Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Data Protection Officer and Significant Data Fiduciary Requirement.

  • All Blogs
  • Digital Personal Data Act, 2023
  • Data Protection Officer and Significant Data Fiduciary Requirement.
  • 17 July 2026 by
    Data Protection Officer and Significant Data Fiduciary Requirement.
    CKonnect

    A.      When a company become SDF, it mentioned under Section 10(1) of the DPDP Act, 2023 additional obligations of Significant Data Fiduciary.

    A company does not automatically become an SDF based on a simple number of users. Instead, the Central Government will notify specific companies or classes of companies as SDFs based on an assessment of:

    • Volume and sensitivity of personal data processed.
    • Risk to the rights of Data Principals.
    • Potential impact on the sovereignty and integrity of India.
    • Risk to electoral democracy.
    • Security of the State and public order.

    B.       Obligation imposes on SDFs, under section 10(2) of the DPDP Act and Rule 13 of the DPDP Rules, 2025.

    Once notified as an SDF, your organization must fulfil these specific "Additional Obligations"

     

    1.       Appoint a Data Protection Officer (DPO): A specific individual to handle compliance and grievances.

    2.       Appoint an Independent Data Auditor: To evaluate compliance.

    3.       Conduct Periodic DPIA: Undertake a Data Protection Impact Assessment.

    4.       Conduct Periodic Audits: Perform regular audits.

    5.       Algorithmic Due Diligence: Verify that your software/algorithms do not pose a risk to user rights.

    6.       Data Localization (Conditional): If the government specifies certain data, you must ensure that data (and its traffic logs) stays in India.

     

    C.       The Data Protection Officer (DPO): Section 10(2)(a) of the Act

    Who Can Be Appointed- The following are some details regarding DPO.

    The DPO must be based in India.

    Role: They must be an employee or individual capable of representing the SDF.

    Reporting: They must be "responsible to the Board of Directors or similar governing body".

    Qualifications- The Act does not list specific degrees

    Responsibilities- Act as the primary representative of the SDF for all provisions of the Act.

    Point of Contact: Serve as the contact point for the Data Protection Board and for Data Principals regarding grievances.

    Grievance Redressal: They are accountable for the grievance redressal mechanism.

     

    D.      Reporting Structure & Documentation

    Reporting hierarchy -The DPO cannot report to middle management. They must have a direct line to the Board of Directors or the highest governing body.

    Documentation Requirements:

    DPIA Reports: Rule 13(2) Must be documented and findings reported to the Board.

    Audit Reports: Findings must be furnished to the Board.

    Algorithmic Verification Logs: Proof that you exercised "due diligence" on your software algorithms.

    Contact Info: The DPO’s business contact information must be prominently published.

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Data Protection Board of India
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies