A Significant Data Fiduciary (SDF) is a Data Fiduciary that India’s Central Government has designated for elevated obligations under the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025. It’s the term US SaaS founders will increasingly hear from Indian regulators in 2026.
Definition under the DPDP Act 2023
Under the DPDP Act, all entities deciding the purpose and means of processing personal data are Data Fiduciaries. The Act empowers the Central Government to designate some of them as Significant based on risk — triggering additional, stricter duties.
Designation criteria (as of mid-2026)
Designation is case-by-case, weighing the volume and sensitivity of personal data processed, the risk to data principals, and the impact on national security and public order. No fixed numeric threshold has been published; large-scale processors of sensitive data should assume candidacy.
The obligations of an SDF
SDFs must appoint an India-resident Data Protection Officer (DPO) accountable to the board, commission an annual independent data audit, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and make periodic disclosures to the Data Protection Board. Non-compliance penalties under the DPDPA reach ₹250 crore.
The India-resident DPO requirement
The DPO must be based in India, serve as the contact for data principals, and report to the board. For a US SaaS, this is a real hire or a contracted India-based privacy lead — not a US role with an India title.
Independent annual data audit
An independent auditor assesses the SDF’s compliance each year. Auditors with SDF experience are scarce in this early period, so scoping and booking ahead matter.
DPIA requirements
DPIAs are required for processing involving large-scale or sensitive data. See the DPIA template and walkthrough for how to run one.
Board-level accountability
The ₹250 crore penalty regime, plus DPO board reporting, pulls SDF compliance to the board level — a shift covered in the DPDPA cross-mapping playbook.