What makes a company likely to be designated as a Significant Data Fiduciary?

The Central Government considers several factors under Section 10: the volume and sensitivity of personal data processed; the potential risk to the rights of data principals; the potential impact on the sovereignty and integrity of India; the risk to electoral democracy; the risk to security of the State; and the potential impact on public order. Companies processing large volumes of sensitive data (financial, health, biometric) or operating critical digital infrastructure are at higher designation risk. Social media platforms, large e-commerce platforms, telecom operators, banking aggregators, and healthcare data platforms are widely expected to be among the first designated.

Do mid-stage startups qualify as Significant Data Fiduciaries?

Most mid-stage startups are unlikely to meet the volume and impact thresholds that would trigger SDF designation in the near term. SDF designation is expected to target large-scale operators — the Act's language focuses on significant societal or national-level impact. However, startups in sensitive sectors (fintech with payment data, healthtech with medical records, HR-tech with workforce data) should monitor the designated SDF list once published, as volume thresholds may be lower than anticipated for high-sensitivity data categories. Preparing governance structures ahead of potential designation is prudent for growth-stage companies in these sectors.

What changes operationally after SDF designation?

Four additional obligations activate upon designation: (1) Appointment of a Data Protection Officer (DPO) — must be India-based, reports to the Board of Directors, cannot be outsourced below a senior-management level. (2) Periodic Data Protection Impact Assessments (DPIAs) — systematic review of processing activities, risk identification, and mitigation documentation. (3) Periodic audits — conducted by an independent auditor from a panel the Board may maintain; audit reports submitted to the DPB. (4) Compliance with any additional Government measures notified specifically for SDFs — which may include algorithmic audits, source-code reviews, or specific localisation requirements.

Can an SDF designation be challenged?

The Act does not include an explicit pre-designation consultation requirement, though the Government is expected to follow its standard rule-making procedures. Once designated, an entity can approach the Data Protection Board or courts if the designation is believed to be ultra vires or procedurally defective. Practically, industry bodies representing at-risk sectors are expected to engage with MeitY during the designation process to provide volume and impact data. Pre-designation engagement through industry associations is the most effective mitigation before a formal challenge becomes necessary.

What records does the Data Protection Board look for in SDF audits?

Based on comparable regulatory audits and the Act's framework, SDF audits are expected to examine: documented processing activity records; the lawful basis for each material processing activity; evidence of consent mechanism compliance; breach notification history and response documentation; the DPIA register with completed impact assessments for high-risk processing; DPO appointment documentation and evidence of the DPO's organisational independence; contractual records for all processors and sub-processors; data retention and deletion schedules; and training records demonstrating staff awareness. The audit report is submitted to the Board and may be made public.

DPDP Significant Data Fiduciary — Section 10 Criteria + Obligations

Not just large companies

SDF designation depends on the sensitivity and societal impact of data processing — a mid-size healthtech or fintech platform may qualify on sensitivity alone, regardless of revenue or headcount.

The Government has not published designated SDF lists yet — now is the time to self-assess and prepare.

Section 10designation trigger

DPO + DPIA + Auditadditional obligations

Self-assesslikelihood now

FreeSDF assessment

Are you likely to be designated an SDF?Data Protection Officer — when required

Section 10 SDF likelihood assessmentDPO readiness gap analysisDPIA framework setup

Section 10 — the six factors the Government considers

Section 10 of DPDP gives the Central Government broad discretion to designate data fiduciaries as Significant Data Fiduciaries. The statute sets out six factors to be considered, though it does not prescribe weights or thresholds. Designation is by notification in the Official Gazette and may apply to individual organisations or classes of organisations.

