Significant Data Fiduciary (SDF)

Who gets designated, the extra DPDP obligations that follow, and the ₹150 Cr penalty tier for getting it wrong
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

What Is a Significant Data Fiduciary?

Under the DPDP Act, 2023, every business that decides how and why personal data is processed is a Data Fiduciary. But some businesses handle so much data, or such risky data, that the law puts them in a special category: the Significant Data Fiduciary (SDF).

An SDF is not something you choose to become. It is a government designation, made on the basis of factors such as the volume of personal data you process, the sensitivity of that data, and the risk your processing poses to individuals. Once designated, a set of extra obligations kicks in on top of everything every Data Fiduciary must already do, and failing those extra duties carries its own penalty tier of up to ₹150 crore per violation.

High-volume, high-risk sectors such as finance, NBFCs, and insurance are considered likely SDF candidates. If that sounds like your business, the time to prepare is before the designation arrives, not after.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

How SDF Designation Works

The government designates Significant Data Fiduciaries based on a mix of factors.

  • Volume of data: how much personal data your business processes, and about how many people
  • Sensitivity of data: financial records, health data, and other high-impact categories raise the stakes
  • Risk of harm: what a misuse or breach of your data could do to the individuals behind it
  • Government designation: the label is applied by the government, so you cannot opt out once selected

The Four Extra SDF Obligations

These duties apply in addition to the standard DPDP obligations: consent, notices, security safeguards, breach reporting, and user rights handling.

India-Based DPO

Appoint a Data Protection Officer based in India, at a senior level, reporting directly to the board, with published contact details.

Annual Independent Audits

Get your data protection practices audited every year by an independent auditor, not just an internal review.

Periodic DPIAs

Run Data Protection Impact Assessments periodically to identify and document the risks your processing creates, and how you mitigate them.

Algorithmic Due Diligence

Verify that the algorithms and automated systems you use to process personal data do not create risks of harm to data principals.

What SDF Failures Cost

ViolationMaximum Penalty
Significant Data Fiduciary duty failures₹150 Crore
No reasonable security safeguards₹250 Crore
Failure to report a data breach₹200 Crore
Other violations₹50 Crore

Penalties apply per violation, with no discount for business size, and a single incident can stack multiple violations at once. An SDF that suffers a breach could face SDF duty failures, security safeguard failures, and breach reporting failures in the same case.

SDF Preparation Cannot Start Late

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and SDF duties like DPO appointment and audits take planning on top of that.

Assess My SDF Exposure Free

Want the Complete DPDP Picture?

SDF duties are one layer of the law. Get the full view of deadlines, penalties, obligations, and the compliance roadmap on our main DPDP guide.

Learn Everything About DPDP Compliance

Significant Data Fiduciary: Frequently Asked Questions

What is a Significant Data Fiduciary under the DPDP Act?

An SDF is a Data Fiduciary that the government specifically designates based on the volume of personal data it processes, the sensitivity of that data, and the risk the processing poses. The designation brings extra obligations on top of the normal DPDP duties.

Could Your Business Be Designated an SDF?

Find out where you stand, and what an SDF designation would mean for you, with a free DPDP gap audit.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.