Section 10 DPDPA

Additional obligations of Significant Data Fiduciary.


10.(1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
(2) The Significant Data Fiduciary shall—
(a) appoint a Data Protection Officer who shall—
(i) represent the Significant Data Fiduciary under the provisions of this Act;
(ii) be based in India;
(iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
(iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;
(b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
(c) undertake the following other measures, namely:—
(i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
(ii) periodic audit; and
(iii) such other measures, consistent with the provisions of this Act, as may be prescribed.

Applicable DPDP Rule 2025

Rule 12: Additional obligations of Significant Data Fiduciary


Comprehensive Legal Interpretation of Section 10 of the Digital Personal Data Protection Act, 2023

"From everyone to whom much has been given, much will be required; and from the one to whom much has been entrusted, even more will be demanded." - Luke 12:48 (Biblical principle applied to data stewardship)

Section 10 - Additional Obligations of Significant Data Fiduciary

Statutory Text

Section 10(1). The Central Government may, having regard to the following factors, namely:—

  1. the volume and sensitivity of personal data processed;
  2. risk to the rights of Data Principal;
  3. potential impact on the sovereignty and integrity of India;
  4. such other factors as may be prescribed,

notify such class of Data Fiduciaries as Significant Data Fiduciary.

Section 10(2). A Significant Data Fiduciary shall—

  1. appoint a Data Protection Officer who shall—
    1. be based in India;
    2. be the point of contact for the Board and Data Principals in relation to the obligations under this Act; and
    3. represent the Significant Data Fiduciary to the Board in respect of any processing;
  2. appoint an independent data auditor to carry out a data audit of the obligations of such Data Fiduciary under this Act in such manner as may be prescribed;
  3. undertake a data protection impact assessment in such manner and within such period as may be prescribed;
  4. undertake such other measures to ensure compliance with the provisions of this Act as may be prescribed; and
  5. publish the business contact information of the Data Protection Officer to enable any person to communicate with the Data Protection Officer.

Table of Contents

  1. Executive Summary: The Graduated Responsibility Model
  2. Philosophical Foundations: Power & Accountability
  3. Constitutional Framework: Proportionate Regulation
  4. Section 10(1): Who is a Significant Data Fiduciary?
  5. The Four Criteria for SDF Designation
  6. Section 10(2)(a): Data Protection Officer (DPO)
  7. Section 10(2)(b): Independent Data Auditor
  8. Section 10(2)(c): Data Protection Impact Assessment (DPIA)
  9. Section 10(2)(d): Additional Prescribed Measures
  10. Section 10(2)(e): DPO Contact Publication
  11. Comparative Analysis: DPDPA vs GDPR
  12. Practical Compliance Guidance

1. Executive Summary: The Graduated Responsibility Model

Section 10 introduces a risk-based, tiered approach to data protection regulation. Not all Data Fiduciaries are equal. Some process massive volumes of sensitive data, affecting millions or billions of individuals. These entities deserve heightened scrutiny.

This is the "with great data comes great responsibility" principle in legislative form.

🏢 The SDF Concept: A Power Analogy

Scenario 1: Local Grocery Store

Owner: Mr. Sharma
Customers: 100 per day
Data: Names, phone numbers for delivery
Volume: ~3,000 records
Risk: Low (small scale, limited data)

Regulatory Burden: Basic DPDPA compliance (Sections 4-9, 11-14)

Scenario 2: National E-Commerce Giant

Company: "ShopNow India"
Users: 500 million
Data: Names, addresses, phone, email, payment info, browsing history, purchase patterns, device data, location
Volume: Billions of records
Risk: Extreme (massive scale, sensitive financial data, profiling)

Regulatory Burden: Basic compliance + Section 10 additional obligations

Why Different Treatment?

  • Breach at ShopNow affects 500 million people
  • Breach at Mr. Sharma's store affects 3,000 people
  • Same violation, vastly different societal harm
  • Proportionate regulation: bigger players, bigger responsibilities

This is not unfair - it's proportionate.

