Q1 - What criteria are used by the government to notify an organization as a Significant Data Fiduciary (SDF)?
Under Section 10(1) of the Digital Personal Data Protection Act, 2023 (DPDPA), the Central Government may classify or “notify” certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on a risk-based assessment of their data-processing activities.
This classification depends on multiple factors that determine the scale, sensitivity, and potential impact of the organization’s data processing on individuals and society.
1. Legal Basis
Section 10(1) —
“The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, having regard to the volume and sensitivity of personal data processed, risk of harm to the Data Principal, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, public order, and such other factors as it may consider necessary.”
2. Core Criteria for Classification
The Central Government evaluates several measurable factors before designating an organization as an SDF:
- Volume of Personal Data Processed
  - Large-scale or high-frequency processing involving millions of Data Principals.
  - Continuous data collection through digital platforms, financial systems, or social networks.
- Sensitivity of Personal Data
  - Involvement of sensitive categories such as financial, biometric, health, or location data.
  - Processing activities that could cause significant harm if breached.
- Risk of Harm to Data Principals
  - Probability and severity of harm (e.g., identity theft, discrimination, reputational loss).
  - Use of profiling, automated decision-making, or large-scale analytics.
- Impact on Sovereignty and Integrity of India
  - Organizations whose data processing could affect national security, critical infrastructure, or public services.
- Risk to Electoral Democracy and Public Order
  - Entities processing data that could influence political, civic, or public-opinion systems (e.g., advertising networks or social platforms).
- Other Factors Considered Necessary
  - The government may add further parameters through rules, such as cross-border transfers, reliance on AI systems, or data interlinkages across sectors.
3. Additional Obligations Once Classified
Once notified as an SDF, the organization must comply with additional requirements under Section 10(2), including:
- Appointment of a Data Protection Officer (DPO) based in India.
- Engagement of an independent Data Auditor to evaluate compliance.
- Conducting periodic Data Protection Impact Assessments (DPIAs).
- Performing regular data-protection audits and risk reviews.
4. Illustrative Example
A nationwide fintech platform collects and processes financial, biometric, and behavioral data from millions of users for digital lending. Due to the large volume, high sensitivity, and potential risk to financial security, the Central Government may notify it as a Significant Data Fiduciary (SDF). Once notified, it must appoint a DPO, undergo independent audits, and conduct DPIAs to assess privacy risks.
Referenced Provisions:
- Section 10(1) – Criteria for notifying a Data Fiduciary as a Significant Data Fiduciary.
- Section 10(2) – Additional obligations applicable to SDFs.
- Section 40(2) – Government’s rule-making powers to prescribe further criteria or procedural details.