India’s Digital Personal Data Protection Act: Significant Data Fiduciary Designation in Practice

On November 13, 2025, India’s Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025, finally operationalising the Digital Personal Data Protection Act, 2023 after more than two years of consultation. The notification triggered an 18-month phased compliance window that closes on May 13, 2027 — and within that framework sits one of the most consequential design choices in Indian privacy law: the Significant Data Fiduciary designation under Section 10, with operational obligations now spelled out in Rule 13 of the 2025 Rules.

The SDF tier is India’s answer to a problem the GDPR sidestepped. Rather than scaling controller obligations only by the riskiness of a specific processing activity, the DPDP Act lets the Central Government designate an entire entity — or a class of entities — as systemically significant, then layers on enhanced obligations that operate continuously across everything that entity does. This article walks through how the designation works, what SDFs actually owe under the now-notified Rules, where the framework departs from GDPR-shaped expectations, and what compliance teams should be building before May 2027.

What Section 10 Actually Says

Section 10 of the DPDP Act gives the Central Government discretionary power to notify any Data Fiduciary, or class of Data Fiduciaries, as an SDF. The triggering criteria are open-textured and explicitly non-quantitative: volume and sensitivity of personal data processed, risk to the rights of Data Principals, risk to the sovereignty and integrity of India, security of the State, electoral democracy, public order, and any other factor the government considers relevant.

That last clause matters. There is no user-count threshold, no revenue floor, and no published rubric. A medium-sized genetic testing startup processing genomic data could plausibly be designated; a large logistics business processing far more records but lower-sensitivity data might not. The designation is anticipatory and discretionary by design — closer to the systemically important financial institution model than to GDPR’s Article 35 risk-based DPIA trigger.

Once notified, an SDF inherits three baseline statutory obligations under Section 10(2): appoint a Data Protection Officer based in India who reports to the board of directors or equivalent governing body, appoint an independent data auditor to evaluate compliance, and undertake periodic Data Protection Impact Assessments. Rule 13 of the 2025 Rules then sharpens these into specific operational requirements.

Section 10 — Designation Criteria: What the Government Weighs Before Notifying an SDF

- Volume: scale of personal data processed. No published numeric threshold.
- Sensitivity: health, financial, biometric, genetic and identity data weigh heavily.
- Sovereignty: risk to the integrity of India and the security of the State.
- Electoral risk: impact on democratic processes, including amplification mechanics.
- Public order: potential for misuse to disrupt order or harm Data Principals at scale.
- Residual: any other factor the Central Government considers relevant.

No quantitative thresholds are published. Designation is discretionary, anticipatory, and may apply to a single Data Fiduciary or an entire class.

Who Is Likely to Be Notified

As of writing, no formal SDF list has been published. Practitioner consensus across firms tracking the rollout — including Bird & Bird, Latham & Watkins, Hogan Lovells and EY India — converges on a predictable set of candidates. Large social media and user-generated content platforms sit at the top of the list, given their behavioural data volumes, exposure to minors’ data, and algorithmic amplification risks. Fintech and payments players integrated with national digital public infrastructure such as UPI, the Account Aggregator framework, and Aadhaar are immediate candidates because of data sensitivity and systemic importance. Large healthcare and health-tech platforms, telecom operators, e-commerce marketplaces with substantial user bases, and the major cloud and IT services firms operating consumer-facing products round out the expected first wave.

What this list reveals is that SDF status is not just a “big tech” tag. Sectoral regulators — RBI for banking, IRDAI for insurance, SEBI for capital markets — already impose their own data handling rules, and SDF designation will overlay rather than replace those obligations. A bank already complying with RBI’s storage of payment system data circular will still need a DPDP-compliant DPO, an independent DPDP auditor, and an annual DPDP DPIA on top of its existing audit calendar.

Rule 13 Obligations: What Compliance Actually Looks Like

Rule 13 of the DPDP Rules, 2025 — notified under G.S.R. 846(E) on November 13, 2025 — is where the abstract Section 10 obligations become operational. Five distinct duty streams sit inside it.

Annual DPIA and audit. Every SDF must, once every twelve months from the date of notification, undertake a Data Protection Impact Assessment and an audit covering the Act and Rules. The DPIA examines what personal data is processed, why, what risks the processing creates for Data Principals, and how those risks are mitigated. The audit is an external evaluation of compliance.

Reporting to the Data Protection Board. The person carrying out the DPIA and audit must furnish the Data Protection Board of India with a report containing significant observations. This is a new pattern — most privacy regulators ask controllers to retain DPIAs internally and produce them on request. The DPDP design forces affirmative, periodic submission of audit findings to the regulator. Internal-only DPIAs of the GDPR variety will not satisfy the obligation.