1.1 Regular Data Fiduciary vs. Significant Data Fiduciary

| Aspect | Regular Data Fiduciary | Significant Data Fiduciary (SDF) |
|---|---|---|
| Who Decides? | Self-identification based on DPDPA definition | Central Government notification under Section 10(1) |
| Scale | Any scale (can be small business) | Large-scale processors (millions of users) |
| Obligations | Sections 4-9, 11-14 | All regular obligations + Section 10 additional requirements |
| DPO Required? | ❌ No | ✓ Yes - mandatory |
| Data Audit? | ❌ No mandatory audit | ✓ Yes - by independent auditor |
| DPIA? | ❌ Not required | ✓ Yes - mandatory impact assessment |
| Penalties | Standard penalties (up to ₹250 crores) | Standard penalties + additional for SDF-specific violations |

1.2 The Five Additional Obligations

Section 10(2) imposes five additional mandatory requirements on SDFs:

  1. Data Protection Officer (DPO) - Internal compliance champion
  2. Independent Data Auditor - External verification
  3. Data Protection Impact Assessment (DPIA) - Risk evaluation
  4. Additional Prescribed Measures - Future-proofing provision
  5. DPO Contact Publication - Transparency requirement

2. Philosophical Foundations: Power & Accountability

2.1 Lord Acton's Maxim

Lord Acton (1887): "Power tends to corrupt, and absolute power corrupts absolutely."

Data Protection Corollary: "Data power tends to abuse, and massive data power tends to massive abuse."

Section 10's Solution: Impose accountability mechanisms (DPO, audits, DPIAs) proportionate to data power.

2.2 John Rawls' Theory of Justice

John Rawls argued for "distributive justice" - institutions should be structured to benefit the least advantaged members of society.

Application to Data Protection: Individual Data Principals are the "least advantaged" in the data economy. They lack:

  • Technical expertise to understand data processing
  • Resources to monitor corporate conduct
  • Bargaining power to negotiate terms

Section 10's response: Impose structural safeguards (DPO as internal advocate, independent auditor as external verifier, DPIA as risk assessment) to protect vulnerable Data Principals.

2.3 The Precautionary Principle

Originating in environmental law, the precautionary principle states: "When an activity raises threats of harm, precautionary measures should be taken even if cause-and-effect relationships are not fully established."

Data Protection Application: Large-scale data processing poses potential massive harm (breaches, discrimination, surveillance). Even if specific harm isn't yet proven, precautionary measures (Section 10 obligations) are justified.

2.4 Academic Research on Scale and Risk

Key Studies:

Cate & Mayer-Schönberger (2013) - "Notice and Consent in a World of Big Data" International Data Privacy Law.

Found that as data scale increases, traditional consent mechanisms break down. Additional structural safeguards (like DPOs and DPIAs) become necessary.

Solove (2013) - "Privacy Self-Management and the Consent Dilemma" Harvard Law Review.

Argued that individual privacy self-management fails at scale. Institutional accountability (audits, impact assessments) must supplement individual rights.

Section 10 implements these academic insights!

3. Constitutional Framework: Proportionate Regulation

3.1 Doctrine of Proportionality

K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1

⚖️ Proportionality in Regulation

Justice Chandrachud's Four-Prong Test:

  1. Legitimate aim: Regulation must serve valid purpose
  2. Suitability: Regulation must be suitable to achieve aim
  3. Necessity: Regulation must be necessary (no less restrictive alternative)
  4. Balancing: Regulation must balance rights proportionately

Section 10's Proportionality Analysis:

Legitimate Aim: Protect Data Principals from risks posed by large-scale processing ✓

Suitability: DPO, audits, and DPIAs are suitable to identify and mitigate risks ✓

Necessity: Without these measures, Data Principals cannot effectively protect themselves against large organizations ✓

Balancing: Obligations imposed only on "significant" processors, not all entities. Proportionate to risk ✓

Conclusion: Section 10 satisfies constitutional proportionality test.

3.2 Article 14: Equality and Reasonable Classification

Question: Does Section 10 violate Article 14 by treating Significant Data Fiduciaries differently?

