Back to Blog
LegalTech & IA

DPDP Act 2023: Are You a Significant Data Fiduciary? Here's What You Must Do (or Risk a Fine That Hurts)

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
June 13, 2026
10 min read
DPDP Act 2023: Are You a Significant Data Fiduciary? Here's What You Must Do (or Risk a Fine That Hurts)

Imagine you're a data fiduciary—basically, anyone who decides how and why to process personal data in India. Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you already have a laundry list of duties. But if you're a Significant Data Fiduciary (SDF), the government adds a few more chores—like a surprise pop quiz on top of your final exam.

What Makes a Data Fiduciary 'Significant'?

The Central Government will notify certain data fiduciaries as 'significant' based on factors like volume of data processed, sensitivity of data, risk to rights, and potential harm. Think big tech, health platforms, or any entity handling massive amounts of personal data. If you're an SDF, you're in the spotlight.

An SDF must appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIA), perform periodic audits, and implement additional measures like data encryption and pseudonymisation. Non-compliance can lead to penalties up to ₹250 crore.

Extra Obligations: The 'Significant' Checklist

Here's what you need to do if you're tagged as an SDF:

  • Appoint a Data Protection Officer (DPO): This person is your point of contact for data subjects and the Data Protection Board. They must be based in India.
  • Conduct Data Protection Impact Assessments (DPIA): Before processing high-risk data, assess the impact and mitigate risks. Document everything.
  • Periodic Audits: Get an independent auditor to check your compliance annually. Think of it as a dental check-up for your data practices.
  • Additional Measures: Implement data encryption, pseudonymisation, and other security safeguards. The government may prescribe specific standards.

These obligations kick in once you're notified as an SDF. The exact criteria are still being drafted, but expect them soon.

Why Should You Care? (Besides the Obvious Fine)

Non-compliance isn't just a slap on the wrist. Penalties can reach ₹250 crore (about $30 million) for serious breaches. Plus, your reputation takes a hit. Remember the Cambridge Analytica scandal? That's the kind of mess the DPDP Act aims to prevent.

But here's the silver lining: being an SDF forces you to build a robust privacy framework. It's like finally organizing that messy closet—painful at first, but you'll thank yourself later.

Practical Steps to Prepare

Even if you're not yet notified, start preparing:

  • Map your data flows and identify high-risk processing.
  • Train a DPO or designate someone to handle privacy.
  • Draft DPIA templates and audit procedures.
  • Review your security measures—encryption is your friend.

For official guidance, check the Ministry of Electronics & Information Technology website.

FAQ

Who decides if I'm a Significant Data Fiduciary?

The Central Government will notify SDFs based on criteria like volume, sensitivity, and risk. The exact thresholds are yet to be published.

Can a small company be an SDF?

Yes, if it processes large volumes of sensitive data or poses significant risk to data subjects. Size isn't the only factor.

What happens if I don't comply with SDF obligations?

You may face penalties up to ₹250 crore, plus orders to cease processing or rectify violations. Repeat offenses can lead to higher fines.

📋 SDF Compliance Checklist

  • Appoint a Data Protection Officer (DPO)
  • Conduct Data Protection Impact Assessments (DPIA)
  • Perform periodic audits (annually)
  • Implement encryption & pseudonymisation
  • Register with Data Protection Board (if required)
Tip: Start with DPIA—it's the foundation for all other obligations.
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.