Algorithmic due diligence. Rule 13(3) requires SDFs to verify that technical measures, including algorithmic software used for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing personal data, are not likely to pose a risk to the rights of Data Principals. This is one of the most expansive algorithmic accountability mandates in any current data protection regime — broader than the GDPR’s Article 22 automated decision-making provisions, and more enforceable than most AI-specific frameworks because it sits inside an active data protection statute with its own penalty schedule.

Conditional data localisation. Rule 13(4) requires SDFs to ensure that categories of personal data specified by the Central Government, on the recommendation of a committee constituted for the purpose, are processed subject to the restriction that the personal data, together with the traffic data pertaining to its flow, is not transferred outside India. This is selective, not blanket: the DPDP Act’s baseline under Section 16 is permissive transfer subject only to a country-level negative list. Rule 13(4) sits on top of that, targeting specific data categories at SDF level. The inclusion of “traffic data” — metadata about the flows themselves, not just the underlying personal data — is a notable expansion that has drawn critique from policy researchers including the team at the Vidhi Centre for Legal Policy.

DPO appointment. Section 10(2)(a) requires the DPO to be based in India and represent the SDF for DPDP purposes. Rule 13 reinforces the DPO’s role as the contact point for the grievance redressal mechanism every Data Fiduciary must operate under Rule 14. The DPO must be answerable to the board of directors or equivalent governing body — meaning the role cannot be buried inside legal or IT and must have direct senior-management line of sight.

Rule 13 — Reference: SDF Obligation Map

Each obligation maps to a specific provision and produces a deliverable. Failures roll up into the DPDP penalty schedule.

Provision     | Obligation                                    | Frequency / Trigger             | Deliverable
Rule 13(1)    | DPIA + audit                                  | Annual, from notification date  | Internal records
Rule 13(2)    | Report significant observations               | After each DPIA / audit cycle   | Submission to DPBI
Rule 13(3)    | Algorithmic risk verification                 | Continuous                      | Risk attestations, model docs
Rule 13(4)    | Localisation of specified data + traffic data | On Central Govt notification    | Architectural ringfencing in India
Sec 10(2)(a)  | Appoint India-based DPO                       | On designation                  | Board-reporting role
Sec 10(2)(b)  | Independent data auditor                      | Periodic                        | External assurance

How the SDF Tier Departs from GDPR

Compliance teams working from a GDPR baseline often assume the SDF designation is roughly equivalent to being a controller subject to mandatory DPIAs under Article 35. That assumption underestimates how different the regimes are.

The GDPR scales obligations to processing activities. A controller designates a DPO, conducts DPIAs for high-risk processing, and consults the supervisory authority where residual risk remains. The DPDP Act scales obligations to the entity. Once notified as an SDF, every processing activity that entity conducts is covered by the annual DPIA and audit cycle. There is no carve-out for low-risk processing within an SDF’s operations.

The GDPR’s audit posture is essentially internal. Records of processing, DPIAs, and Article 30 documentation are produced on demand. The DPDP design is externalised: independent auditor, mandatory reporting of significant observations to the Data Protection Board, and a digital-by-default Board with an online complaints portal that prioritises documented evidence over interview-driven inquiry. Rule 19(9) sets a maximum inquiry period of six months from the date of complaint receipt, extensible by three-month increments only with written justification — meaning SDFs need their evidence files in order before an inquiry begins, not after.

Algorithmic accountability is where the divergence is sharpest. GDPR Article 22 only addresses solely automated decisions producing legal or similarly significant effects. Rule 13(3) sweeps in any algorithmic software touching hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing personal data — recommendation systems, content ranking, ad targeting, fraud scoring, and routine ML pipelines all fall inside scope.

And on cross-border transfer, the GDPR’s adequacy-and-SCC architecture is replaced by a sovereign discretion model. Section 16 of the DPDP Act permits transfers except to countries on a forthcoming negative list. Rule 13(4) layers a category-specific lockdown on top of that, targeted at SDFs and including traffic metadata.

Penalty Exposure and the Phased Timeline

The DPDP penalty schedule attaches to the Act’s substantive duties, and SDFs absorb every category of exposure plus one that is theirs alone. The headline penalties under the Schedule to the Act: up to ₹250 crore for failure to maintain reasonable security safeguards under Section 8, up to ₹200 crore for failure to notify the Data Protection Board and affected Data Principals of a personal data breach, up to ₹200 crore for breaches of children’s data obligations under Section 9, up to ₹150 crore for breach of the additional obligations of a Significant Data Fiduciary under Section 10, and up to ₹50 crore for any other violation of the Act or Rules. Penalties are assessed per contravention, so cumulative exposure across multiple failures can exceed the highest individual cap.

The phased timeline matters for sequencing compliance work. Phase I provisions, including those establishing the Data Protection Board, took effect on November 13, 2025. Phase II, which opens consent manager registration with the Board, takes effect November 13, 2026. Phase III — including Rules 3, 5 to 16, 22 and 23, which contain the substantive consent, notice, breach, security, and SDF obligations — comes into force on May 13, 2027.

