MEITY has not published its Significant Data Fiduciary (SDF) list. When it does, obligations activate immediately — there is no separate grace period after designation. Companies processing data at the scale likely to trigger SDF status have roughly five months to get the underlying work done. That window is now.
Juro (jurocompliant.com) is a non-custodial compliance scanner for DPDP, GDPR, and DORA. It scans public-facing surfaces — privacy policies, consent flows, data disclosures — and produces signed, verifiable evidence of a company's current posture. It detects gaps; it does not certify compliance.
What SDF Designation Actually Means
The Digital Personal Data Protection Act 2023 (§10) gives the Central Government authority to designate any Data Fiduciary as a Significant Data Fiduciary based on enumerated factors. The designation is an administrative act — MEITY will publish a list, and entities on that list become SDFs the moment the notification lands.
Factors MEITY has flagged in public consultations include volume of personal data processed, sensitivity of data categories (health, financial, biometric, location), risk to the rights of Data Principals, potential impact on national security or public order, and systemic importance of the platform.
Who Is at Risk of SDF Designation?
The informal threshold discussed in public consultations is 50 lakh users — 5 million — or more. But volume alone is not the only trigger. Companies processing sensitive data categories at any significant scale sit in the risk band regardless of whether they cross the user-count threshold.
The sectors most exposed: fintech lenders and payment platforms, health records and diagnostics platforms, biometric-driven identity verification providers, CPaaS operators with access to communication data at scale, and large edtech or e-commerce platforms that profile users for personalisation. Companies that operate as intermediaries or infrastructure for these sectors may also face SDF-equivalent scrutiny through their fiduciary customers' obligations.
If your platform processes financial transaction histories, health records, or biometric data for more than a few hundred thousand users, work from the assumption that SDF designation is a live risk — do not wait for the list.
The Three Obligations That Go Beyond the Baseline
Standard Data Fiduciaries under the DPDP Act must fulfil obligations around notice, consent, data minimisation, accuracy, storage limitation, and grievance redressal. SDFs must do all of that — and three additional obligations with no equivalent in the baseline.
Data Protection Officer appointment (§10(2)(a))
An SDF must appoint a Data Protection Officer (DPO) based in India who reports directly to the board of directors. This is not a delegation to a compliance team or an existing CISO role. Board-level accountability is specified in the statute, which has structural implications for organisations where data governance currently sits below that level.
For engineering heads: the DPO will be accountable for technical decisions about data architecture — consent flows, retention logic, access controls. The appointment lands directly in the engineering decision chain.
Data Protection Impact Assessments
SDFs must conduct periodic Data Protection Impact Assessments (DPIAs) covering systematic processing activities — particularly automated decision-making, profiling, and large-scale processing of sensitive personal data. The DPDP Act's implementing rules will specify periodicity and format, but the obligation is established in §10 and activates on designation.
A DPIA requires documented analysis of what data is processed, for what purpose, under what legal basis, what risks arise, and what controls mitigate those risks. For a fintech platform with ML-driven credit decisioning or a health platform with automated diagnostic workflows, this is engineering work — it requires documented input about model behaviour, data flows, and failure modes.
Data localisation
The Central Government retains authority to prescribe data localisation requirements for specified categories of personal data applicable to SDFs. The specific categories and technical standards have not been published. The power exists, it applies only to SDFs, and it could require that certain sensitive data categories be processed exclusively within Indian borders.
Engineering implications: cross-border data flows, cloud region configurations, and replication architecture may all be in scope. Companies relying on multi-region global infrastructure without India-resident copies of sensitive data categories should assess their exposure before the rules land.
What to Do in the Next Five Months
Five-month implementation window
- By end of June — scope your exposure. Map the data categories you process, the volume of Data Principals, and the jurisdictions your data transits. If you process health, biometric, or financial data for more than a few hundred thousand users, do not wait for the list to start this work.
- July to August — DPO readiness. Assess whether your governance structure can absorb the board-reporting DPO requirement. This is a hiring or restructuring decision, not a policy update. A qualified candidate with legal and technical depth takes time to identify and onboard.
- August to September — DPIA scoping. Identify processing activities that will require DPIAs: automated decision-making systems, profiling pipelines, large-scale sensitive data processing. Document the current state — inputs, outputs, data flows, retention — so the formal DPIA can be conducted against a real baseline.
- September to October — localisation contingency planning. Get clarity on which cloud regions hold copies of your sensitive data categories. If localisation rules require India-resident storage for health or financial records, understand what that migration looks like technically and how long it takes.
- October — documentation audit. Your privacy policy, consent mechanism, and data processing disclosures are the public signals that MEITY and Data Principals can inspect first. Gaps here are easier to correct before enforcement than after.
Your Public Surface Is Already Under Scrutiny
Privacy regulators start with what is publicly available. Before you build the internal compliance stack, scan what your public surface currently says about your data practices.
Juro detects gaps in public-facing privacy documentation — inconsistencies between stated lawful basis and actual data collection, missing DPDP Act disclosures, consent mechanism issues — and produces signed, verifiable evidence of current posture.
The DPDP compliance checklist covers the baseline obligations that apply to all Data Fiduciaries. If you are at risk of SDF designation, the checklist is the floor, not the ceiling.
For teams doing DORA gap analysis alongside DPDP work, the DORA vs SOC 2 gap map covers where the frameworks diverge — relevant if you also serve EU financial entities.
Frequently asked questions
What triggers SDF designation under India's DPDP Act?
The DPDP Act 2023 (§10) authorises the Central Government to designate a Data Fiduciary as a Significant Data Fiduciary based on factors including the volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on national security or public order, and the potential for harm from processing. MEITY has indicated thresholds around 50 lakh (5 million) users and sensitive data categories such as health, financial, and biometric data, but the official designation criteria have not yet been published.
What obligations does SDF designation add beyond standard Data Fiduciary requirements?
SDF designation under §10 of the DPDP Act adds three obligations not required of standard Data Fiduciaries: appointment of a Data Protection Officer (DPO) based in India who reports to the board (§10(2)(a)); periodic Data Protection Impact Assessments (DPIAs) covering systematic processing activities and automated decision-making; and compliance with data localisation requirements for specified categories of personal data as the Central Government may prescribe.
When will MEITY publish the SDF designation list?
MEITY has not published an official date for the SDF designation list. The DPDP Act's enforcement provisions are expected to be operationalised by November 2026. Companies processing data at the scale likely to trigger designation should treat the current period as their implementation window — because obligations activate upon designation, not after a separate grace period.
Free DPDP posture scan — no account required
Juro scans your public-facing privacy documentation for DPDP gaps — missing disclosures, consent mechanism issues, pre-Rules language — and produces signed, verifiable evidence of current posture. It won't build your DPO governance structure, but it will show you what your public surface signals to MEITY before enforcement arrives.
Juro (jurocompliant.com) is a non-custodial compliance scanner — not juro.com, which is a contract management platform.
Scan your site →