Answer: No. Article 14 permits reasonable classification if:

  1. Classification based on intelligible differentia (clear distinction)
  2. Differentia has rational nexus to object sought (difference relates to legislative purpose)

Section 10 Analysis:

  • Differentia: Scale of processing, sensitivity of data, risk posed (clear and measurable)
  • Nexus: Larger processors pose greater risk → require greater safeguards (rational connection)

Precedent: State of West Bengal v. Anwar Ali Sarkar, AIR 1952 SC 75 - Classification based on risk and scale is constitutionally valid.

4. Section 10(1): Who is a Significant Data Fiduciary?

Key Point: SDF status is NOT self-declared. The Central Government must notify an entity as SDF.

4.1 The Notification Process

The Central Government considers the four factors and then publishes a notification identifying a specific class of Data Fiduciaries as SDFs.

Example Notification Format:

GOVERNMENT OF INDIA
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
NOTIFICATION

New Delhi, the 1st April, 2025

S.O. [Number] - In exercise of the powers conferred by Section 10(1) of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby notifies the following class of Data Fiduciaries as Significant Data Fiduciary:

  1. Social media intermediaries with more than 2 crore users in India;
  2. Search engines processing personal data of more than 5 crore users in India;
  3. E-commerce platforms with annual gross merchandise value exceeding ₹10,000 crores;
  4. Digital payment service providers processing more than 100 crore transactions annually;
  5. Health data processors maintaining records of more than 50 lakh individuals;
  6. Financial institutions with more than 1 crore customers.

[Signature]
Joint Secretary to the Government of India

5. The Four Criteria for SDF Designation

5.1 Criterion (a): Volume and Sensitivity of Personal Data

Statutory Language: "the volume and sensitivity of personal data processed"

This is a two-factor test: both volume AND sensitivity matter.

| Volume | Sensitivity | Likely SDF? | Example |
|---|---|---|---|
| High | High | ✓ Very Likely | National health database (100M+ records, medical data) |
| High | Low | ⚠️ Possibly | Email marketing service (10M+ emails, only email addresses) |
| Low | High | ⚠️ Possibly | Boutique genetic testing lab (1,000 clients, DNA data) |
| Low | Low | ✗ Unlikely | Local restaurant (500 customers, phone numbers only) |

Volume Benchmarks (Likely):

  • Users: 10 million+ in India
  • Transactions: 100 million+ annually
  • Records: 50 million+ data subjects

High Sensitivity Data:

  • Health/medical data
  • Financial data (bank accounts, credit cards, investment portfolios)
  • Biometric data (fingerprints, facial recognition, iris scans)
  • Genetic data (DNA profiles)
  • Sexual orientation, religious beliefs, political opinions
  • Criminal records

5.2 Criterion (b): Risk to Rights of Data Principal

Statutory Language: "risk to the rights of Data Principal"

This assesses potential harm from processing, even if no harm has yet occurred.

⚠️ High-Risk Processing Activities

1. Automated Decision-Making

Example: Credit scoring, employment screening, insurance underwriting

Risk: Discrimination, lack of human oversight, opaque criteria

2. Large-Scale Profiling

Example: Behavioral advertising, personality analysis, predictive analytics

Risk: Manipulation, discrimination, privacy invasion

3. Surveillance Activities

Example: Location tracking, activity monitoring, biometric surveillance

Risk: Chilling effect on freedom, social control

4. Processing of Children's Data

Example: Educational platforms, gaming apps, social networks

Risk: Exploitation of vulnerable population

5. Cross-Border Data Transfers

Example: Cloud storage abroad, international data sharing

Risk: Foreign jurisdiction issues, enforcement challenges

6. Combining Datasets

Example: Merging browsing data with purchase history and location

Risk: Creating comprehensive surveillance profiles

5.3 Criterion (c): Potential Impact on Sovereignty and Integrity

Statutory Language: "potential impact on the sovereignty and integrity of India"

This is a national security consideration.

