DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ General awareness

General awareness

Significant Data Fiduciary status is not a size threshold you cross

A common reading treats Significant Data Fiduciary status as an automatic tier. Cross some user or revenue line and you become one. Stay under it and you never do.

That is not how Section 10 works.

SDF status is not something you calculate. The Central Government confers it, by notification, on a particular Data Fiduciary or a whole class.

It does not turn on a single number. The notification weighs several factors: the volume and sensitivity of the personal data, the risk to Data Principals' rights, and wider public interests such as the sovereignty and integrity of India, the security of the State, electoral democracy, and public order.

Two things follow

First, no line automatically makes you an SDF. A smaller organisation handling especially sensitive data could be notified; a much larger one handling low risk data might never be.

Second, and here most people slip: SDF gets confused with a different regime. The Third Schedule sets user count thresholds, two crore for e-commerce and social media, fifty lakh for online gaming. Those are automatic and size based, but they govern retention and erasure, not SDF status. Crossing two crore does not make you a Significant Data Fiduciary. One is an automatic duty about how long you keep data; the other is a discretionary designation on mixed factors. They are not the same trigger.

The mental model

An SDF designation is received, not calculated. Size shortens the odds. It does not pull the trigger.

When the notification lands, a distinct set of obligations switches on under Section 10 and Rule 13: a Data Protection Officer based in India answerable to your board, an independent data auditor, periodic Data Protection Impact Assessments and audits, and due diligence that your algorithms do not put Data Principals' rights at risk.

So how do you plan for it

You cannot plan SDF readiness by watching a counter, because there is none. You plan it by your risk profile: how sensitive your data is, how much you hold, and what harm a failure would cause. If you process sensitive or population scale data, treat yourself as a candidate and build that governance before a notification arrives. It is not something you assemble in a week.

Two traps to close. Appointing a DPO voluntarily does not make you an SDF. Sitting under the Third Schedule threshold does not protect you from being designated one.

Before you file SDF status under "not us yet", ask a different question.

If the trigger is sensitivity and risk, not a number, would a regulator looking at our data today treat us as a candidate, and have we built any of the Section 10 governance?

Where should the SDF line sit, on volume alone or weighted toward sensitivity and potential harm, and how would you make the factors predictable enough to plan against?

#DPDP #DPDPAct2023 #DPDPRules2025 #DataProtection #PrivacyLaw #IndiaLegal #Compliance

Significant Data Fiduciary: not a size threshold you cross. An infographic showing that SDF status is conferred by Central Government notification on multiple factors (volume and sensitivity of data, risk to rights, sovereignty, security of the State, electoral democracy, public order), that it is different from the Third Schedule user thresholds (2 crore for e-commerce and social media, 50 lakh for online gaming) which govern retention, and the Section 10 and Rule 13 obligations that follow: a DPO in India, an independent auditor, periodic DPIAs, and algorithm due diligence.
SDF status is conferred, not calculated. Tap to enlarge.

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.