King Stubb & Kasiva

Significant Data Fiduciary (SDF) Readiness, DPIA & Audit under the DPDP Act

The DPDP Act creates a higher tier of obligations for organisations designated Significant Data Fiduciaries (SDFs). While no entity has yet been notified as an SDF, large platforms and high-volume or high-sensitivity processors should expect to be brought within scope as the DPDP Rules, 2025 commence. Preparing early is prudent because the SDF obligations are demanding. This page explains them and how KSK helps clients get ready.

What makes a business an SDF?

Under Section 10(1), the Central Government may designate a data fiduciary or class of fiduciaries as significant, weighing the volume and sensitivity of personal data processed; the risk to data principals’ rights; the potential impact on India’s sovereignty and integrity; the risk to electoral democracy; the security of the State; and public order. Our detailed analysis is here: Significant Data Fiduciaries: enhanced compliance obligations.


The enhanced obligations

Under Section 10(2) and Rule 13 of the DPDP Rules, 2025, an SDF must:

  • Appoint an India-based Data Protection Officer responsible to the board.
  • Appoint an independent data auditor.
  • Conduct a Data Protection Impact Assessment and audit every 12 months and report significant observations to the Board. See our guide to DPIAs and to record-keeping and audit.
  • Carry out algorithmic due diligence — verifying that software, including algorithms, does not pose risks to data principals’ rights.
  • Observe any data-localisation directions the Government issues for specified categories of personal data.

How KSK helps

We help organisations assess their likelihood of SDF designation and build the programme an SDF needs: governance and DPO frameworks, DPIA methodology and execution, audit readiness and auditor coordination, algorithmic and AI-governance review, cross-border data-transfer mapping against sectoral localisation rules, and board-level reporting. The aim is a defensible, documented compliance posture before designation rather than after.

Related reading

See our pieces on cross-border data transfers and preparing boards and CXOs for the DPDP era. The free Compliance Scorecard flags whether SDF-style obligations may be on your horizon.

Talk to KSK about your DPDP readiness

Our data-privacy team advises Indian and global businesses on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. To understand where you stand, try our free DPDPA Compliance Scorecard or speak to our team.

This page is general information about Indian data-protection law and is not legal advice or a solicitation. Provisions of the DPDP Act and Rules are subject to phased commencement and further notification.


Frequently Asked Questions

DPDP Act — quick answers

What is a Significant Data Fiduciary under the DPDP Act?

It is a data fiduciary, or class of fiduciaries, that the Central Government notifies as significant under Section 10 because of the higher risk its processing poses — typically large platforms and high-volume or high-sensitivity processors. SDFs carry enhanced obligations beyond ordinary data fiduciaries.

What extra obligations do SDFs have?

Under Section 10(2) and Rule 13, an SDF must appoint an India-based DPO and an independent data auditor, conduct a DPIA and audit every 12 months, carry out due diligence on its algorithmic software, and observe any data-localisation directions the Government issues.

Have any companies been designated SDFs yet?

As of 2026, no entity or class has been notified as a Significant Data Fiduciary, and the obligations are subject to the DPDP Rules' phased commencement expected around mid-2027. Businesses likely to qualify should prepare in advance and confirm status against the latest MeitY notifications.

Do SDFs face data-localisation requirements?

The DPDP Act does not impose general data localisation, but Rule 13 allows the Government to bar offshore transfer of specified categories of personal data for SDFs. Sector-specific localisation rules from regulators such as the RBI also continue to apply.

This FAQ is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 — not legal advice. Provisions are subject to phased commencement and further notification. Speak to the KSK data-privacy team for advice on your specific situation.