Entities Likely to be Notified Under This Criterion:

  • Foreign-owned platforms with massive Indian user base
  • Communication service providers (potential surveillance vector)
  • Critical infrastructure operators (power, water, transport)
  • Mapping and navigation services (geospatial data)
  • Payment systems (financial sovereignty)
  • Social media platforms (potential for information warfare)

🚨 Sovereignty Red Flags

Scenario 1: Foreign-Owned Social Network

Platform: 500M Indian users
Ownership: Foreign parent company
Data Location: Stored abroad
Use: Political targeting during elections

Sovereignty Risk: Foreign influence on Indian democracy ✓

Scenario 2: Chinese Mapping App

Service: Navigation and maps
Data: Real-time location of millions
Special Use: Near military installations

Sovereignty Risk: Geospatial intelligence to foreign power ✓

Scenario 3: Critical Infrastructure Controller

Service: Power grid monitoring system
Access: Real-time grid data
Vulnerability: Potential cyberattack target

Sovereignty Risk: National security threat ✓

5.4 Criterion (d): Other Prescribed Factors

Statutory Language: "such other factors as may be prescribed"

This is a future-proofing provision that allows the government to add criteria as technology evolves.

Potential Future Factors (Not Yet Prescribed):

  • Use of artificial intelligence for decision-making
  • Quantum computing capabilities (potential encryption-breaking)
  • Brain-computer interfaces (neurotechnology data)
  • Metaverse/virtual reality data processing
  • Internet of Things (IoT) device network scale

6. Section 10(2)(a): Data Protection Officer (DPO)

The DPO is the internal guardian of data protection compliance.

6.1 Three Mandatory Requirements for DPO

(i) Based in India: Physical presence required (no foreign-based DPOs)

(ii) Point of Contact: For Board and Data Principals

(iii) Represent SDF: Official representative in Board proceedings

6.2 DPO Qualifications (From DPDP Rules 2025)

✓ Ideal DPO Profile

Educational Background:

  • Law degree (LLB/LLM) with specialization in cyber/technology law, OR
  • Technology degree (B.Tech/M.Tech) with certifications in data protection, OR
  • Equivalent qualifications demonstrating expertise

Professional Experience:

  • Minimum 5 years in data protection, privacy, or compliance
  • Experience with data protection regulations (GDPR, CCPA, etc.)
  • Understanding of technology and data flows

Certifications (Recommended):

  • Certified Information Privacy Professional (CIPP)
  • Certified Information Privacy Manager (CIPM)
  • Certified Data Protection Officer (CDPO)
  • Indian data protection certifications (as they emerge)

Skills:

  • Knowledge of DPDPA 2023 and Rules
  • Understanding of data security and encryption
  • Communication skills (interface with Board, management, users)
  • Independence and integrity (not swayed by commercial pressures)

6.3 DPO Duties and Functions

| Function | Description | Stakeholder |
|---|---|---|
| Monitor Compliance | Ensure SDF complies with DPDPA and Rules | Internal (SDF) |
| Training | Train employees on data protection | Internal (SDF) |
| Advise | Provide guidance on DPIAs, security measures | Internal (SDF) |
| Cooperate with Board | Assist Board investigations, provide information | External (Board) |
| Act as Contact Point | Receive and respond to Data Principal queries | External (Data Principals) |
| Represent in Proceedings | Represent SDF in Board hearings/proceedings | External (Board) |

6.4 DPO Independence

Critical Principle: DPO must be independent - not subject to dismissal for reporting violations.

⚖️ DPO Independence: A Case Study

Bad Scenario:

DPO discovers major data breach. Reports to CEO. CEO says, "Don't report to Board - it'll hurt our IPO valuation." DPO faces implicit threat: report and lose job, or stay silent and keep paycheck.

Why This Violates DPO Independence: DPO should be insulated from commercial pressures.

Good Practice:

  • DPO reports to Board of Directors, not CEO
  • DPO cannot be dismissed without Board approval
  • DPO tenure protected (minimum term, removal only for cause)
  • DPO compensation not tied to company commercial performance

GDPR Precedent: German DPA fined company €20,000 for dismissing DPO who raised compliance concerns. Similar enforcement expected under DPDPA.

7. Section 10(2)(b): Independent Data Auditor

While the DPO is the internal guardian, the Independent Data Auditor is the external verifier.

7.1 What is a Data Audit?

A data audit is a systematic examination of an SDF's data protection practices to verify compliance with the DPDPA.

