# What Is a Significant Data Fiduciary Under India's DPDP Rules? | Attri Edge

Home Articles What Is a Significant Data Fiduciary Under India's DPDP Rules? Vocabulary What Is a Significant Data Fiduciary Under India's DPDP Rules? Significant Data Fiduciary (SDF) is India's elevated designation under the DPDP Act. The criteria, the obligations and what US SaaS companies should expect. By Hemant Attri , Founder, Attri Edge · July 1, 2026 · Updated July 1, 2026 · 1 min read A Significant Data Fiduciary (SDF) is a Data Fiduciary that India’s Central Government has designated for elevated obligations under the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025. It’s the term US SaaS founders will increasingly hear from Indian regulators in 2026. Definition under the DPDP Act 2023 Under the DPDP Act, all entities deciding the purpose and means of processing personal data are Data Fiduciaries. The Act empowers the Central Government to designate some of them as Significant based on risk, triggering additional, stricter duties. Designation criteria (as of mid-2026) Designation is case-by-case, weighing the volume and sensitivity of personal data processed, the risk to data principals and the impact on national security and public order. No fixed numeric threshold has been published; large-scale processors of sensitive data should assume candidacy. The obligations of an SDF SDFs must appoint an India-resident DPO accountable to the board, commission an annual independent data audit, conduct Data Protection Impact Assessments for high-risk processing and make periodic disclosures to the Data Protection Board. Non-compliance penalties under DPDPA reach ₹250 crore. The India-resident DPO requirement The DPO must be based in India, serve as the contact for data principals and report to the board. For a US SaaS, this is a real hire or a contracted India-based privacy lead, not a US role with an India title. Independent annual data audit An independent auditor assesses the SDF’s compliance each year. Auditors with SDF experience are scarce in this early period, so scoping and booking ahead matters. DPIA requirements DPIAs are required for processing involving large-scale or sensitive data. See the DPIA template and walkthrough for how to run one. Board-level accountability The ₹250 crore penalty regime, plus DPO board reporting, pulls SDF compliance to the board level, a shift covered in the DPDPA cross-mapping playbook . Related reading: DPDPA Meets SOC 2: The Cross-Mapping Playbook The GCC Compliance Encyclopedia What Is the SARAL Approach to Privacy Notices? Frequently asked questions Who designates SDFs? The Central Government of India designates Data Fiduciaries as Significant on a case-by-case basis, based on factors set out in the DPDP Act and Rules. There is no automatic or self-applied designation. What's the volume threshold for designation? No fixed quantitative threshold has been published as of mid-2026. Designation considers the volume and sensitivity of data processed, risk to data principals and impact on national security and public order. Can we self-designate as SDF? No, designation is the government's call. But companies processing large volumes of Indian residents' data (especially fintech, healthtech, AI training) should prepare as if designation is likely. What's the DPO's reporting line? An SDF's Data Protection Officer must be India-resident and accountable to the board. The DPO is the contact point for data principals and the Data Protection Board, and is responsible for the SDF's compliance. What does an independent data audit cost? SDFs must undergo an annual independent data audit. Pricing isn't standardized yet and qualified auditors are scarce; budget for a dedicated annual engagement and book early. Talk to the operator This article is one slice of the work Attri Edge does for US SaaS companies with India GCCs. If your situation needs the full operational layer, start with a 90-minute diagnostic. Book your $999 diagnostic