Volume and sensitivity of personal data processed: higher volumes and more sensitive categories (financial, health, biometric, children's data) increase designation likelihood
Risk to the rights of data principals: if a breach or misuse would cause widespread financial, physical, reputational, or other harm at scale, the risk calculus tilts toward SDF
Potential impact on sovereignty and integrity of India: platforms processing data that, if compromised, could affect national security, border management, or critical infrastructure
Risk to electoral democracy: platforms with significant reach into voter populations or electoral communication channels
Risk to security of the State: intelligence-adjacent data, sensitive government contractor data, or platforms used by critical public-sector entities
Potential impact on public order: platforms whose disruption or data compromise could cause civil unrest, mass panic, or coordinated disinformation at scale

Which industries are likely to be designated first

The Central Government has not published a designated SDF list as of mid-2026. Based on the statutory factors and international precedents (GDPR's DPIA requirements for high-risk processors, DSA's obligations for Very Large Online Platforms in the EU), the following sectors face the highest near-term designation likelihood.

Telecom operators: process call records, location data, and identity data for hundreds of millions of subscribers — both volume and national-security risk factors are met
Banking and NBFC aggregators: financial account data at scale, with significant harm potential from breach and systemic financial-sector risk if a major aggregator is compromised
Large social media platforms: broad reach into electoral communication, behavioural data at scale, children's data, and content moderation infrastructure that intersects with public order
Large e-commerce platforms: financial transaction data, delivery address (location), purchase behaviour profiling, and third-party seller identity data at scale
Healthcare data platforms and aggregators: medical records, diagnostic data, prescription history, and insurance claims — high sensitivity, high harm potential from breach
Government-adjacent digital infrastructure (like ONDC participants at scale, ABDM-integrated platforms): intersection with public digital infrastructure elevates designation likelihood

Additional obligations that activate on SDF designation

Designation as an SDF creates four obligations beyond the baseline requirements that apply to all data fiduciaries. These obligations are not triggered by filing or registration — they activate from the date of Gazette notification of designation.

Data Protection Officer (DPO): must appoint a DPO who is based in India, reports directly to the Board of Directors, and serves as the point of contact with the Data Protection Board. The DPO cannot be a pure outsourced consultant — there must be organisational accountability at senior-management level.
Periodic Data Protection Impact Assessment (DPIA): systematic review of all significant processing activities to identify, assess, and mitigate risks to data principals' rights. The DPIA must be periodic — not a one-time exercise — and the schedule and format will be specified in SDF-specific rules.
Periodic audit: conducted by an independent data-auditor (the Board may maintain a panel of approved auditors); the audit report is submitted to the Data Protection Board and may be made public. Auditors assess whether processing complies with the Act and with the fiduciary's own privacy commitments.
Compliance with additional Government measures: the designation notification may itself impose specific requirements (algorithmic transparency, source-code review, localisation for specific data categories, incident response drills). These are organisation- or sector-specific and cannot be anticipated entirely in advance.

How to self-assess your SDF designation likelihood

While the Government has not published threshold data, a structured self-assessment against the six statutory factors provides a reasonable risk estimate. Use this framework as a starting point — revisit quarterly as the regulatory landscape develops.

Data volume proxy: if you process personal data of more than 1 million distinct data principals, or more than 100,000 in high-sensitivity categories (financial, health, biometric, children), you are in potential range
Sensitivity score: assign each data category a sensitivity weight (biometric > health > financial > behavioural > identity > contact). A high aggregate sensitivity score elevates likelihood even at lower volumes.
Societal reach test: would a breach of your platform affect national systems, elections, or public order? Does your platform interact with critical infrastructure or government digital services?
Sector proxy: if you are in telecom, banking, large-scale e-commerce, healthcare aggregation, or social media — treat your likelihood as high regardless of volume calculations
Regulatory intersection: if you are already subject to RBI, SEBI, or IRDAI oversight, the data you hold is likely to meet the sensitivity threshold for SDF consideration

Governance structures to build before designation

The worst time to build SDF-ready governance is after the designation notification arrives. Organisations in high-likelihood sectors should treat SDF preparation as a strategic priority now, with the same urgency as a regulatory change with a 12-month runway.

