Special Duties of Significant Data Fiduciaries
The Digital Personal Data Protection Act (DPDPA), 2023 recognizes that certain organizations handle much larger volumes of personal data or process data that is highly sensitive. Because misuse or mishandling of such data can have severe consequences for individuals and even for national security, the government can classify such entities as Significant Data Fiduciaries (SDFs). Banks, healthcare providers, social media platforms, telecom companies, and large technology firms are examples of organizations that are likely to fall under this category.
Being designated as an SDF comes with greater accountability. In addition to the general duties that apply to all Data Fiduciaries, SDFs must fulfill stricter and more detailed obligations:
- Duty to Conduct Data Protection Impact Assessments (DPIAs)
  An SDF must carry out regular assessments to identify risks to the privacy of individuals arising from the way it processes personal data. These reports help the organization understand whether its practices could harm users and what measures are needed to reduce risks.
  Example: A major social media company must assess how its targeted advertising system uses user profiles and whether such profiling could unfairly impact individuals.

- Duty to Undergo Independent Data Audits
  SDFs are required to arrange for regular audits conducted by qualified, independent auditors. These audits evaluate whether the organization is complying with the Act and whether its data protection measures are effective in practice.

- Duty to Appoint a Data Protection Officer (DPO)
  Every SDF must appoint a senior officer, based in India, as a Data Protection Officer. The DPO is responsible for ensuring compliance with the Act, acting as the point of contact for the Data Protection Board, and coordinating with grievance officers to resolve user complaints.
  Example: A large payment service provider must designate a DPO who can be contacted directly by users and regulators for any concerns about misuse of financial data.

- Duty to Review Automated Decision-Making and Algorithms
  If an SDF uses artificial intelligence, machine learning, or other automated systems that make decisions about individuals, it must ensure these systems do not cause harm to users or infringe on their rights. Reviews must be carried out to detect risks of bias, discrimination, or unfair outcomes.

- Duty to Maintain Higher Standards of Security and Governance
  While all Data Fiduciaries must implement reasonable security measures, SDFs are expected to maintain advanced safeguards, detailed governance policies, and stronger monitoring systems to protect against misuse or breaches.
The classification of an organization as an SDF is not meant to punish large companies but to ensure that entities with greater influence over citizens’ data also bear greater responsibility. By enforcing these enhanced duties, the law seeks to create a balance between innovation and accountability, ensuring that large-scale digital services remain safe, reliable, and trustworthy for the people who use them.