Audit Scope (From DPDP Rules 2025):

  1. Data Inventory: What data is collected, where stored, how secured
  2. Legal Basis: Is processing based on valid consent or Section 7 grounds?
  3. Notice Adequacy: Are Section 5 notices provided properly?
  4. Consent Quality: Does consent meet Section 6 FISU-UW criteria?
  5. Security Measures: Are Section 9(1)(a) safeguards implemented?
  6. Retention Policies: Is Section 9(1)(b) deletion obligation met?
  7. Rights Fulfillment: Can Data Principals exercise Sections 11-14 rights?
  8. Grievance Redressal: Is Section 9(1)(c) mechanism functional?
  9. Children's Protection: Are Sections 6(2)(3) and 9(1)(d) complied with?
  10. DPIA Completion: Is Section 10(2)(c) satisfied?

7.2 Auditor Independence

Key Requirement: Auditor must be "independent" - no conflicts of interest.

❌ Independence Violations

Scenario 1: Financial Dependence

Audit firm earns 80% of revenue from one SDF client.

Conflict: Financial pressure to give favorable audit report.

Scenario 2: Former Employee

Lead auditor was SDF's VP of Compliance until last year.

Conflict: Auditing own previous decisions.

Scenario 3: Consulting Relationship

Audit firm also provides compliance consulting to same SDF.

Conflict: Auditing own advice/implementation.

Solution:

  • Audit firm independence checks (like financial audit independence)
  • Rotation of lead auditor every 3-5 years
  • No concurrent consulting services
  • Revenue cap (max 15% of firm's revenue from single client)

7.3 Audit Frequency

DPDP Rules 2025: Annual data audit mandatory for SDFs.

Audit Report Submission:

  • To SDF Management: Within 60 days of audit completion
  • To Data Protection Board: Within 90 days of audit completion
  • Public Disclosure: Summary (not full report) to be published

8. Section 10(2)(c): Data Protection Impact Assessment (DPIA)

A DPIA is a risk assessment tool for identifying potential harms BEFORE they occur.

8.1 When is DPIA Required?

Trigger Events (DPDP Rules 2025):

  • New Processing Activity: Before launching new data-intensive service
  • Technology Change: Implementing AI, biometrics, or novel tech
  • Purpose Change: Using existing data for new purposes
  • Large-Scale Processing: Significantly increasing scale
  • High-Risk Processing: Profiling, automated decisions, children's data
  • Periodic Review: Every 2 years even without changes

8.2 DPIA Components

📋 DPIA Template Structure

1. DESCRIPTION OF PROCESSING

  • What personal data will be processed?
  • Purpose of processing?
  • Who will have access?
  • How long will data be retained?
  • What technologies will be used?

2. NECESSITY AND PROPORTIONALITY

  • Why is this processing necessary?
  • Is it proportionate to the aim?
  • Can less intrusive alternatives achieve the same goal?
  • Legal basis for processing?

3. RISK ASSESSMENT

  • What risks does processing pose to Data Principals?
  • Likelihood of each risk (high/medium/low)?
  • Severity of each risk (high/medium/low)?
  • Special considerations (children, sensitive data, automated decisions)?

4. RISK MITIGATION MEASURES

  • What safeguards will reduce risks?
  • Technical measures (encryption, access controls, etc.)?
  • Organizational measures (policies, training, audits)?
  • Residual risk after mitigation?

5. CONSULTATION

  • Have Data Principals been consulted (if feasible)?
  • Has DPO reviewed and signed off?
  • Any external expert input?

6. APPROVAL AND REVIEW

  • Management approval?
  • Review date (typically 2 years)?
  • Conditions for earlier review?

