Under the Digital Personal Data Protection (DPDP) Act, 2023, not all organisations are treated equally.
Some organisations that handle large volumes of personal data – or sensitive, high-risk data – can be classified as Significant Data Fiduciaries (SDFs). This classification brings additional compliance obligations beyond standard DPDP requirements.
This guide explains:
- What an SDF is
- Who can be classified as an SDF
- What extra rules apply
- What HR and leadership teams should prepare for
What Is a Significant Data Fiduciary (SDF)?
A Significant Data Fiduciary is an organisation that the Government of India notifies as significant, based on the risk its data processing poses to individuals.
This is not a voluntary label.
You become an SDF only when notified.
Who Can Be Classified as an SDF?
The government may designate an organisation as an SDF based on factors such as:
- Volume of personal data processed
- Sensitivity of the data (health, financial, identity data)
- Risk of harm to individuals
- Use of new or emerging technologies
- Impact on electoral democracy or public order
Important:
Revenue, company size or headcount alone do not decide SDF status.
SDF vs Non-SDF: Key Differences at a Glance
| Area | Non-SDF | Significant Data Fiduciary (SDF) |
| --- | --- | --- |
| DPO appointment | Not mandatory | Mandatory (India-based) |
| DPIA | Not mandatory | Mandatory for high-risk processing |
| Compliance audits | Recommended | Mandatory & periodic |
| Regulatory scrutiny | Standard | Higher & ongoing |
| Governance expectations | Basic DPDP compliance | Enhanced accountability & documentation |
| Vendor oversight | Required | Stricter, continuous monitoring |
Examples of Organisations Likely to Qualify
While no blanket list exists, organisations more likely to be notified include:
- Large employers processing extensive employee data
- HRMS, payroll, BGV and benefits platforms
- Healthcare and wellness providers
- Fintech and insurance companies
- Edtech platforms handling student data
- Platforms using AI for profiling or decision-making
What Extra Rules Apply to SDFs?
Once notified as an SDF, additional obligations apply.
1. Appointment of a Data Protection Officer (DPO)
- Must appoint a Data Protection Officer
- DPO must be India-based
- DPO acts as the primary contact for:
  - Data Principals (individuals)
  - The Data Protection Board of India
2. Mandatory Data Protection Impact Assessments (DPIA)
- Must conduct DPIAs for high-risk processing activities
- DPIAs assess:
  - Risk to individuals
  - Necessity and proportionality
  - Safeguards in place
3. Regular Compliance Audits
- Periodic DPDP compliance audits are mandatory
- Audits must assess:
  - Security safeguards
  - Vendor controls
  - Data lifecycle management
4. Enhanced Governance & Accountability
SDFs are expected to:
- Maintain stronger internal documentation
- Implement advanced security measures
- Closely monitor processors and vendors
- Demonstrate compliance proactively
HR Readiness Checklist for SDFs
If your organisation is (or may become) an SDF, HR should confirm:
☐ A clear data inventory of employee & candidate data
☐ Documented retention and deletion timelines
☐ Formal access control and role-based permissions
☐ Vendor DPDP due diligence and DPA clauses in place
☐ Breach response and escalation SOP defined
☐ Ability to support data principal rights (access, correction, deletion)
☐ Regular HR data audits and documentation
☐ Alignment with Legal, IT and Security teams
What This Means for HR Teams
If your organisation is an SDF (or likely to become one):
- HR processes will face greater scrutiny
- Vendor due diligence becomes non-negotiable
- Data retention, access control and deletion must be formalised
- HR will need to work closely with Legal, IT and Security
- Informal or manual processes become high-risk
Are You Likely to Be Classified as an SDF? (Quick Self-Assessment)
Ask yourself:
- Do we process large volumes of employee or candidate data?
- Do we handle sensitive data (health, financial, identity)?
- Do we use AI, automation or profiling in HR decisions?
- Could a data breach cause serious harm to individuals?
- Do we operate platforms or services impacting many users?
If you answer “yes” to multiple questions, you should prepare for SDF-level obligations, even before notification.
What If You’re Not an SDF?
Even if you are not classified as an SDF:
- Core DPDP obligations still apply
- Breach response, vendor governance and purpose limitation remain mandatory
- Being “small” does not exempt you from compliance
Key HR Takeaway
SDF status is about risk, not reputation.
Organisations that process:
- Large volumes of people data
- Sensitive or high-impact data
- Technology-driven decision-making
should build SDF-level readiness early, not wait for formal notification.
Final Thought
Significant Data Fiduciaries are held to a higher standard of care under DPDP.
The best-prepared organisations:
- Build SDF-level governance early
- Fix HR data practices now
- Avoid last-minute compliance firefighting later