A. When a company become SDF, it mentioned under Section 10(1) of the DPDP Act, 2023 additional obligations of Significant Data Fiduciary.
A company does not automatically become an SDF based on a simple number of users. Instead, the Central Government will notify specific companies or classes of companies as SDFs based on an assessment of:
- Volume and sensitivity of personal data processed.
- Risk to the rights of Data Principals.
- Potential impact on the sovereignty and integrity of India.
- Risk to electoral democracy.
- Security of the State and public order.
B. Obligation imposes on SDFs, under section 10(2) of the DPDP Act and Rule 13 of the DPDP Rules, 2025.
Once notified as an SDF, your organization must fulfil these specific "Additional Obligations"
1. Appoint a Data Protection Officer (DPO): A specific individual to handle compliance and grievances.
2. Appoint an Independent Data Auditor: To evaluate compliance.
3. Conduct Periodic DPIA: Undertake a Data Protection Impact Assessment.
4. Conduct Periodic Audits: Perform regular audits.
5. Algorithmic Due Diligence: Verify that your software/algorithms do not pose a risk to user rights.
6. Data Localization (Conditional): If the government specifies certain data, you must ensure that data (and its traffic logs) stays in India.
C. The Data Protection Officer (DPO): Section 10(2)(a) of the Act
Who Can Be Appointed- The following are some details regarding DPO.
The DPO must be based in India.
Role: They must be an employee or individual capable of representing the SDF.
Reporting: They must be "responsible to the Board of Directors or similar governing body".
Qualifications- The Act does not list specific degrees
Responsibilities- Act as the primary representative of the SDF for all provisions of the Act.
Point of Contact: Serve as the contact point for the Data Protection Board and for Data Principals regarding grievances.
Grievance Redressal: They are accountable for the grievance redressal mechanism.
D. Reporting Structure & Documentation
Reporting hierarchy -The DPO cannot report to middle management. They must have a direct line to the Board of Directors or the highest governing body.
Documentation Requirements:
DPIA Reports: Rule 13(2) Must be documented and findings reported to the Board.
Audit Reports: Findings must be furnished to the Board.
Algorithmic Verification Logs: Proof that you exercised "due diligence" on your software algorithms.
Contact Info: The DPO’s business contact information must be prominently published.