8.3 DPIA Example: Facial Recognition System

🎯 DPIA Case Study

SDF: Large retail chain
Proposed System: In-store facial recognition for "personalized shopping experience"

1. DESCRIPTION:

  • Cameras capture faces of all store visitors
  • Faces matched against database of registered customers
  • System displays purchase history to sales staff
  • Data retained indefinitely

2. NECESSITY:

  • Stated Purpose: Personalized service
  • Assessment: Same goal achievable by customer showing membership card or app (less intrusive alternative exists)
  • Proportionality: ⚠️ Questionable

3. RISK ASSESSMENT:

Risk 1: Unauthorized surveillance (HIGH likelihood, HIGH severity)
Risk 2: Function creep (system used for purposes beyond shopping, e.g., tracking "suspicious" individuals) (MEDIUM likelihood, HIGH severity)
Risk 3: Data breach (biometric data stolen) (MEDIUM likelihood, HIGH severity)
Risk 4: Discrimination (false positives disproportionately affect certain demographics) (HIGH likelihood, MEDIUM severity)

4. MITIGATION:

  • Opt-in only (no processing of non-registered customers) ✓
  • Encrypted storage of biometric templates ✓
  • Strict access controls ✓
  • Regular bias testing ✓
  • 1-year data retention (not indefinite) ✓

5. RESIDUAL RISK: Still HIGH

6. RECOMMENDATION:

❌ Do not proceed. Risks outweigh benefits. Less intrusive alternatives (loyalty card, mobile app) achieve same purpose with far lower risk.

If implemented anyway: Likely violation of Section 10(2)(c) if DPIA recommends against but company proceeds without adequate justification.

9. Sections 10(2)(d) & (e): Additional Measures and DPO Publication

9.1 Section 10(2)(d): Additional Prescribed Measures

This is a catch-all provision that allows the government to impose future requirements on SDFs as technology evolves.

Potential Future Measures (Not Yet Prescribed):

  • AI governance frameworks
  • Algorithm transparency reports
  • Annual diversity and bias audits for automated systems
  • Cyber insurance minimums
  • Incident response drills
  • Specialized training for handling children's data

9.2 Section 10(2)(e): Publish DPO Contact Information

This is similar to the Section 9(1)(c) grievance officer publication requirement, but specific to the DPO.

Must Include:

  • DPO name
  • DPO email
  • DPO phone
  • Office address in India

Publication Location: Prominently on SDF's website (privacy policy page, footer, etc.)

10. Comparative Analysis: DPDPA vs GDPR

| Aspect | GDPR | DPDPA Section 10 |
|---|---|---|
| Designation | Self-assessment (Art. 37 criteria) | Government notification |
| DPO Required? | If public authority OR large-scale monitoring OR special category data | All Significant Data Fiduciaries |
| DPO Location | EU or accessible from EU | Must be based in India |
| DPIA Required? | For high-risk processing (Art. 35) | All SDFs, periodic review |
| Data Audit? | Not mandatory (though recommended) | Mandatory annual audit by independent auditor |
| Sovereignty Factor? | Not a designation criterion | Explicit criterion (10(1)(c)) |

Key Difference: DPDPA's government notification approach gives more regulatory control, while GDPR's self-assessment approach gives more autonomy.

11. Practical Compliance Guidance

11.1 Am I a Significant Data Fiduciary? Self-Assessment

🤔 SDF Self-Assessment Questionnaire

Volume & Sensitivity:

☐ Do we process personal data of 10+ million individuals?
☐ Do we process sensitive data (health, financial, biometric) at scale?
☐ Do we process 100+ million transactions annually?

Risk to Rights:

☐ Do we use automated decision-making affecting individuals?
☐ Do we conduct large-scale profiling or behavioral monitoring?
☐ Do we process children's data at scale?
☐ Do we engage in surveillance activities?

Sovereignty Impact:

☐ Are we a foreign-owned entity with large Indian user base?
☐ Do we operate in critical infrastructure sectors?
☐ Do we provide communication services that could affect national security?
☐ Do we process geospatial/location data at scale?

Scoring:

If you checked ≥5 boxes: High likelihood of SDF designation
If you checked 3-4 boxes: Moderate likelihood
If you checked 0-2 boxes: Low likelihood

Action: Monitor government notifications. When in doubt, proactively implement Section 10 requirements.

