DPDP Act 2023: Significant Data Fiduciaries and Mandatory Obligations by November 2025

  • Writer: Kaustav Chowdhury
  • Apr 14

India's Digital Personal Data Protection Act, 2023 introduced the category of Significant Data Fiduciaries (SDFs): a class of data fiduciaries that carry enhanced obligations on top of those that apply to every data fiduciary. The Central Government notifies an entity, or a class of entities, as an SDF after weighing factors such as the volume and sensitivity of the personal data it processes and the risk its processing poses to data principals, and the DPDP Rules, 2025, notified on November 13, 2025, set the phased timeline under which these obligations take effect. Once designated, an SDF must, among other things, appoint a Data Protection Officer based in India, engage an independent data auditor, and carry out periodic Data Protection Impact Assessments.

Definition and Identification of Significant Data Fiduciaries

Section 10 of the DPDP Act does not set numeric thresholds for SDF status. Instead it empowers the Central Government to notify any data fiduciary, or class of data fiduciaries, as an SDF after considering the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Large technology platforms, telecommunications operators, financial institutions, and e-commerce companies serving millions of users are the likeliest candidates on volume alone. The government may also designate entities whose volume is modest but whose data is sensitive, such as healthcare providers handling medical records. An entity cannot self-certify into or out of the category: SDF status attaches only on notification by the Central Government, so organizations should assess their exposure against the Section 10 factors and watch for a notification that covers them or their sector. Given India's population and the pace of its digital expansion, a large number of organizations operating in India can expect to fall within a notified class.

Mandatory Obligations for Significant Data Fiduciaries

Under Section 10(2) of the Act, an SDF must appoint a Data Protection Officer (DPO) who is based in India, represents the SDF under the Act, is responsible to the board of directors or an equivalent governing body, and serves as the point of contact for the grievance redressal mechanism. The Act does not itself bar a DPO from holding other roles, but a DPO who also owns the processing under review cannot credibly report on it, so in practice the role should be kept independent of operational data responsibilities. An SDF must also appoint an independent data auditor to evaluate its compliance with the Act, and must carry out periodic Data Protection Impact Assessments (DPIAs) and periodic audits; the DPDP Rules, 2025 require both at least once every twelve months, with significant observations reported to the Data Protection Board. A DPIA should describe the processing, identify the risks it poses to data principals, and record the mitigations adopted. The Rules additionally require an SDF to exercise due diligence to verify that any algorithmic software it deploys to process personal data is not likely to pose a risk to the rights of data principals, and to observe any restrictions the Central Government specifies on transferring particular categories of personal data outside India. Records of processing activities, consent, breach incidents, DPIA reports, and audit reports should be maintained so that they can be produced to the Board. Breach of the additional obligations imposed on SDFs under Section 10 attracts a penalty of up to INR 150 crore (1.5 billion) under the Schedule to the Act; the Act's highest penalty, up to INR 250 crore (2.5 billion), is reserved for failure to maintain reasonable security safeguards and applies to every data fiduciary, SDF or not.

Timeline and Compliance Planning

The DPDP Rules, 2025 bring the Act into force in three phases. Phase 1, which establishes the Data Protection Board and the rules governing it, took effect on November 13, 2025. Phase 2, covering the registration and obligations of consent managers, takes effect on November 13, 2026. Phase 3, covering most substantive obligations of data fiduciaries, including the additional obligations of SDFs, takes effect on May 13, 2027. Planning should not wait for Phase 3: recruiting a DPO, contracting an auditor, and completing a first DPIA each take months, and a Central Government notification designating an entity or sector as an SDF can be issued at any time, with the Section 10 obligations applying from the later of the designation and the Phase 3 commencement date. The consent manager framework in Phase 2 does not oblige a fiduciary to route consent through a consent manager; it allows data principals to give, manage, review, and withdraw consent through a consent manager registered with the Board, and every fiduciary, SDF or otherwise, must honour consent and withdrawals received that way. Organizations should therefore understand how registered consent managers will interface with their own consent records before that obligation arrives.

Practical Takeaways

Companies processing personal data at scale should prepare now to meet SDF obligations, even though formal designation may not arrive until 2027. Identify or recruit a Data Protection Officer based in India who reports to the board and is kept independent of operational data roles. Engage an independent data auditor and run a first DPIA on the major processing systems so that the annual cycle starts from a baseline rather than from nothing. Build the record-keeping needed to show processing purposes, consent, breaches, and audit findings on demand. Track Central Government notifications for the classes of fiduciaries designated as SDFs and assess where your organization sits against the Section 10 factors. Brief the board on DPDP obligations and on the penalty exposure under the Schedule. Organizations that will not be SDFs should still put the baseline data fiduciary controls in place now; the SDF regime adds to those controls rather than replacing them, and the security safeguard and breach notification penalties apply to everyone. Early work of this kind is what avoids emergency remediation once a designation lands.