That gives organisations, at the time of writing, an operational window of just over a year to stand up the governance, tooling, and vendor architecture needed to satisfy Rule 13 on day one of enforcement. Practitioners writing in the IAPP and at firms including KPMG India and EY have been consistent: organisations that wait for a formal SDF notification to begin building will find themselves significantly behind, because the DPO-plus-auditor-plus-DPIA cycle takes months to mature even before factoring in algorithmic verification.

Pitfalls and Open Questions

The Rule 13 framework has real ambiguities, and pretending otherwise sets compliance teams up to fail.

No published criteria for designation. Practitioners cannot give a clean “are we an SDF” answer because the government has reserved that determination for itself. Risk-based scenario planning — assume designation, build to it — is the only defensible posture for any organisation processing personal data at scale.

“Traffic data” is undefined. Rule 13(4) restricts cross-border transfer of specified personal data and the traffic data pertaining to its flow, but the Act and Rules do not define traffic data. Whether this includes routing metadata, network telemetry, application logs, or only narrower flow records is unsettled. The Vidhi Centre for Legal Policy and other commentators have flagged this as a major source of uncertainty for organisations relying on global cloud and CDN infrastructure.

Algorithmic verification has no methodology. Rule 13(3) requires SDFs to verify that algorithmic software is “not likely to pose a risk” to Data Principal rights. There is no specified standard, no reference framework, and no guidance on auditor competency. ISO 42001, NIST AI RMF, or in-house red-teaming may all become acceptable evidence — or none of them.

Auditor independence is undefined. The Rules do not specify auditor accreditation, conflict-of-interest rules, or whether group-affiliated auditors are acceptable. The Big Four can clearly do the work; whether they can do it for clients to whom they also provide consulting is unclear.

Sectoral overlap. RBI, IRDAI and SEBI rules will continue to apply alongside the DPDP Act, which Section 38 frames as being in addition to, and not in derogation of, other law. Where the regimes simply stack — for example, RBI’s payment data localisation circular, which is stricter for some data than Rule 13(4) would impose — an organisation has to satisfy both, so the stricter standard governs in practice. Where a genuine conflict arises, Section 38 gives the DPDP Act primacy to the extent of the conflict, but resolving operational tensions will still require legal opinion case by case.

Phased Compliance — Key Dates: DPDP Implementation Timeline

13 Nov 2025, Phase I (DPDP Rules notified): Rules notified under G.S.R. 846(E). Provisions establishing the Data Protection Board take effect. SDF obligations under Rule 13 are not yet enforceable.

13 Nov 2026, Phase II (Consent Manager registration opens): Consent Managers begin registering with the DPBI under Rule 4. Fiduciaries can begin onboarding consent infrastructure.

13 May 2027, Phase III (substantive obligations enforceable): Rules 3, 5–16, 22 and 23 take effect. SDF Rule 13 obligations enforceable. Penalty schedule fully active. IT Act 2011 Privacy Rules repealed.

Frequently Asked Questions

Does the SDF designation apply to processors or only to fiduciaries? Section 10 applies only to Data Fiduciaries — the equivalent of GDPR controllers. Data processors are not directly designated, though SDF clients will flow obligations down to them contractually, as Section 8(2) requires a valid contract for any processing by a Data Processor and Rule 6 requires that contract to carry the security safeguard obligations.

Can a foreign company be designated an SDF? Yes. The DPDP Act has extraterritorial reach under Section 3, applying to processing of personal data outside India where it relates to offering goods or services to Data Principals in India. A non-Indian entity meeting the Section 10 criteria can be notified, and its DPO must be based in India.

Is one DPO enough, or does each SDF subsidiary need its own? Rule 13 does not address group structures. Practitioner reading is that each notified entity needs its own DPO answerable to its board, though shared services models may be viable if reporting lines remain entity-specific.

What happens if an organisation is notified mid-year? Rule 13(1) anchors the annual DPIA and audit cycle to the date of notification, not to the calendar or fiscal year — so the first DPIA must be completed within twelve months of the notification date.

What to Build Now

Three steps separate organisations that will absorb SDF designation cleanly from those that will not. First, build the DPIA-and-audit muscle now, even before notification — running an internal DPIA against Rule 13’s contours surfaces the gaps that will otherwise emerge under regulatory scrutiny. Second, identify a board-credible candidate for the India-based DPO role; the seniority requirement under Section 10(2)(a) makes this a recruitment decision that takes quarters, not weeks. Third, map cross-border data flows by category, not just by destination, because Rule 13(4) will operate on what data is being moved, not only where it is going.

The SDF tier is the most demanding part of India’s new privacy regime, and it is also the part most likely to set the tone for global expectations of algorithmic accountability and continuous external audit. Organisations that treat May 13, 2027 as a soft deadline are misreading the architecture. The Data Protection Board has been live since November 2025; the inquiry machinery is digital-by-default; and the penalty schedule is large enough to matter to even the largest balance sheets. Build for designation, not against it.