DPO candidate pipeline: identify whether the role will be internal or hybrid (senior internal accountable person + specialist external support). Begin the job description and recruitment process — qualified DPOs are scarce.
DPIA framework: build or adopt a DPIA template aligned to the Act's risk-factors and your sector's specific data types. Run a pilot DPIA on your three highest-risk processing activities.
Processing activity register: mandatory for all fiduciaries but essential for SDF audit readiness — document every material processing activity, legal basis, data categories, retention period, and processor relationships.
Audit-readiness file: assemble the documentation an independent auditor would request — consent mechanism evidence, breach notification history, training records, processor contracts, DPIA register.
Board-level privacy governance: SDF designation requires DPO reporting to the Board. If your Board does not currently have a privacy agenda item, add one. Board minutes should evidence privacy oversight.

Audit firm selection and independent auditor considerations

The Act's audit mechanism requires an independent data auditor, and the Board may publish an approved auditor panel. Choosing the right audit partner before designation removes a critical bottleneck. Audit firms with DPDP capability are currently limited in India — demand is expected to outpace supply significantly in the post-designation period.

Capability requirements: the auditor should have practitioners who understand both data protection law and IT security — a pure legal audit or a pure technical audit does not satisfy the requirement
Independence requirements: the auditor cannot have a significant commercial relationship with the auditee that would impair independence — check for conflict in any firm where advisory work is ongoing
Scope clarity: negotiate the audit scope before engagement — processing activity register review, consent mechanism testing, breach notification process assessment, and processor contract review are minimum scope items
Relationship-building: establish the relationship before designation, ideally through a pre-audit readiness assessment — this gives you a baseline gap report and a working relationship with the auditor
Cross-links: see /dpdp-data-protection-officer-when-required for the DPO appointment framework, and /dpdp-schedule-i-technical-safeguards for the technical controls the auditor will assess

Are you likely to be designated an SDF?

Get a structured SDF designation likelihood assessment, a gap analysis against post-designation obligations, and a preparation roadmap — free first engagement.

Book a free SDF assessment Data Protection Officer — when required

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

AI VAPT Scanner

Automated penetration testing for web apps and APIs. Results in under 2 hours.

Learn more →

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Section 10 — the six factors the Government considers

Volume and sensitivity of personal data processed: higher volumes and more sensitive categories (financial, health, biometric, children's data) increase designation likelihood

Risk to the rights of data principals: if a breach or misuse would cause widespread financial, physical, reputational, or other harm at scale, the risk calculus tilts toward SDF

Potential impact on sovereignty and integrity of India: platforms processing data that, if compromised, could affect national security, border management, or critical infrastructure

Risk to electoral democracy: platforms with significant reach into voter populations or electoral communication channels

Risk to security of the State: intelligence-adjacent data, sensitive government contractor data, or platforms used by critical public-sector entities

Potential impact on public order: platforms whose disruption or data compromise could cause civil unrest, mass panic, or coordinated disinformation at scale

Which industries are likely to be designated first

Telecom operators: process call records, location data, and identity data for hundreds of millions of subscribers — both volume and national-security risk factors are met

Banking and NBFC aggregators: financial account data at scale, with significant harm potential from breach and systemic financial-sector risk if a major aggregator is compromised

Large social media platforms: broad reach into electoral communication, behavioural data at scale, children's data, and content moderation infrastructure that intersects with public order

Large e-commerce platforms: financial transaction data, delivery address (location), purchase behaviour profiling, and third-party seller identity data at scale

Healthcare data platforms and aggregators: medical records, diagnostic data, prescription history, and insurance claims — high sensitivity, high harm potential from breach

Government-adjacent digital infrastructure (like ONDC participants at scale, ABDM-integrated platforms): intersection with public digital infrastructure elevates designation likelihood

Additional obligations that activate on SDF designation

Data Protection Officer (DPO): must appoint a DPO who is based in India, reports directly to the Board of Directors, and serves as the point of contact with the Data Protection Board. The DPO cannot be a pure outsourced consultant — there must be organisational accountability at senior-management level.

