India's Digital Personal Data Protection (DPDP) Act applies to every Data Fiduciary — but a subset of organisations carry a heavier load. If the Central Government notifies you as a Significant Data Fiduciary (SDF), you inherit three additional, audit-visible obligations on top of every baseline duty: a Data Protection Officer based in India and answerable to your Board, an independent data audit, and periodic Data Protection Impact Assessments. This is the obligation map, who gets designated, and how to be ready before the notification rather than after.
An SDF is not a category you opt into; it is one the government designates. Under the Act, the Central Government may notify a Data Fiduciary or a class of them as significant based on factors including the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential effect on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Large consumer platforms, major BFSI and fintech players, big health-data and ad-tech processors, and telecoms are the obvious candidates. The framing below draws on the Act and the DPDP Rules; verify exact thresholds against the latest notified Rules, as the operational detail lives there.
The three SDF obligations
Section 10 of the Act sets out the additional duties for an SDF. Each is designed to be externally visible — a named accountable person, an independent assurance opinion, and a documented risk assessment — so the regulator can test compliance without sitting inside your systems.
| Obligation | What it requires | What you must be able to show |
|---|---|---|
| Data Protection Officer (DPO) | An individual based in India, responsible to the Board or governing body; the point of contact for grievance redressal | DPO appointment, India residency, Board reporting line, published contact channel |
| Independent data audit | Appoint an independent data auditor to evaluate compliance with the Act | Auditor engagement, scope, and the audit report with findings and closure |
| Periodic DPIA + audit | Undertake Data Protection Impact Assessments and periodic audits, plus other prescribed measures | DPIA records per high-risk processing, periodicity, and remediation trail |
Significant Data Fiduciary — the three additional obligations
1. A Data Protection Officer — in India, answerable to the Board
The DPO requirement is more specific than the EU's. The Act requires the DPO to be based in India and to be responsible to the Board of Directors or the equivalent governing body — meaning the role cannot be a distant group-privacy function or a purely advisory contractor. The DPO is also the published point of contact for grievance redressal, so the appointment has to be real, resourced, and reachable by Data Principals.
- Appoint a DPO who is genuinely based in India, with a documented reporting line to the Board or governing body.
- Resource the role — authority to influence processing decisions, access to the Board, and a grievance-handling workflow behind the published contact.
- Publish the DPO contact and wire it into your notice, privacy policy, and Data-Principal request channels.
2. An independent data audit
An SDF must appoint an independent data auditor to evaluate its compliance with the Act. 'Independent' is the operative word — the auditor must be able to render an objective opinion, which means separating the audit from the team that built and runs the processing. Treat this like a financial audit: defined scope, evidence-based testing of the baseline and SDF obligations, a report with findings, and tracked closure.
3. Periodic Data Protection Impact Assessment
A DPIA is a structured review of a processing activity: what personal data is processed, for what purpose and on what lawful basis, the risks to Data Principals, and the measures that manage those risks. For an SDF the Act expects DPIAs to be periodic — tied to new or changed high-risk processing — alongside periodic audits and any further measures the Rules prescribe.
- Maintain a data-processing inventory — systems, purposes, lawful basis, retention, cross-border flows and processors — as the foundation every DPIA reads from.
- Trigger a DPIA on any new or materially changed high-risk processing (new data category, new purpose, new third party, profiling, large-scale or sensitive processing).
- Document residual risk and the controls that reduce it; route material residual risk to the DPO and Board for a decision.
- Re-run DPIAs periodically and feed their findings into the independent data audit so the two reinforce rather than duplicate.
SDF vs the GDPR's 'high-risk' regime
| | DPDP Significant Data Fiduciary | GDPR 'high-risk' regime |
|---|---|---|
| Designation | Designated by the Central Government, not self-assessed | DPO required on defined triggers, self-assessed |
| DPO | Must be based in India and responsible to the Board | Can sit anywhere, independent of management |
| Audit | Mandatory independent data audit of Act compliance | No blanket independent-audit mandate |
| DPIA | Periodic DPIA + periodic audit as standing duties | DPIA required for high-risk processing, not a periodic audit pairing |
The practical takeaway for multinationals: a mature GDPR programme is a strong head start but not a drop-in. The India-residency and Board-responsibility of the DPO, the standing independent data audit, and the government-designation model are DPDP-specific. Map your existing privacy controls onto the DPDP and SDF obligations rather than assuming equivalence.
Your next 30 / 60 / 90 days
- Assess SDF likelihood honestly against the designation factors — volume and sensitivity of data, risk to principals, and the public-interest dimensions. If you are a large consumer, BFSI, fintech, health or ad-tech processor, prepare as if designation is coming.
- Build the data-processing inventory and data-flow map — nothing downstream works without it.
- Appoint (or formally designate) an India-based DPO with a real Board reporting line and a working grievance channel; publish the contact.
- Stand up the DPIA process and run it against your highest-risk processing first.
- Commission a readiness data audit so the statutory independent audit confirms control rather than finding gaps.
- Tighten the breach-response path — detection, notification to your own Board and to the Data Protection Board of India, and notification to affected Data Principals — and rehearse it.
How Macksofy helps
Macksofy helps Data Fiduciaries and prospective SDFs get DPDP-ready and stay ready: data-flow mapping and DPIAs, readiness data audits ahead of the statutory independent audit, DPO-function and grievance-workflow design, and the technical assurance — VAPT, breach-readiness and DFIR — that the security-safeguards duty demands. See our Significant Data Fiduciary engagement, the baseline DPDP readiness audit, VAPT for the reasonable-security-safeguards testing, DFIR for breach readiness and response, the CERT-In empanelled audit for the related incident-reporting workflow, and our SaaS & fintech practice for how we tailor this to data-heavy platforms.
