Classification of Data Fiduciaries under the DPDP Act, 2023: Thresholds and Obligations

Posted On - 30 September, 2025 • By - Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) distinguishes between ordinary Data Fiduciaries and Significant Data Fiduciaries (SDFs). While all fiduciaries must comply with baseline obligations of consent, notice, retention, and rights management, entities designated as SDFs face additional compliance requirements, reflecting their greater scale, sensitivity, and potential impact.

The Central Government holds authority to classify fiduciaries as “significant” based on thresholds such as volume and sensitivity of data processed, risk of harm to individuals, impact on sovereignty or democracy, and security considerations. Once designated, SDFs must appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), undergo independent audits, and maintain enhanced accountability frameworks.

Introduction: Why Classify Fiduciaries?

Not all data fiduciaries pose equal risks. A small start-up processing a few thousand records has vastly different implications from a major bank or social media platform processing millions of records daily. The DPDP Act recognises this risk disparity by establishing a tiered compliance model: all fiduciaries must meet basic obligations, but Significant Data Fiduciaries face heightened duties.

This approach reflects a proportionality principle: compliance obligations must be proportionate to the potential risks posed by an entity’s data processing activities.

Statutory Basis for Classification

The DPDP Act empowers the Central Government to classify any data fiduciary as a Significant Data Fiduciary after considering:

  • The volume and sensitivity of personal data processed.
  • The risk of harm to data principals.
  • The potential impact on sovereignty, integrity, or democracy.
  • The security of the State and public order.
  • Other factors the Government may notify.

Threshold Considerations

Although thresholds have not yet been formally notified, several factors are likely to be determinative:

1. Volume of Processing

  • Platforms processing data of millions of users (e.g., e-commerce giants, social media platforms).
  • Banks and insurers processing large-scale financial data.

2. Sensitivity of Data

  • Health-tech companies processing genetic or biometric data.
  • Fintech companies handling financial histories and credit scores.

3. Risk of Harm

  • Platforms vulnerable to misuse for fraud, identity theft, or discrimination.
  • Services involving children or vulnerable populations.

4. Impact on Sovereignty and Democracy

  • Social media companies influencing public opinion.
  • Messaging platforms handling election-related communications.

5. National Security Concerns

  • Telecom providers.
  • Cloud providers hosting critical infrastructure data.

Obligations of Significant Data Fiduciaries

Entities classified as SDFs must meet enhanced compliance standards beyond the baseline fiduciary obligations.

Appointment of Data Protection Officer (DPO)

  • SDFs must appoint a DPO based in India.
  • The DPO is the nodal point for grievance redressal and regulatory interface.
  • This mirrors GDPR’s DPO requirement for large-scale processors.

Data Protection Impact Assessments (DPIAs)

  • SDFs must conduct DPIAs before undertaking high-risk processing activities.
  • DPIAs assess risks, safeguards, and proportionality.
  • For example, a fintech launching AI-driven credit scoring must perform a DPIA.

Independent Audits

  • Periodic independent audits are mandatory to verify compliance.
  • Audit reports may have to be shared with the Data Protection Board.

Record-Keeping and Governance

  • Enhanced record-keeping of processing activities.
  • Demonstrable accountability frameworks.
  • Training programs for staff handling data.

Distinction between Ordinary Fiduciaries and SDFs

Obligation            | Ordinary Fiduciary | Significant Data Fiduciary
Consent & Notice      | ✔ Required         | ✔ Required
Retention & Erasure   | ✔ Required         | ✔ Required
Rights Management     | ✔ Required         | ✔ Required
DPO Appointment       | ✘ Not Required     | ✔ Required
DPIA                  | ✘ Not Required     | ✔ Required
Independent Audit     | ✘ Not Required     | ✔ Required
Record-Keeping        | Minimal            | Enhanced

This distinction ensures proportional regulation while focusing compliance resources on high-risk entities.

Comparison with GDPR and Other Global Frameworks

GDPR (EU): Requires DPOs for entities engaged in large-scale processing of sensitive data or systematic monitoring. Mandates DPIAs for high-risk processing. Encourages risk-based obligations without explicit “significant controller” designation.

LGPD (Brazil): Requires DPO appointment but allows exemptions for small enterprises. Risk-based approach similar to GDPR.

PDPA (Singapore): Every organization must appoint a DPO, but risk-based obligations differ in scope.

CCPA (California): Does not create DPO/DPIA obligations, but imposes strong disclosure and opt-out rights.

India’s model is closest to GDPR but formalises the category of Significant Data Fiduciary rather than leaving obligations to general risk-based interpretation.

Sectoral Implications and Practical Examples

1. Banking and Financial Services: Large banks processing millions of customer accounts and credit histories are prime candidates for SDF classification. For instance, a national bank conducting large-scale KYC verification and AI-based fraud monitoring will almost certainly be designated.

2. E-Commerce Platforms: A nationwide marketplace processing vast consumer purchase histories and payment data would likely fall under SDF classification. For example, a platform with 100 million active users cannot be treated on par with a small regional e-commerce start-up.

3. Social Media and Online Platforms: Global and Indian social media platforms with significant influence on public discourse are strong candidates for classification, particularly under the “impact on democracy” criterion.

4. Healthcare and Health-Tech: Large hospital chains, health insurers, or genetic testing platforms handling sensitive health data at scale may be designated as SDFs. For instance, a genomics start-up with data from millions of patients would face elevated obligations.

5. Government Contractors: Private companies managing public databases (such as welfare distribution or smart city initiatives) may also be classified, given the potential implications for sovereignty and national security.

Compliance Strategies for Entities Likely to be SDFs

1. Early DPO Appointment

  • Identify and designate a senior officer as DPO before classification.
  • Build internal reporting lines to ensure independence.

2. DPIA Frameworks

  • Develop internal processes to conduct DPIAs for new projects.
  • Document risks, safeguards, and mitigation measures.

3. Audit Preparedness

  • Engage third-party auditors proactively to assess compliance gaps.
  • Build remediation roadmaps.

4. Governance Structures

  • Create data governance committees.
  • Train employees across business units.

5. Documentation and Accountability

  • Maintain detailed records of processing.
  • Demonstrate proportionality in data collection and usage.

Risks of Misclassification or Non-Compliance

  • Regulatory Penalties: Failure to meet SDF obligations may attract penalties up to ₹250 crore.
  • Reputational Damage: Non-compliance by large entities is likely to attract media scrutiny.
  • Operational Risk: Absence of DPIAs or audits may result in suspension of data processing activities.
  • Contractual Liability: Global partners may require assurance of compliance, particularly for MNCs operating in multiple jurisdictions.

Conclusion & Key Takeaways

The DPDP Act’s classification of Significant Data Fiduciaries reflects a proportional approach to regulation, focusing enhanced obligations on entities whose data processing carries the highest risks.

Key takeaways for businesses:

  • Entities with large-scale, sensitive, or high-risk processing are likely to be designated as SDFs.
  • Obligations include DPO appointment, DPIAs, independent audits, and enhanced governance.
  • Early compliance planning is essential, particularly for banks, insurers, e-commerce platforms, social media companies, and health-tech providers.
  • Documentation and proactive governance are critical to avoid regulatory penalties and ensure trust.

The classification regime ensures that India’s privacy law does not overburden small enterprises while holding larger, riskier entities to higher standards. For potential SDFs, the path forward is clear: build robust compliance frameworks now rather than waiting for designation.

Contributed by – Aurelia Menezes