DPDPA Section 10: Significant Data Fiduciaries
DPDPA Section 10 explained: how the Government designates Significant Data Fiduciaries, and the extra duties they carry: a DPO in India, an independent data auditor, and periodic DPIAs and audits.
Who is a Significant Data Fiduciary
The Government may designate a Significant Data Fiduciary (SDF) based on the volume and sensitivity of personal data processed, the risk to data principals' rights, potential effects on the sovereignty and integrity of India, risk to electoral democracy, and security of the State and public order.
Large platforms, big consumer financial and health players, and high-volume data businesses should plan on the possibility of being designated, even if they are not today.
Additional obligations
An SDF must appoint a Data Protection Officer based in India who represents the fiduciary and is answerable to its board or governing body, and appoint an independent data auditor to evaluate compliance.
It must also undertake periodic Data Protection Impact Assessments and periodic audits, and observe any additional measures the Rules prescribe, such as limits on certain data transfers.
What to prepare
Even before designation, mature programs benefit from a named DPO, documented DPIAs for high-risk processing, audit-ready evidence and a clear record of processing. ConsentX provides the consent-side evidence (verifiable receipts and reports) that an audit or DPIA will ask for.
This page is a plain-English summary of the Digital Personal Data Protection Act, 2023 for general information and is not legal advice. Confirm your obligations with qualified counsel.
DPDPA Section 10 questions
Who decides if a company is a Significant Data Fiduciary?
The Central Government, based on factors like volume and sensitivity of data and risk to data principals, sovereignty, electoral democracy and public order.
What extra duties does an SDF have?
A DPO based in India answerable to the board, an independent data auditor, and periodic Data Protection Impact Assessments and audits, plus any additional Rules-based measures.