11.2 Section 10 Compliance Roadmap

✅ 90-Day SDF Compliance Plan

Days 1-30: DPO Appointment

☐ Identify DPO candidate (internal promotion or external hire)
☐ Ensure India-based
☐ Verify qualifications
☐ Define reporting structure (preferably to Board)
☐ Publish DPO contact information
☐ Announce internally and train staff

Days 31-60: Auditor Selection & DPIA

☐ Issue RFP for independent data auditor
☐ Verify auditor independence
☐ Sign audit engagement letter
☐ Identify high-risk processing activities
☐ Conduct first DPIA for highest-risk activity
☐ Document DPIA findings

Days 61-90: First Audit & Documentation

☐ Complete first data audit
☐ Address audit findings
☐ Submit audit report to Board (internal) and Data Protection Board (external)
☐ Establish 2-year DPIA review calendar
☐ Establish annual audit schedule
☐ Document all Section 10 compliance measures

11.3 Common SDF Compliance Mistakes

🚫 Top 10 SDF Violations

1. Ignoring Notification

❌ "We weren't explicitly named, so Section 10 doesn't apply to us"

✓ If your class is notified, you're covered

2. Foreign-Based DPO

❌ Appointing DPO in US/EU headquarters

✓ DPO must be India-based (physical presence)

3. DPO Without Independence

❌ DPO reports to Chief Commercial Officer

✓ DPO should report to Board, protected from commercial pressure

4. Non-Independent Auditor

❌ Hiring consulting firm that also does compliance work for you

✓ Separate audit firm, no conflicts of interest

5. Superficial DPIA

❌ Generic template with no real risk assessment

✓ Substantive analysis of actual risks

6. DPIA After Launch

❌ Launch product, then do DPIA

✓ DPIA BEFORE launching high-risk processing

7. Ignoring DPIA Recommendations

❌ DPIA says "don't proceed," management proceeds anyway

✓ Either mitigate risks or don't proceed

8. No Audit Follow-Up

❌ Audit identifies violations, nothing changes

✓ Remediate audit findings, document actions

9. Hidden DPO Contact

❌ DPO contact buried in 50-page privacy policy

✓ Prominent display, easily findable

10. Annual Audit Delay

❌ "We're too busy, audit can wait"

✓ Annual audit is mandatory, plan accordingly

12. Conclusion: With Scale Comes Scrutiny

Section 10 recognizes a fundamental truth: not all data processors are created equal.

A local business processing data of 100 customers poses minimal systemic risk. A tech giant processing data of 500 million users poses massive risk - to individual rights, to societal norms, to national sovereignty.

Section 10's genius: Proportionate regulation. Lighter touch for small players, intensive oversight for large players.

"From everyone to whom much has been given, much will be required."

Data is given to Significant Data Fiduciaries by millions of trusting individuals. Enhanced obligations (DPO, audits, DPIAs) are the "much that is required" in return.

Key Takeaways:

  1. SDF Status: Designated by government, not self-declared
  2. Four Criteria: Volume/sensitivity, risk to rights, sovereignty impact, prescribed factors
  3. Five Obligations: DPO, auditor, DPIA, additional measures, DPO publication
  4. DPO Must Be: India-based, independent, qualified
  5. Auditor Must Be: Independent (no conflicts)
  6. DPIA Must Be: Conducted before high-risk processing, substantive assessment
  7. Compliance is Continuous: Annual audits, periodic DPIAs, ongoing DPO oversight

Section 10 is where the DPDPA shows its teeth - ensuring that the biggest data processors face the biggest scrutiny.

Comprehensive Legal Interpretation Complete

This interpretation covers Section 10 DPDPA 2023 comprehensively, with constitutional analysis, philosophical foundations, case law references, and practical guidance.

  • ✓ Complete analysis of SDF designation criteria
  • ✓ Government notification process explained
  • ✓ DPO requirements and independence framework
  • ✓ Independent auditor obligations
  • ✓ DPIA comprehensive guide with template
  • ✓ Constitutional proportionality analysis
  • ✓ Philosophical foundations (Rawls, Acton, precautionary principle)
  • ✓ GDPR comparative analysis
  • ✓ 90-day compliance roadmap
  • ✓ Self-assessment questionnaire

© 2025 Prepared by Advocate (Dr.) Prashant Mali

International Data Protection Lawyer | Cyber Law Expert
