Significant Data Fiduciary Under India’s DPDP Act: Boardroom Duties, DPO Role, DPIAs and AI Risk Governance
On most days, the platform measured itself in carts, orders, and delivery times. If the graphs on the dashboard were moving up and to the right, everyone slept well. One quarterly review, the Compliance Head walked into the boardroom with a different set of slides. Not GMV, not conversions, not time‑to‑delivery.
“It’s the profiles,” she said. “Addresses, phone numbers, saved cards, purchase histories, returns, complaints, chat transcripts. We now hold detailed personal data on more than ten million people across India.”
The room went quiet in a way that had nothing to do with revenue.
A few weeks later, a short notification from the Government arrived. The platform had been classified as a Significant Data Fiduciary (“SDF”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), a designation the Central Government is empowered to confer under Section 10.
Nothing visible changed that day. The app still opened, orders still shipped, the home page carousel still spun. But the centre of gravity inside the company shifted.
For the first time, the Board had to look at the business not only as a marketplace, but as a system that could quietly shape, or damage, the lives of the people behind all that data.
Significance Is a Measure of Risk, Not Size
The DPDP Act does not merely regulate how personal data is collected or processed. It observes. It weighs. And, in certain cases, it decides that a company’s relationship with personal data carries consequences that extend beyond private enterprise. That decision is expressed in a single designation: Significant Data Fiduciary.
It is not a title a company claims for itself. It is a status conferred by the State, after assessing the scale, sensitivity, and potential impact of the data involved. The law, in effect, acknowledges that some organisations do not merely process personal data. They shape environments in which rights, choices, and vulnerabilities are exposed.
The DPDP Act is careful in what it counts. Revenue, valuation, and market share are irrelevant. What matters instead is the volume of personal data, its nature, and the degree of harm that could follow from its misuse. The focus is not on what the organisation earns, but on what it could affect, including factors like individual autonomy and public trust.
In classifying an entity as an SDF, the Government is not imposing a penalty. It is acknowledging influence. And influence, in law, invites restraint.
The Entry of the Data Protection Officer
Among the most telling of these obligations is the requirement to appoint a Data Protection Officer. Under Section 10(2) of the DPDP Act, read with Rule 13 of the DPDP Rules, an SDF must appoint a Data Protection Officer based in India, responsible to the Board, whose contact details are published as the primary point of contact for the Data Protection Board of India and for Data Principals’ grievances.
The DPDP Act does not treat this role as a compliance buffer. The Data Protection Officer is not meant to absorb regulatory friction so that leadership can remain insulated. The officer is in fact positioned deliberately closer to power, answerable to the Board, located within India, and authorised to represent the organisation before the Data Protection Board.
This design is neither accidental nor symbolic. It reflects an insistence that responsibility for personal data must sit where decisions are made. When questions are raised, the law does not seek explanations through layers. It seeks accountability through presence.
Annual Reckonings: DPIAs and Audits
Under Section 10(2) and Rule 13 of the DPDP Rules, 2025, SDFs must also undertake, once every twelve months, a Data Protection Impact Assessment and a data audit by an independent auditor. These exercises compel organisations to examine not just what they are doing, but what their systems might do to those whose data they hold. Risks must be identified not after harm occurs, but while decisions are still malleable.
This rhythm signals a deeper shift. The law is no longer content with intention. It demands foresight.
When Technology Loses Its Neutrality
Perhaps the most consequential move lies in the treatment of algorithms. The Rules require SDFs to observe due diligence so that the technologies and algorithmic software they deploy are not likely to pose a risk to Data Principals’ rights. In doing so, the law acknowledges what has long been tacit: technological systems are not neutral actors. They encode priorities, assumptions, and exclusions.
For the data protection law in India, this is a quiet but decisive step. It recognises that harm need not be deliberate to be real, and that governance must extend to systems as much as to policies.
What This Means for Leadership
To be designated an SDF is a test of institutional maturity. Leadership is required to engage not just with outcomes, but with processes; not merely with growth, but with restraint. Accountability becomes continuous, not event-driven. Leadership should:
- Anchor accountability at Board level: Put data protection and SDF obligations on the Board/committee agenda, assign a named Board champion for data protection, and ensure regular reporting on DPIAs, audits, and breach/complaint trends.
- Back the DPO with authority and resources: Appoint a qualified DPO who reports to the Board, give them independent access to leadership and formalise escalation pathways for red flags.
- Institutionalise DPIAs and annual data audits: Approve a yearly DPIA and data‑audit calendar, insist on written remediation plans, and track closure of high‑risk items.
- Build a living data‑governance framework: Mandate an organisation‑wide data‑mapping exercise, define clear roles (data owners, stewards, processors), and align controls with requirements under the DPDP Act.
- Integrate DPDP into strategy and culture: Mandate regular trainings across the organisation that are specific to different teams.
SDF Readiness Checklist – What to do now?
- Confirm likely SDF status: Assess volume and sensitivity of personal data, high‑risk use cases (profiling, AI/ML, children, financial/health data, etc.), and reliance on large‑scale platforms or critical infrastructure that match Section 10 and Rule 13 risk factors.
- Pre‑identify your DPO and auditor: Shortlist a DPO based in India who can report to the Board, and an independent data auditor, and define their mandates, escalation paths, and Board‑reporting cadence in advance.
- Design your first DPIA and audit cycle: Define a DPIA framework and annual audit plan focused on highest‑risk products, models, and data flows, with clear timelines, outputs, and remediation tracking.
- Map high‑risk technologies and vendors: Catalogue algorithms, AI models, and third‑party tools that process personal data, ensure they are covered in DPIAs and audits, and build due‑diligence controls and contractual obligations around them.
Wrapping Up
Most regulations can be managed from a distance. However, under the DPDP Act and Rules, once an organisation is notified as an SDF, compliance moves inside the frame. It stops sitting at the perimeter and starts shaping decision-making, boardroom conversations, and the way systems are designed.
That weight comes with a possibility as well as a burden. In an economy built on invisible data flows, trust has become the most visible competitive advantage. Organisations that treat the SDF regime not as an overhead but as a governance philosophy will be read very differently by regulators, customers, and partners.
The question, then, is no longer whether the law will influence behaviour. It is whether leadership chooses to do the minimum required to avoid penalties, or to exercise deliberate stewardship and turn compliance into a long‑term trust asset.