain comprehensive compliance documentation
A typical working day for an SDF's DPO (illustrative):
Morning (9 AM - 12 PM):
- Review overnight data breach alerts (none today, thankfully)
- Meeting with engineering team about new feature launch - conduct quick DPIA review
- Approve updated privacy notice for mobile app
- Respond to 3 Data Principal access requests
Afternoon (2 PM - 5 PM):
- Training session for customer support team on handling data requests
- Review quarterly DPIA report prepared by external consultant
- Call with legal team about cross-border data transfer agreement
- Update Board presentation on compliance status
Evening (5 PM - 6 PM):
- Review Data Protection Board circular on consent management
- Email to CEO: Recommend additional budget for security upgrades
DPDPA does NOT prescribe specific qualifications, but effective DPOs typically have:
- Legal Knowledge: Understanding of DPDPA, IT Act, relevant laws
- Technical Expertise: Familiarity with data systems, security, encryption
- Business Acumen: Balance compliance with business objectives
- Communication Skills: Interface with Board, employees, regulators, Data Principals
- Independence: Ability to report concerns without fear
Emerging certifications: CIPP/E (Certified Information Privacy Professional), CIPM (Certified Information Privacy Manager)
- DPO mandatory only for SDFs (not all Data Fiduciaries)
- Must be based in India and report to Board of Directors
- Represents SDF in all DPDPA matters
- Primary responsibilities: compliance oversight, training, DPIA, grievances
- No specific qualifications prescribed, but legal + technical knowledge essential
- DPO ensures accountability at highest organizational level
4. Cross-Border Data Transfer Rules
Section 16 grants the Central Government power to restrict cross-border transfer of personal data to specific countries or territories. This is one of the most debated provisions of DPDPA.
Section 16(1): The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such countries or territories outside India as it notifies.
Section 16(2): Nothing in Section 16 dilutes any other law that applies a higher degree of protection or restriction; sectoral localization mandates (for example, the RBI's 2018 directive on storage of payment system data) continue to apply alongside DPDPA.
Default Position: Until the Government issues such a notification, cross-border transfers are generally permitted, subject to a valid legal basis (consent or a legitimate use under Section 7), the notice and security-safeguard obligations, and any transfer requirements the Central Government specifies under the DPDP Rules (for instance, regarding making personal data available to a foreign State or its agencies).
Rule 13(4) - SDF Data Localization: SDFs must ensure that personal data categories specified by the Government (on the recommendation of a committee) are processed subject to the restriction that the data, and traffic data about its flow, are not transferred outside India.
As of December 2025, the Central Government has NOT YET NOTIFIED:
- Which countries/territories are restricted for data transfers
- Which personal data categories must be localized for SDFs
- Criteria for "safe" vs. "unsafe" countries
Until notifications are issued, organizations should:
- Continue existing cross-border transfers (with a valid legal basis and proper notice)
- Monitor the MeitY website for notifications
- Prepare contingency plans for potential restrictions
- Document all cross-border data flows
Scenario 1: Cloud Storage
Indian startup uses AWS servers in Singapore for customer data storage.
Current Status: Permitted (no restrictions notified yet)
Requirements: Valid consent, security safeguards, data processing agreement with AWS
Future Risk: If government restricts transfers to Singapore, must migrate to Indian servers
Scenario 2: SDF Healthcare Platform
Major health-tech platform (SDF) processes patient data.
Current Status: Permitted; can use global cloud providers
Likely Future: If "health data" is notified under Rule 13(4), must localize in India
Preparation: Architect systems to enable rapid localization if needed
Scenario 3: Multinational HR System
Global company with Indian employees uses centralized HR system in USA.
Current Status: Permitted (no restrictions notified yet)
Legal basis: Processing for employment purposes is a legitimate use under Section 7(i), so separate employee consent is not required for core HR processing; consent remains the basis for anything beyond that purpose
Compliance: Data processing agreement with the system provider, security safeguards, notice to employees, documented data flows
| Aspect | DPDPA (India) | GDPR (EU) |
|---|---|---|
| Default | Permitted until restricted | Restricted unless adequate safeguards |
| Mechanism | Government notification (blacklist) | Adequacy decisions, SCCs, BCRs (whitelist) |
| Localization | Possible for SDFs (Rule 13(4)) | No mandatory localization |
| Current Status | No restrictions notified yet | Adequacy decisions for roughly fifteen countries/territories; all other destinations need SCCs, BCRs or another Chapter V transfer tool |
- Section 16: Government can restrict transfers to specific countries
- No restrictions notified yet - transfers currently permitted with a valid legal basis (consent or a Section 7 legitimate use)
- SDFs may face data localization for certain sensitive categories (Rule 13(4))
- Organizations should map and document all cross-border data flows
- Monitor MeitY notifications for updates
- DPDPA uses "restriction" model vs. GDPR's "adequacy" model
5. Record-Keeping & Audit Obligations
Effective compliance requires meticulous documentation. DPDPA has no single GDPR-style records-of-processing article, but record-keeping is implied throughout: the burden of proving that notice was given and consent obtained rests on the Data Fiduciary (Section 6(10)), the Rules' reasonable security safeguards include retaining logs for a minimum period (one year) so breaches can be detected and investigated, and SDFs must be able to evidence their DPIAs and audits.
Record-Keeping Requirements
- Consent Logs:
- When consent was obtained
- How consent was obtained (method)
- What consent was for (purpose)
- Consent withdrawal records
- Processing Records:
- Data inventory (what personal data is held)
- Processing activities log
- Purpose and legal basis for each processing activity
- Data retention periods
- Data Sharing Records:
- List of third parties with whom data is shared
- Data processing agreements with processors
- Cross-border transfer documentation
- Data Principal Requests:
- Access requests and responses
- Correction/erasure requests and actions taken
- Grievances filed and resolutions
- Breach Register:
- Details of all personal data breaches, however minor: DPDPA sets no materiality threshold, so every breach is notifiable
- Actions taken to contain and remediate
- Notifications sent to the Data Protection Board and to each affected Data Principal, with timestamps (the Rules require intimation without delay and a detailed report to the Board within 72 hours)
- Security Measures:
- Documentation of security safeguards implemented
- Vulnerability assessment reports
- Employee training records
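The consent-log fields above are easy to list and easy to get wrong in practice: the log has to show, for one Data Principal and one purpose, whether consent was in force at the moment the data was used, and it has to survive an auditor asking whether anyone edited it afterwards. The following Python is an added illustration written for this page, not code from any vendor, regulator or the page's author. It keeps consent events in an append-only log where every record carries the SHA-256 of the previous one, so deleting or altering a record breaks the chain, and it answers point-in-time validity questions by replaying a principal's events. The identifiers, purposes, capture methods and timestamps are constructed sample data.

```python
"""Tamper-evident consent ledger (added illustration; all sample data is constructed)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime


def _canonical(fields: dict) -> str:
    # Deterministic serialisation so an identical record always hashes identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _parse_ts(value: str) -> datetime:
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset, e.g. 2025-01-15T09:30:00+00:00")
    return ts


@dataclass
class ConsentEvent:
    principal_id: str   # pseudonymous Data Principal identifier, never raw PII
    event: str          # "given" or "withdrawn"
    purposes: list      # specific purposes; an empty list on withdrawal means "withdraw all"
    method: str         # how consent was captured: which form, app version or channel
    timestamp: str      # ISO 8601 with offset
    prev_hash: str      # digest of the previous record, "" for the first record
    digest: str         # SHA-256 over the canonical form of the fields above


class ConsentLedger:
    """Append-only, hash-chained log of consent grants and withdrawals."""

    def __init__(self) -> None:
        self._records: list = []

    def append(self, principal_id: str, event: str, purposes: list,
               method: str, timestamp: str) -> ConsentEvent:
        if event not in ("given", "withdrawn"):
            raise ValueError("event must be 'given' or 'withdrawn'")
        if event == "given" and not purposes:
            raise ValueError("consent must be tied to at least one specific purpose")
        _parse_ts(timestamp)  # reject malformed or offset-less timestamps early
        fields = {
            "principal_id": principal_id, "event": event, "purposes": list(purposes),
            "method": method, "timestamp": timestamp,
            "prev_hash": self._records[-1].digest if self._records else "",
        }
        rec = ConsentEvent(digest=_sha256(_canonical(fields)), **fields)
        self._records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every digest and chain link; False means the log was altered."""
        prev = ""
        for rec in self._records:
            fields = {k: v for k, v in vars(rec).items() if k != "digest"}
            if rec.prev_hash != prev or rec.digest != _sha256(_canonical(fields)):
                return False
            prev = rec.digest
        return True

    def consent_valid(self, principal_id: str, purpose: str, at: str) -> bool:
        """Replay the principal's events up to `at` and report whether consent
        for `purpose` was in force at that instant."""
        cutoff = _parse_ts(at)
        events = sorted(
            (r for r in self._records
             if r.principal_id == principal_id and _parse_ts(r.timestamp) <= cutoff),
            key=lambda r: _parse_ts(r.timestamp),
        )
        active = set()
        for rec in events:
            if rec.event == "given":
                active.update(rec.purposes)
            elif rec.purposes:       # withdrawal of the named purposes only
                active.difference_update(rec.purposes)
            else:                    # withdrawal with no purposes listed: withdraw everything
                active.clear()
        return purpose in active


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events: a grant, a partial withdrawal and a full withdrawal."""
    led = ConsentLedger()
    led.append("dp-7f3a", "given", ["order_fulfilment", "marketing"], "checkout_web_v3", "2025-01-15T09:30:00+00:00")
    led.append("dp-9c21", "given", ["order_fulfilment"], "android_app_2.4", "2025-02-02T18:05:00+00:00")
    led.append("dp-7f3a", "withdrawn", ["marketing"], "account_settings", "2025-05-10T11:00:00+00:00")
    led.append("dp-9c21", "withdrawn", [], "support_ticket", "2025-07-01T08:00:00+00:00")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("dp-7f3a marketing on 2025-06-01:",
          ledger.consent_valid("dp-7f3a", "marketing", "2025-06-01T00:00:00+00:00"))
```

Two design choices matter for an audit. Consent is recorded per purpose, because DPDPA consent is specific to the purpose stated in the notice, so a single "consented: yes" flag cannot answer whether marketing use was still permitted after the principal withdrew that purpose but kept the order-fulfilment one. And the ledger stores a pseudonymous identifier rather than the principal's contact details; in a real deployment the latest digest would also be anchored somewhere the application cannot write (a WORM store or a signed daily checkpoint), since a hash chain alone only proves that a tamperer did not recompute the whole tail.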
Independent Data Audits (SDFs Only)
Who Must Conduct: All Significant Data Fiduciaries
Frequency: At least once every 12 months
Auditor: Must be independent (external auditor, not internal team)
Scope: Evaluate compliance with ALL DPDPA provisions and DPDP Rules
Reporting: Submit audit report with significant observations to Data Protection Board
- Appoint an independent data auditor (external firm)
- Define audit scope and timeline
- Gather all compliance documentation
- Prepare data flow maps and inventories
- Review consent mechanisms and logs
- Test security safeguards (technical + organizational)
- Verify Data Principal rights exercise processes
- Assess DPIA quality and implementation
- Review third-party processor agreements
- Check compliance with children's data protections
- Evaluate breach response procedures
- Receive audit report with findings
- Address identified gaps
- Auditor submits significant observations to the Data Protection Board
- Implement remediation measures
- Plan next annual audit
- Maintain Real-Time Records: Don't scramble before audit; maintain records continuously
- Use Technology: Implement consent management platforms, data mapping tools
- Assign Ownership: Clear responsibility for each compliance area (e.g., DPO owns DPIA, CISO owns security)
- Regular Internal Audits: Don't wait for annual external audit; conduct quarterly internal reviews
- Training: Ensure all employees understand their data protection responsibilities
- Third-Party Management: Audit processors and vendors periodically
- Documentation Culture: "If it's not documented, it didn't happen"
- All Data Fiduciaries need comprehensive records (consent, processing, sharing, breaches) to discharge the burden of proof on consent and the breach-reporting and log-retention duties
- SDFs must conduct independent data audits annually
- Audit reports with significant findings submitted to Data Protection Board
- Records enable accountability and facilitate compliance verification
- Best practice: Real-time documentation, not pre-audit scramble
- Technology tools (consent management, data mapping) are essential at scale
