Introduction
The Digital Personal Data Protection Act, 2023 (DPDPA) creates a two-tier obligation framework. All organisations processing personal data must comply with the Act's baseline requirements - consent, notice, security safeguards, and Data Principal rights. However, a subset of organisations designated as Significant Data Fiduciaries (SDFs) face substantially higher obligations that reflect the greater risk their data processing activities pose to individuals and society. Understanding whether your organisation qualifies or is likely to qualify as an SDF - and what that designation entails - is critical for compliance planning, budgeting, and organisational design. The additional obligations are not trivial; they require dedicated personnel, governance structures, and ongoing investment in compliance infrastructure.
Who Qualifies as a Significant Data Fiduciary?
The Central Government designates Significant Data Fiduciaries based on an assessment of risk factors specified in the Act and elaborated in the DPDP Rules. The designation is not automatic - it follows a formal process that includes notice to the organisation and an opportunity to make representations. However, organisations that meet certain thresholds should proactively prepare for designation rather than waiting for formal notification. The factors considered include the volume and sensitivity of personal data processed, the risk of harm to Data Principals arising from the processing, potential impact on India's sovereignty and integrity, risk to electoral democracy, security of the state, and public order. In practice, large technology platforms, telecom operators, financial institutions, healthcare networks, and e-commerce marketplaces are the most likely candidates for SDF designation.
- Volume of personal data: organisations processing data of a large number of Data Principals cross the quantitative threshold
- Sensitivity of data: processing health, financial, biometric, or children's data increases the likelihood of designation
- Nature of processing: automated decision-making, profiling, and behavioural tracking are high-risk activities
- Impact on vulnerable populations: processing data of children or persons with disabilities receives heightened scrutiny
- Sector-specific considerations: regulated industries like banking, telecom, and healthcare are prime candidates
- Scale of operations: national or multi-state operations with large customer bases are more likely to be designated
Appointing a Data Protection Officer
The most visible additional obligation for Significant Data Fiduciaries is the mandatory appointment of a Data Protection Officer (DPO). The DPO must be based in India and must be a senior individual with sufficient authority, independence, and access to resources to fulfil their role effectively. The DPO serves as the primary point of contact for the Data Protection Board of India (DPBI) and for Data Principals exercising their rights. They are responsible for overseeing the organisation's compliance programme, advising on Data Protection Impact Assessments, monitoring adherence to internal policies, and serving as the liaison during regulatory inquiries or investigations. The DPO must report directly to the board of directors or the highest management body, ensuring that data protection issues receive appropriate executive attention. Importantly, the DPO must not have a conflict of interest - they should not hold a position that determines the purposes and means of data processing, such as head of marketing or CTO.
Data Protection Impact Assessments
Significant Data Fiduciaries must conduct periodic Data Protection Impact Assessments (DPIAs) to evaluate the risks their data processing activities pose to Data Principals. A DPIA is a systematic analysis that identifies the nature, scope, context, and purposes of processing; assesses the necessity and proportionality of processing relative to the stated purposes; evaluates the risks to Data Principals' rights; and identifies measures to mitigate those risks. The DPDP Rules specify that DPIAs must be conducted at least annually and whenever a significant change is made to processing activities - such as adopting new technology, entering new markets, or processing new categories of personal data. The DPIA report must be submitted to the Data Protection Board and retained for a specified period. For organisations using AI and automated decision-making systems, DPIAs must specifically assess the risk of algorithmic bias, discriminatory outcomes, and lack of transparency in decision-making processes.
