Last updated: June 22, 2026
India’s Ministry of Electronics and Information Technology (MeitY) has been expected to finalise the rules under the Digital Personal Data Protection (DPDP) Act 2023 — and the draft provisions around Significant Data Fiduciaries (SDFs) are the most consequential for mid-to-large businesses. If your organisation processes personal data at scale, the SDF designation carries obligations that dwarf those of ordinary Data Fiduciaries.
What makes a Significant Data Fiduciary?
The central government can designate any Data Fiduciary as an SDF based on the volume and sensitivity of the data processed, potential national security and public order risk, risk to electoral democracy, and the impact processing has on sovereignty. The criteria are deliberately broad, which means even B2B SaaS platforms, HR-tech companies, and healthcare aggregators can find themselves in scope.
SDF-specific obligations
- Data Protection Impact Assessments (DPIAs) — mandatory before deploying new high-risk processing activities, not optional.
- Periodic data audits — conducted by independent auditors registered with the Data Protection Board.
- Algorithmic accountability — SDFs must deploy safeguards against algorithmic bias and document the logic of automated decision-making systems.
- Data localisation — certain categories of personal data may be restricted from cross-border transfer to specific jurisdictions.
- Appointment of a DPO — a Data Protection Officer resident in India, with direct board access.
Preparing now, before designation
Organisations should not wait for a formal SDF designation notice. The compliance groundwork of data mapping, consent architecture, grievance mechanisms, and data processing agreements (DPAs) with processors takes 6–18 months to implement properly. Boards should ask their legal and security teams for a current DPDP gap assessment, not reassurance that it’s “in progress.”
Penalties under the DPDP Act reach ₹250 crore per instance of non-compliance. The first enforcement actions from the Data Protection Board will set precedent — and being caught unprepared will be expensive in more ways than one.