Quick Answer
In every classroom there is a moment when the teacher says, “Most of you can hand in the short version of the assignment, but you five, I need the full project.” India’s data protection law works the same way. Most businesses get the standard set of obligations under the Digital Personal Data Protection Act, 2023. A select group gets tapped on the shoulder for the full project. That group is called Significant Data Fiduciaries, and if your company is one of them, or might become one, your compliance burden roughly doubles. This article explains, in plain language, how the government decides who gets tapped, what the extra obligations are, when they kick in, and how to run an honest self assessment today, before the official list makes the decision for you.
- SDF status is the difference between the standard DPDPA homework and the full project: DPO, auditor, impact assessments, possible data localisation, and algorithm accountability. The government holds the pen on designation, the criteria are risk based rather than mechanical, and one factor alone can be enough. The official list is not out yet, and that is precisely why the smart move is a self assessment now, while you can still build calmly instead of scrambling after a Gazette notification.

The basic vocabulary, quickly
A Data Fiduciary is anyone who decides why and how personal data is processed. The bakery with a WhatsApp ordering list, the hospital chain, the gaming app, all Data Fiduciaries. A Data Principal is the individual the data is about. A Significant Data Fiduciary, or SDF, is a Data Fiduciary that the Central Government notifies as significant under Section 10 of the Act, either individually or as a class. That last part deserves emphasis. You do not self certify into or out of SDF status. The government designates you, and it can designate entire classes of companies at once, for example all fiduciaries processing health records above a threshold. As of early 2026 the formal list has not yet been published, and the SDF obligations become enforceable on 13 May 2027 under the phased timeline of the DPDP Rules, 2025. That gap between now and then is your assessment window.
The Section 10 criteria, decoded
Section 10(1) tells the government what to weigh when deciding whether a fiduciary is significant. There are six named factors, and understanding them tells you a great deal about your own risk. The volume and sensitivity of personal data processed. This is the workhorse factor. Volume is intuitive: a platform with fifty million users processes more risk than a boutique with five hundred customers. Sensitivity is about the nature of the data. The DPDP Act does not carve out a formal “sensitive data” category the way the GDPR does, but health information, financial details, biometric data, and data about children plainly weigh heavier on this scale. The risk to the rights of Data Principals. If your processing can affect someone’s access to credit, insurance, employment, or essential services, the harm from a mistake is bigger, and so is your significance. A lending app that scores creditworthiness carries more risk per user than a recipe blog with a newsletter. The potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. These four factors travel together and target platforms whose data could be misused at a societal scale: social media networks, large messaging platforms, companies holding location trails of millions of people. Most ordinary businesses will never trip these factors, but they explain why the biggest consumer platforms should simply assume designation. Two features of this test matter enormously in practice. First, the factors are not cumulative. The government can designate you on the strength of one factor alone if the risk is serious enough. Second, the government retains discretion to consider other relevant factors, so the list is a floor, not a ceiling.
What SDF status actually triggers
Being designated an SDF switches on a package of enhanced obligations, layered on top of everything an ordinary Data Fiduciary must already do. You must appoint a Data Protection Officer. Not a mailbox, an individual, based in India, who represents the company under the Act and is responsible to the board of directors or equivalent governing body. The DPO also becomes the published point of contact for grievances. If you are weighing how to staff this, our guide to virtual DPO arrangements in India covers the in house versus outsourced decision in detail. You must appoint an independent data auditor. This is an external check, someone who evaluates your compliance and reports on it, similar in spirit to a statutory auditor but for data protection. You must conduct periodic Data Protection Impact Assessments and audits. A DPIA is a structured exercise where you examine a processing activity, say a new recommendation engine, and document the rights at stake, the risks, and the mitigations. Under the Rules, the results get reported to the Data Protection Board, which means these are not internal paperwork, they are regulator facing documents. You may face restrictions on cross border data flows. The government can require that specified categories of data processed by SDFs stay in India, and the Rules create machinery for such conditions. If your architecture assumes free movement of data to servers abroad, SDF status is the point where that assumption needs legal review. You must verify algorithmic safety. SDFs are expected to ensure that the algorithmic software they deploy does not pose a risk to the rights of Data Principals, an obligation that quietly imports algorithm governance into Indian law. The stakes for getting this wrong are concrete: breach of the additional SDF obligations carries a penalty of up to 150 crore rupees under the Act’s schedule, separate from the larger penalties for security failures.
A self assessment you can run this week
Since the official list is pending, run this exercise honestly. Count your data principals: how many identifiable individuals does your business hold data about, including inactive accounts? Grade your sensitivity: do you hold health, financial, biometric, location, or children’s data? Trace your decisions: does your processing influence outcomes that matter, like loans, jobs, insurance pricing, or access to services? Measure your reach: could misuse of your data affect public discourse or safety at any scale? If you answered high on volume plus any one other dimension, plan as if designation is coming. Consider a fintech we will call PaisaQuick with eight million users, credit scores, and bank linked data. It trips volume, sensitivity, and rights impact simultaneously. PaisaQuick should not wait for the notification; it should be interviewing DPO candidates now, because by the time the list is out, every qualified privacy professional in India will have three offers.
Can AI help with SDF compliance?
Yes, and for SDFs it is close to essential. The obligations that make SDF status expensive, data inventories, impact assessments, algorithmic audits, continuous monitoring, are exactly the tasks AI handles well. Machine learning tools can map data flows across hundreds of systems, flag when a new processing activity looks like it needs a DPIA, and monitor algorithms for biased or unlawful outcomes at a scale no human team can match. But notice the irony: the law also requires SDFs to verify that their algorithms do not endanger user rights, which means the AI you deploy to help with compliance is itself subject to compliance. Every AI output in this domain needs human review by someone qualified to catch its mistakes, because the Data Protection Board will address its notices to your DPO, not to your software vendor. AI is the microscope; a human still has to look through it and sign the report.
When to Review This
- SDF status is the difference between the standard DPDPA homework and the full project: DPO, auditor, impact assessments, possible data localisation, and algorithm accountability. The government holds the pen on designation, the criteria are risk based rather than mechanical, and one factor alone can be enough. The official list is not out yet, and that is precisely why the smart move is a self assessment now, while you can still build calmly instead of scrambling after a Gazette notification.
Disclaimer
This article is for general information only and is not legal advice. Whether and how these provisions apply depends on your specific facts, so take professional advice before acting.

