Introduction
The Ministry of Electronics and Information Technology (MeitY) is expected to formally designate the first Significant Data Fiduciaries (SDFs) under the Digital Personal Data Protection Act, 2023 (DPDPA) in 2026, one of the most consequential regulatory actions in India's data protection landscape to date. According to analysis by Maheshwari & Co, companies processing the personal data of roughly 5 to 20 million users or more, particularly in e-commerce, social media, and gaming, are expected to receive the designation. With penalties for breaches of SDF-specific obligations reaching up to ₹150 crore per instance (IAPP), organisations must begin preparing now. Yet only 4% of Indian firms currently have proactive compliance systems in place (EY India, 2026), leaving the vast majority exposed to enforcement risk.
What Is a Significant Data Fiduciary?
A Significant Data Fiduciary is a category created by Section 10 of the DPDPA that carries obligations beyond those imposed on every Data Fiduciary. The designation is made by the Central Government by notification, on the basis of the factors listed in Section 10(1). This differs from the GDPR, where enhanced obligations such as DPIAs and DPO appointment are triggered by the nature of the processing itself rather than by a regulator's designation; India's approach creates a two-tier system in which notified SDFs face materially stricter requirements, including an India-based Data Protection Officer, periodic Data Protection Impact Assessments, and an independent data audit. The factors the Central Government considers include:
- Volume of personal data processed — organisations handling data of millions of Data Principals cross the threshold that triggers SDF consideration
- Sensitivity of data — processing health records, financial data, biometric identifiers, or children's data elevates the risk profile
- Risk to Data Principal rights — automated decision-making, profiling, and algorithmic processing that affects individuals' opportunities or access to services
- Potential impact on sovereignty and integrity — organisations whose data processing could affect national security or public order
- Risk to electoral democracy — platforms that can influence public opinion or electoral outcomes through data-driven targeting
Why 2026 Is the Inflection Point
The DPDP Rules notified in November 2025 set a phased compliance timeline, with the Phase 2 obligations, including the SDF-specific requirements, taking effect by November 2026. MeitY has signalled that SDF designations will be issued well before that deadline so that designated organisations have time to prepare. According to Chambers & Partners, MeitY has also considered compressing the compliance window, which could make the SDF enforcement timeline tighter than originally planned. Either way, the timeline leaves little room for delay.
Who Is Likely to Be Designated?
MeitY has not published an official list, but regulatory signals and expert analysis point to categories of organisations that are likely candidates for SDF designation. Maheshwari & Co notes that companies with user bases of 5 to 20 million or more, especially those operating platforms with deep user engagement, are the most obvious candidates. The examples below are illustrative; no organisation has yet been notified as an SDF.
- E-commerce giants — platforms like Flipkart, Amazon India, Meesho, and Myntra that process purchase histories, payment data, addresses, and behavioural profiles of tens of millions of users
- Social media and messaging platforms — WhatsApp, Instagram, Facebook, X (Twitter), ShareChat, and Koo, which process communication metadata, location data, and content preferences at massive scale
- Gaming and entertainment platforms — MPL, Dream11, JioCinema, and Hotstar, which collect behavioural data, payment information, and increasingly biometric data for age verification
- Fintech and digital payments — PhonePe, Paytm, CRED, and Razorpay, which handle sensitive financial data, KYC documents, and transaction histories subject to both RBI and DPDPA oversight
- Healthtech and edtech — Practo, 1mg, BYJU'S, and Unacademy, processing health records, student data, and children's personal data that attract the highest sensitivity classification
- Telecom operators — Jio, Airtel, and Vi, which process location data, call records, and digital footprints of hundreds of millions of subscribers
The SDF Designation Criteria in Detail
Section 10 of the DPDPA empowers the Central Government to notify any Data Fiduciary, or class of Data Fiduciaries, as significant on the basis of an assessment of specific factors. Understanding these factors lets an organisation self-assess whether it is likely to be designated. The PRS Legislative Research analysis notes that the factors are intentionally broad, giving the government substantial discretion.
- Volume and sensitivity — the aggregate volume of personal data processed, combined with the sensitivity categories involved, forms the primary quantitative threshold
- Risk of harm — the potential for processing activities to cause significant harm to Data Principals, including financial loss, reputational damage, or discrimination
- Impact on sovereignty — whether the data processing could affect India's sovereignty, integrity, or security — particularly relevant for organisations with cross-border data flows
- Electoral impact — the potential for data processing to influence or manipulate electoral outcomes, particularly through micro-targeting and algorithmic amplification
- Other factors — the Central Government may also consider the security of the State, public order, and any other factor it deems relevant, providing flexibility to address emerging risks
Data Fiduciary vs. Significant Data Fiduciary: Key Differences
The distinction between a regular Data Fiduciary and an SDF is not merely academic — it translates to materially different compliance obligations, costs, and operational requirements. While all Data Fiduciaries must comply with the DPDPA's baseline requirements around consent, security safeguards, and Data Principal rights, SDFs face a significantly expanded obligation set.