Periodic Data Protection Impact Assessment (DPIA): systematic review of all significant processing activities to identify, assess, and mitigate risks to data principals' rights. The DPIA must be periodic — not a one-time exercise — and the schedule and format will be specified in SDF-specific rules.

Periodic audit: conducted by an independent data-auditor (the Board may maintain a panel of approved auditors); the audit report is submitted to the Data Protection Board and may be made public. Auditors assess whether processing complies with the Act and with the fiduciary's own privacy commitments.

Compliance with additional Government measures: the designation notification may itself impose specific requirements (algorithmic transparency, source-code review, localisation for specific data categories, incident response drills). These are organisation- or sector-specific and cannot be anticipated entirely in advance.

How to self-assess your SDF designation likelihood

Data volume proxy: if you process personal data of more than 1 million distinct data principals, or more than 100,000 in high-sensitivity categories (financial, health, biometric, children), you are in potential range

Sensitivity score: assign each data category a sensitivity weight (biometric > health > financial > behavioural > identity > contact). A high aggregate sensitivity score elevates likelihood even at lower volumes.

Societal reach test: would a breach of your platform affect national systems, elections, or public order? Does your platform interact with critical infrastructure or government digital services?

Sector proxy: if you are in telecom, banking, large-scale e-commerce, healthcare aggregation, or social media — treat your likelihood as high regardless of volume calculations

Regulatory intersection: if you are already subject to RBI, SEBI, or IRDAI oversight, the data you hold is likely to meet the sensitivity threshold for SDF consideration

Governance structures to build before designation

DPO candidate pipeline: identify whether the role will be internal or hybrid (senior internal accountable person + specialist external support). Begin the job description and recruitment process — qualified DPOs are scarce.

DPIA framework: build or adopt a DPIA template aligned to the Act's risk-factors and your sector's specific data types. Run a pilot DPIA on your three highest-risk processing activities.

Processing activity register: mandatory for all fiduciaries but essential for SDF audit readiness — document every material processing activity, legal basis, data categories, retention period, and processor relationships.

Audit-readiness file: assemble the documentation an independent auditor would request — consent mechanism evidence, breach notification history, training records, processor contracts, DPIA register.

Board-level privacy governance: SDF designation requires DPO reporting to the Board. If your Board does not currently have a privacy agenda item, add one. Board minutes should evidence privacy oversight.

Audit firm selection and independent auditor considerations

Capability requirements: the auditor should have practitioners who understand both data protection law and IT security — a pure legal audit or a pure technical audit does not satisfy the requirement

Independence requirements: the auditor cannot have a significant commercial relationship with the auditee that would impair independence — check for conflict in any firm where advisory work is ongoing

Scope clarity: negotiate the audit scope before engagement — processing activity register review, consent mechanism testing, breach notification process assessment, and processor contract review are minimum scope items

Relationship-building: establish the relationship before designation, ideally through a pre-audit readiness assessment — this gives you a baseline gap report and a working relationship with the auditor

Cross-links: see /dpdp-data-protection-officer-when-required for the DPO appointment framework, and /dpdp-schedule-i-technical-safeguards for the technical controls the auditor will assess

Significant Data Fiduciary (SDF) Designation — DPDP Section 10 Criteria

Section 10 — the six factors the Government considers

Which industries are likely to be designated first

Additional obligations that activate on SDF designation

How to self-assess your SDF designation likelihood

Governance structures to build before designation

Audit firm selection and independent auditor considerations

Are you likely to be designated an SDF?

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit

Significant Data Fiduciary (SDF) Designation — DPDP Section 10 Criteria

Section 10 — the six factors the Government considers

Which industries are likely to be designated first

Additional obligations that activate on SDF designation

How to self-assess your SDF designation likelihood

Governance structures to build before designation

Audit firm selection and independent auditor considerations

Are you likely to be designated an SDF?

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit