DPDPA Section 10: Significant Data Fiduciary

Abhi Anand
6 January 2026
8 min read

Section 10 - Enhanced Obligations for High-Impact Data Fiduciaries

Section 10 of the DPDPA establishes a tiered regulatory framework by empowering the Central Government to designate certain Data Fiduciaries as 'Significant Data Fiduciaries' (SDFs). This designation triggers a set of enhanced obligations that go beyond the general obligations applicable to all Data Fiduciaries under Section 8. The rationale is straightforward: organisations that process personal data at scale, handle sensitive categories of data, or pose elevated risks to national security, public order, or individual rights require heightened oversight. The SDF framework mirrors approaches adopted in other jurisdictions - the EU's GDPR imposes additional requirements through its Data Protection Impact Assessment mandate, and China's PIPL designates 'Critical Information Infrastructure Operators' for enhanced regulation. Under DPDPA, the SDF designation is not self-assessed - it is made by the Central Government through notification, based on criteria that assess an organisation's data processing risk profile. Once designated, an SDF must comply with all general obligations under Section 8 plus the additional obligations specified in Section 10, creating a two-tier compliance structure that demands significantly greater investment in governance, personnel, and processes.

Government Notification Criteria for SDF Designation

Section 10(1) provides that the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, having regard to several assessment factors. These factors include the volume and sensitivity of personal data processed by the Data Fiduciary, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. These criteria are deliberately broad, giving the government flexibility to designate SDFs based on evolving risk assessments rather than rigid numerical thresholds. An organisation processing millions of health records may be designated due to data sensitivity, while a social media platform may be designated due to its potential impact on electoral democracy. A fintech company processing transaction data at scale may be designated due to volume, while a cross-border data processor may be designated due to sovereignty concerns. The designation is made by notification - meaning affected organisations will be formally informed and the designation will be published in the Official Gazette. Organisations that anticipate potential SDF designation should proactively prepare by implementing enhanced governance frameworks rather than waiting for formal notification.

  • SDF designation is made by Central Government notification, not self-assessment
  • Assessment factors include volume, sensitivity, sovereignty risk, electoral democracy impact, and public order
  • Criteria are intentionally broad to accommodate evolving risk landscapes
  • Designation applies to specific Data Fiduciaries or classes of Data Fiduciaries
  • Proactive preparation is advisable for organisations likely to be designated

Obligation to Appoint a Data Protection Officer (DPO)

Section 10(2)(a) requires every Significant Data Fiduciary to appoint a Data Protection Officer (DPO) who is based in India. The DPO must be an individual appointed to represent the Significant Data Fiduciary in matters related to the Act. This is a mandatory appointment - not an optional best practice. The requirement that the DPO be based in India ensures that the regulatory authority has a point of contact within Indian jurisdiction, preventing organisations from placing their data protection function in an overseas location beyond the effective reach of Indian enforcement. The DPO's role extends beyond mere compliance monitoring. They serve as the primary point of contact for the Data Protection Board, the designated person for handling Data Principal grievances under Section 8(10), the internal champion for data protection governance, and the liaison between the organisation and regulatory authorities during audits, investigations, and enforcement proceedings. The DPDPA does not prescribe specific qualifications for the DPO, but given the complexity of the role, organisations should appoint individuals with expertise in data protection law, information security, and the organisation's business operations. The DPO should have direct access to senior management and the board, and should be empowered to escalate issues without organisational interference.

  • Every SDF must appoint a DPO who is based in India
  • The DPO represents the SDF in all matters related to the DPDPA
  • The DPO serves as the point of contact for the Data Protection Board
  • The DPO should have direct access to senior management and the board
  • No specific qualifications prescribed, but expertise in data protection and security is essential

Obligation to Appoint an Independent Data Auditor

Section 10(2)(b) requires every Significant Data Fiduciary to appoint an independent data auditor to evaluate its compliance with the provisions of the DPDPA. The auditor must be independent - meaning they cannot be an employee of the SDF or otherwise lack the objectivity needed to conduct a credible compliance assessment. This requirement introduces external accountability into the compliance framework. While all Data Fiduciaries must self-assess their compliance under Section 8, SDFs are subject to independent verification by a qualified third party. The independent data auditor's role is to evaluate whether the SDF's data processing activities, security safeguards, consent mechanisms, breach notification processes, Data Principal rights fulfilment, and overall governance framework comply with the Act and any applicable rules. The audit findings must be reported to the SDF's board and, presumably, made available to the Data Protection Board upon request. The rules under the DPDPA are expected to specify the qualifications, standards, and periodicity applicable to independent data audits. Organisations should anticipate requirements aligned with established audit frameworks such as ISO 27001, SOC 2, or sector-specific standards. Building audit-readiness into your compliance programme from the outset - through documented policies, systematic record-keeping, and evidence-based controls - will significantly reduce the cost and disruption of periodic audits.

  • SDFs must appoint an independent data auditor to evaluate DPDPA compliance
  • The auditor must be independent and free from conflicts of interest
  • Audit scope covers all aspects of DPDPA compliance including security, consent, and rights fulfilment
  • Audit findings must be reported to the SDF's board
  • Expected alignment with frameworks like ISO 27001 and SOC 2

Data Protection Impact Assessment (DPIA)

Section 10(2)(c) requires Significant Data Fiduciaries to undertake Data Protection Impact Assessments (DPIAs) in such manner as may be prescribed. A DPIA is a systematic process for evaluating the potential impact of a data processing activity on the privacy and rights of Data Principals. It is a proactive risk management tool that identifies risks before they materialise, enabling organisations to implement mitigations at the design stage rather than retrospectively. The DPIA process typically involves describing the proposed processing activity in detail, assessing its necessity and proportionality, identifying the risks to Data Principals' rights and freedoms, evaluating existing safeguards and their adequacy, proposing additional measures to mitigate identified risks, and documenting the assessment and its outcomes. While the specific methodology will be prescribed by the rules, organisations should anticipate requirements to conduct DPIAs for any new processing activity that involves large-scale processing of sensitive data, automated decision-making with significant effects, systematic monitoring of public areas, innovative uses of technology such as AI or biometric systems, or cross-border data transfers. DPIAs are not one-time exercises - they should be reviewed and updated whenever there is a material change in the processing activity, the technology used, or the risk landscape. The DPIA documentation serves as critical evidence of compliance in the event of regulatory scrutiny or enforcement action.

  • SDFs must conduct DPIAs for prescribed processing activities
  • DPIAs are proactive risk assessments conducted before processing begins
  • The assessment covers necessity, proportionality, risks, safeguards, and mitigations
  • DPIAs must be reviewed and updated when processing activities change materially
  • DPIA documentation is critical evidence of compliance for regulatory defence

Periodic Audit and Compliance Verification

Beyond the initial appointment of an independent data auditor, the DPDPA framework contemplates periodic audits to ensure ongoing compliance. The rules under the Act are expected to specify the frequency of audits - whether annual, biennial, or triggered by specific events such as significant changes in processing activities, data breaches, or regulatory orders. Periodic audits serve multiple functions: they provide assurance to the Data Protection Board that the SDF is maintaining compliance, they identify compliance drift before it results in violations, they keep the organisation's data protection practices aligned with evolving regulatory expectations and technological changes, and they create a documented compliance history that demonstrates good faith in the event of enforcement proceedings. The audit process should cover all aspects of the SDF's data processing activities, including consent management, Data Principal rights fulfilment, security safeguards, breach notification readiness, data retention and erasure practices, cross-border transfer compliance, vendor and Data Processor management, and the effectiveness of the grievance redressal mechanism. Organisations should view periodic audits not as a regulatory burden but as a valuable governance tool that drives continuous improvement in their data protection practices.

  • Audit periodicity will be specified by the rules under the DPDPA
  • Audits may be annual, biennial, or event-triggered
  • Scope includes all DPDPA compliance obligations across the organisation
  • Audit findings drive continuous improvement and identify compliance drift
  • A documented audit trail demonstrates good faith to regulators

Algorithmic Fairness and Automated Decision-Making

While the DPDPA does not explicitly mandate algorithmic fairness assessments, the SDF framework creates a natural nexus between data protection obligations and responsible AI governance. Significant Data Fiduciaries - by virtue of the scale and impact of their data processing - are most likely to deploy automated decision-making systems, including AI and machine learning models, that affect Data Principals in significant ways: credit scoring, insurance underwriting, hiring decisions, content moderation, and law enforcement. The DPIA requirement under Section 10(2)(c) provides the mechanism for assessing the fairness, transparency, and accountability of these algorithmic systems. A well-conducted DPIA for an automated decision-making system should evaluate whether the training data is representative and free from discriminatory bias, whether the model's outputs are explainable and auditable, whether there are mechanisms for human review of consequential decisions, whether affected Data Principals are informed about the use of automated processing, and whether there are feedback loops to identify and correct unfair outcomes. As India develops its AI governance framework - likely through a combination of DPDPA rules, sector-specific regulations, and voluntary standards - SDFs should anticipate increasing scrutiny of their algorithmic practices. Building fairness, transparency, and accountability into AI systems from the design stage is both a regulatory imperative and a competitive advantage.

  • SDFs deploying AI and automated decision-making face heightened scrutiny
  • DPIAs provide the framework for assessing algorithmic fairness
  • Assessments should cover bias, explainability, human oversight, and transparency
  • India's AI governance framework is expected to evolve through DPDPA rules and sector-specific regulation
  • Proactive algorithmic governance is a regulatory imperative and competitive advantage
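The paragraph above lists what a DPIA for an automated decision-making system should evaluate. As an added example (not code from the article, nor from Kraver.ai), the following Python script records two of those checks over a constructed batch of automated decisions: the selection rate per group with the resulting disparate impact ratio (the four-fifths benchmark used here is an assumed threshold, not one the DPDPA prescribes), and a count of adverse automated outcomes that reached the Data Principal without human review. The `Decision` records, group labels and all counts are constructed for illustration.

```python
"""Added illustrative fairness check for a DPIA of an automated decision system.
All sample data, group labels and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    group: str            # value of a protected attribute (constructed label)
    approved: bool        # outcome produced by the automated system
    human_reviewed: bool  # whether a person reviewed the outcome before it took effect


# Constructed sample: 100 decisions for group "A", 100 for group "B".
SAMPLE = (
    [Decision("A", True, False)] * 80 + [Decision("A", False, True)] * 20
    + [Decision("B", True, False)] * 50 + [Decision("B", False, True)] * 45
    + [Decision("B", False, False)] * 5
)

# Assumed benchmark (the "four-fifths rule"); a DPIA would state its own justification.
DISPARATE_IMPACT_THRESHOLD = 0.8


def selection_rates(decisions):
    """Share of favourable outcomes per group, e.g. {"A": 0.8, "B": 0.5}."""
    counts = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for d in decisions:
        counts[d.group][1] += 1
        if d.approved:
            counts[d.group][0] += 1
    return {g: approved / total for g, (approved, total) in counts.items()}


def disparate_impact(rates):
    """Lowest selection rate divided by the highest; 1.0 means parity between groups."""
    return min(rates.values()) / max(rates.values())


def unreviewed_adverse(decisions):
    """Adverse automated outcomes that no human reviewed, counted per group."""
    gaps = defaultdict(int)
    for d in decisions:
        if not d.approved and not d.human_reviewed:
            gaps[d.group] += 1
    return dict(gaps)


def assess(decisions, threshold=DISPARATE_IMPACT_THRESHOLD):
    """Bundle the metrics and a list of findings a DPIA record would carry forward."""
    rates = selection_rates(decisions)
    ratio = disparate_impact(rates)
    gaps = unreviewed_adverse(decisions)
    findings = []
    if ratio < threshold:
        findings.append(f"disparate impact ratio {ratio:.3f} is below {threshold}")
    if gaps:
        findings.append(f"adverse decisions applied without human review: {gaps}")
    return {
        "selection_rates": rates,
        "disparate_impact": ratio,
        "unreviewed_adverse": gaps,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in assess(SAMPLE)["findings"]:
        print("FINDING:", line)
```

Run against the constructed sample, the script reports a disparate impact ratio of 0.625 (0.5 / 0.8) and five adverse outcomes for group "B" that were never reviewed; both would become items in the DPIA's mitigation plan rather than conclusions on their own, since a selection-rate gap can have legitimate explanations that the assessment must document.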

Interaction with Section 8 General Obligations

Section 10's enhanced obligations operate in addition to - not instead of - the general obligations under Section 8. Every Significant Data Fiduciary must comply with all Section 8 requirements, including data accuracy (Section 8(1)), reasonable security safeguards (Section 8(3)), breach notification to the Board and affected Data Principals (Section 8(6)), data erasure upon purpose fulfilment or consent withdrawal (Section 8(7)), publication of DPO or grievance officer contact information (Section 8(10)), and grievance redressal. The SDF obligations under Section 10 add layers on top of this foundation. The DPO appointment ensures dedicated, senior-level attention to data protection. The independent audit provides external verification. The DPIA introduces systematic risk assessment. Together, Sections 8 and 10 create a comprehensive governance framework where general obligations set the floor and SDF obligations raise the bar for high-impact organisations. Compliance planning must address both layers - organisations that focus exclusively on Section 10's enhanced obligations while neglecting Section 8's foundational requirements will still face enforcement exposure. An integrated compliance programme that maps all obligations, assigns ownership, sets timelines, and tracks implementation across both sections is essential for SDFs.

  • Section 10 obligations are additional to, not replacements for, Section 8 obligations
  • SDFs must comply with all general obligations plus enhanced SDF-specific requirements
  • Integrated compliance programmes must address both Section 8 and Section 10
  • Neglecting foundational Section 8 obligations creates enforcement exposure even for SDFs
  • Map all obligations across both sections and assign clear ownership and timelines

Preparing for SDF Designation - Practical Steps

Organisations that process personal data at significant scale, handle sensitive categories of data, or operate in sectors with national security or public interest implications should proactively prepare for potential SDF designation rather than waiting for formal notification. Proactive preparation involves several workstreams. First, conduct a self-assessment against the likely designation criteria - evaluate your data processing volume, the sensitivity of data categories you process, your potential impact on sovereignty or electoral democracy, and your overall risk profile. Second, begin the process of identifying and appointing a suitable DPO based in India, even if the appointment is not yet mandatory. Third, evaluate and engage potential independent data auditors, ensuring they have the qualifications and independence needed to conduct credible compliance audits. Fourth, develop DPIA templates and processes aligned with international best practices such as the GDPR's DPIA framework and ISO 29134. Fifth, establish a board-level data protection governance committee that provides oversight, resources, and strategic direction for data protection compliance. Sixth, build comprehensive documentation and record-keeping systems that will support audit readiness and regulatory reporting. By the time formal SDF designation is received, organisations that have followed this preparation roadmap will be positioned to comply efficiently rather than scrambling to build governance structures from scratch under regulatory pressure.

  • Conduct self-assessment against likely SDF designation criteria
  • Identify and prepare to appoint a DPO based in India
  • Evaluate and engage potential independent data auditors
  • Develop DPIA templates aligned with GDPR and ISO 29134 best practices
  • Establish board-level data protection governance committee
  • Build comprehensive documentation and record-keeping systems for audit readiness

How Kraver.ai Helps

Kraver.ai's platform is purpose-built to help organisations meet the enhanced obligations imposed on Significant Data Fiduciaries under Section 10. Our SDF readiness assessment module evaluates your organisation against the likely designation criteria - data volume, sensitivity, sovereignty risk, and electoral impact - providing a clear picture of your SDF exposure before formal notification. The DPO management module supports the appointed Data Protection Officer with a centralised dashboard for regulatory correspondence, grievance tracking, incident management, and compliance reporting, enabling the DPO to fulfil their statutory role effectively. Our independent audit facilitation module creates structured audit workspaces where your appointed auditor can access policies, controls evidence, processing records, and compliance documentation - streamlining the audit process and reducing disruption to business operations. The DPIA module provides structured templates aligned with ISO 29134 and GDPR DPIA guidance, guiding your teams through systematic risk assessments with automated risk scoring, mitigation tracking, and documentation. For algorithmic fairness, Kraver.ai's AI governance module evaluates automated decision-making systems for bias, explainability, and transparency, integrating directly with your DPIA workflows. Our compliance dashboard provides board-level reporting on SDF obligation fulfilment, audit findings, DPIA outcomes, and regulatory interactions. Begin your Significant Data Fiduciary compliance journey with Kraver.ai today.