- Data Protection Officer (DPO) — SDFs must appoint a DPO who is based in India, represents the SDF under the Act, is the point of contact for the grievance redressal mechanism, and is responsible to the board of directors or equivalent governing body. Regular fiduciaries have no DPO requirement, although every fiduciary must publish the business contact details of a person who can answer Data Principals' questions about their personal data. See our guide on hiring a DPO in India
- Data Protection Impact Assessments — SDFs must conduct periodic DPIAs to evaluate risks arising from their processing activities. The Act imposes no DPIA requirement on regular fiduciaries
- Independent audits — SDFs must appoint an independent data auditor to carry out periodic audits of their compliance with the Act and report the findings to the DPBI. Regular fiduciaries face no mandatory audit requirement
- Cross-border restrictions — SDFs may face additional restrictions on transferring personal data outside India, beyond the general negative-list approach applicable to all fiduciaries
- Breach reporting — the Act and the Rules impose the same breach notification duty on every fiduciary: inform affected Data Principals and the DPBI without delay, followed by a detailed report to the DPBI within 72 hours. No separate SDF timeline is prescribed, but an SDF's data volumes, DPO accountability and audit trail mean its breach handling will attract closer scrutiny from the DPBI
Obligations Unique to Significant Data Fiduciaries
The enhanced obligation set for SDFs is designed to ensure that organisations processing data at scale maintain the highest standards of data protection. These obligations create significant operational and financial commitments that require advance planning. According to PwC, full compliance is expected by May 2027, but SDF-specific obligations under Phase 2 will be enforceable by November 2026.
- India-based DPO appointment — the DPO must be an individual based in India who is responsible to the board of directors or similar governing body, and whose business contact details are published so that Data Principals and the DPBI can reach them
- Periodic DPIA execution — DPIAs must evaluate the necessity and proportionality of processing, the risks to Data Principal rights, and the safeguards in place. Significant findings must be reported to the DPBI
- Regular independent audits — annual audits by an independent data auditor, covering technical controls, organisational measures, and policy compliance, with significant findings reported to the DPBI
- Algorithmic due diligence — SDFs must verify that the algorithmic software they use to host, display, upload, share or otherwise process personal data does not pose a risk to the rights of Data Principals
- Enhanced record-keeping — detailed logs of all processing activities, consent records, DPIA results, audit reports, and breach incidents must be maintained and available for inspection
Penalties for SDF Non-Compliance
The penalty framework under the DPDPA applies with particular force to SDFs, because their additional obligations create an extra violation category on top of those every fiduciary faces. As the IAPP has documented, a breach of the SDF-specific obligations can attract a penalty of up to ₹150 crore, and the Schedule to the Act allows penalties for separate breaches arising from the same incident to be imposed cumulatively.
- ₹150 crore — for breach of the additional obligations of an SDF under Section 10, such as failure to appoint an India-based DPO, failure to conduct the required DPIAs, or failure to complete the independent audit (penalties are imposed under Section 33 read with the Schedule)
- ₹250 crore — for failure to implement reasonable security safeguards under Section 8(5), applicable to all fiduciaries but with heightened scrutiny for SDFs given their data volumes
- ₹200 crore — for failure to notify the DPBI and affected Data Principals of a personal data breach, with SDFs additionally facing the separate CERT-In incident reporting requirement
- Cumulative exposure — a single data breach could trigger all three categories at once, giving an SDF that failed on security safeguards, breach notification, and its SDF-specific obligations a maximum exposure of ₹600 crore for one incident
SDF Compliance Checklist for 2026
Organisations that believe they may be designated as SDFs should begin preparing now. The compliance journey for SDFs is substantially more complex than for regular Data Fiduciaries, and the operational changes required — from appointing an India-based DPO to establishing independent audit processes — take months to implement properly.
- Self-assessment — evaluate your data processing volumes, sensitivity categories, and risk factors against the Section 10 criteria to determine your likelihood of designation
- DPO recruitment — begin the search for a qualified, India-based Data Protection Officer with the seniority and expertise required under the Act. See our DPO hiring guide
- DPIA framework — establish a DPIA methodology and conduct an initial assessment across all major processing activities
- Audit readiness — engage with independent auditors, establish audit scopes, and conduct a gap assessment to identify remediation priorities
- Data mapping — complete a comprehensive inventory of all personal data processing activities, including data discovery and mapping across all systems
- Breach response automation — implement automated breach detection and notification workflows that meet both DPDPA and CERT-In timelines
- Board-level governance — establish data protection governance at the board level, including regular reporting from the DPO and oversight of DPIA results
- Cross-border review — audit all cross-border data transfers and prepare for potential additional restrictions that may apply specifically to SDFs
How Kraver.ai Helps With SDF Compliance
Kraver.ai's AI-native platform is purpose-built to handle the enhanced compliance demands that Significant Data Fiduciaries face. Our automated data discovery engine maps personal data across hundreds of systems in weeks rather than months, giving your DPO immediate visibility into processing activities. The platform's built-in DPIA and audit modules generate assessment-ready reports that satisfy DPBI submission requirements, while our breach notification automation ensures you meet the strictest timelines under both DPDPA and CERT-In. With Kraver.ai, organisations can reduce SDF compliance preparation from 12+ months to under 90 days — transforming what would otherwise be a massive operational burden into a streamlined, auditable process.