- Annual DPIAs covering all significant data processing activities
- Triggered DPIAs for new processing activities, technologies, or significant changes to existing processes
- Assessment of algorithmic risks for AI and automated decision-making systems
- Documentation of identified risks and mitigation measures
- Submission of DPIA reports to the Data Protection Board of India
Periodic Audits and Independent Assessments
SDFs must undergo periodic audits of their data processing activities by an independent data auditor. These audits verify that the organisation's actual practices align with its stated policies and DPDPA requirements. The auditor must be independent of the organisation - internal audit teams cannot fulfil this requirement. The audit scope covers the entire data processing lifecycle, from collection and consent through storage, processing, sharing, and deletion. The auditor assesses the effectiveness of security safeguards, the completeness and accuracy of the data inventory, the functioning of consent management and Data Principal rights workflows, and the organisation's breach detection and response capabilities. Audit reports must be submitted to the DPBI and any material findings must be addressed within specified remediation timelines. Organisations should select auditors with expertise in Indian data protection law and the technical capacity to assess complex data ecosystems.
Algorithmic Transparency and Fairness
The DPDPA and its rules impose specific obligations on Significant Data Fiduciaries regarding the algorithms and automated systems they use to process personal data. SDFs must ensure that their algorithms do not pose risks to Data Principals' rights, including risks of discrimination, unfair treatment, or decisions that significantly affect individuals without adequate transparency. This obligation requires SDFs to maintain documentation of the algorithms they use, the data they are trained on, and the safeguards in place to prevent harmful outcomes. For organisations deploying AI systems for credit scoring, insurance underwriting, hiring, content moderation, or similar high-stakes decisions, this obligation demands robust testing, bias detection, and explainability measures. The rules also require SDFs to provide meaningful information to Data Principals about automated decisions that significantly affect them, including the logic involved and the significance of the processing.
Cross-Border Transfer Obligations for SDFs
While the general cross-border transfer framework under Section 16 applies to all Data Fiduciaries, Significant Data Fiduciaries may face additional restrictions. The Central Government retains the power to impose data localisation requirements specifically on SDFs, requiring certain categories of personal data to be stored and processed exclusively within India. Even absent explicit localisation mandates, SDFs are expected to implement stricter safeguards for cross-border transfers, including comprehensive transfer impact assessments and enhanced contractual protections with overseas recipients. SDFs must maintain a detailed register of all cross-border data transfers, including the recipient country, the legal basis for transfer, the categories of data transferred, and the safeguards in place. This register must be made available to the DPBI upon request.
Governance and Reporting Obligations
Beyond the specific obligations outlined above, Significant Data Fiduciaries must establish a comprehensive data protection governance framework that integrates data protection into the organisation's overall corporate governance structure. This includes regular reporting to the board of directors on the organisation's data protection posture, compliance status, and any material incidents or risks. The DPO must present periodic reports covering the status of ongoing DPIAs, audit findings and remediation progress, Data Principal rights requests and their disposition, breach incidents and response actions, and changes in the regulatory landscape. SDFs must also publish a clear and accessible privacy policy that describes their data processing activities in language that Data Principals can understand, and update this policy whenever material changes occur.
- Quarterly board-level reporting on data protection compliance status
- Annual compliance certificate signed by the DPO and submitted to the DPBI
- Published privacy policy updated to reflect current processing activities
- Internal training programmes for employees handling personal data
- Documented incident response and escalation procedures
- Records of all DPIAs, audits, and remediation actions maintained for regulatory review
How Kraver.ai Supports Significant Data Fiduciary Compliance
Kraver.ai provides a purpose-built compliance suite for organisations designated or preparing for designation as Significant Data Fiduciaries. Our platform includes a DPO dashboard that provides real-time visibility into compliance posture, pending rights requests, open audit findings, and upcoming DPIA deadlines. The automated DPIA module guides your team through structured assessments with pre-built templates aligned to DPDP Rules requirements. Our audit management module tracks findings, assigns remediation tasks, and generates submission-ready reports for the DPBI. Algorithmic risk assessment tools evaluate your AI systems for bias, fairness, and transparency compliance. Cross-border transfer monitoring tracks all international data flows and maintains the detailed register the rules require. With Kraver.ai, the enhanced obligations of Significant Data Fiduciary designation become manageable, auditable, and integrated into your day-to-day operations.