Step 8: Special Duties for Significant Data Fiduciaries (SDFs)

Under the Digital Personal Data Protection Act (DPDPA), 2023, some organizations are classified as Significant Data Fiduciaries (SDFs). These are entities that process large volumes of personal data, handle highly sensitive categories of information, or whose operations may impact national security, public order, or the rights of millions of individuals.

Examples of likely SDFs include banks, stock broking firms, telecom operators, large e-commerce companies, social media platforms, major insurance providers, and healthcare/pharma companies running large trials.

Being an SDF brings additional obligations beyond those that apply to regular Data Fiduciaries. For each duty below, the requirement is stated first, followed by a how-to guide for compliance.


1. Appointment of a Data Protection Officer (DPO)

Requirement:
Every SDF must appoint a Data Protection Officer, who must be based in India and act as the single point of contact for the Data Protection Board as well as Data Principals.

How to Comply:

  • Appoint a senior-level officer with expertise in data protection and IT security.
  • Publish their name, email ID, and phone number on the company’s website and privacy notice.
  • Ensure the DPO reports directly to the Board of Directors or senior management (not just IT).
  • Provide adequate resources (staff, budget, tools) to the DPO to discharge duties.

Example:

A social media platform designates its Chief Privacy Officer in India as the DPO, publishing an email address like dpo@securze.com and ensuring users can reach them directly.


2. Conducting Data Protection Impact Assessments (DPIAs)

Requirement:
Before starting any high-risk data processing activity (AI-driven profiling, biometric processing, cross-border transfers of sensitive data), an SDF must conduct a Data Protection Impact Assessment.

How to Comply:

  • Map out the proposed data processing activity.
  • Identify potential risks to individuals (e.g., profiling leading to bias, misuse of health data).
  • Document measures to mitigate those risks (encryption, anonymisation, access control).
  • Submit the DPIA to the Data Protection Board if required.

Example:

A health insurance company launching an AI-based claims approval system conducts a DPIA to check if the algorithm may unfairly deny claims. Risks are documented and safeguards added before rollout.


3. Independent Data Audits

Requirement:
SDFs must undergo regular, independent audits by qualified auditors to verify compliance with the DPDPA.

How to Comply:

  • Engage an external certified auditor (cybersecurity or data privacy specialist).
  • Audit scope should cover privacy notices, consent management, breach response, retention practices, and vendor agreements.
  • Maintain audit reports for submission to the Data Protection Board if demanded.

Example:

A stock broking firm with millions of investors engages an external auditor to review whether customer PAN, Aadhaar, and trading records are properly protected and deleted after retention periods.


4. Governance Measures and Algorithm Reviews

Requirement:
SDFs using automated decision-making (AI/ML algorithms) must ensure they do not cause harm or unfair treatment.

How to Comply:

  • Review algorithms for bias, discrimination, or unfair outcomes.
  • Document testing and corrective measures.
  • Provide transparency in user-facing policies.

Example:

A large e-commerce platform using recommendation engines must test whether its algorithm disproportionately favors certain sellers or manipulates consumer choice unfairly.


5. Maintaining Records and Accountability

Requirement:
SDFs must maintain comprehensive internal records of processing activities, including data flows, consent records, security safeguards, DPIAs, and breach responses.

How to Comply:

  • Use compliance software or in-house systems to document all data activities.
  • Keep audit trails that can be shared with the Board if requested.
  • Regularly review records for accuracy and completeness.

Example:

A telecom operator maintains a centralized compliance dashboard that records when consent was obtained from each subscriber, how call records are stored, and when their retention periods expire.


Being classified as an SDF comes with higher responsibility. The law expects such organizations to operate with transparency, accountability, and advanced safeguards. Failure to comply not only risks fines (up to ₹250 crore) but also reputational damage that can impact customer trust, investor confidence, and business continuity.