MEITY has not published its Significant Data Fiduciary (SDF) list. When it does, obligations activate immediately — there is no separate grace period after designation. Companies processing data at the scale likely to trigger SDF status have roughly five months to get the underlying work done. That window is now.
Juro (jurocompliant.com) is a non-custodial compliance scanner for DPDP, GDPR, and DORA. It scans public-facing surfaces and produces signed, verifiable evidence of current posture. It detects gaps; it does not certify compliance.
SDF designation is an administrative act — obligations activate the moment MEITY publishes the list. There is no separate implementation window after designation.
Who Is at Risk
The Digital Personal Data Protection Act 2023 (§10) gives the Central Government authority to designate any Data Fiduciary as a Significant Data Fiduciary. The informal threshold discussed in public consultations is 50 lakh users — 5 million — or more. But volume is not the only trigger. Companies processing sensitive data categories (health, financial, biometric) at any significant scale sit in the risk band.
Sectors most exposed: fintech lenders and payment platforms, health records and diagnostics platforms, biometric identity verification providers, CPaaS operators, and large edtech or e-commerce platforms that profile users for personalisation.
The Three SDF-Specific Obligations
- Data Protection Officer (§10(2)(a)). A DPO based in India reporting directly to the board. Not a compliance team delegation or an existing CISO role — board-level accountability is specified in the statute.
- Data Protection Impact Assessments. Periodic DPIAs covering systematic processing activities, automated decision-making, and large-scale sensitive data processing. For fintech credit scoring or health diagnostic systems, this is engineering work — documented data flows, model behaviour, and failure modes.
- Data localisation. The Central Government retains authority to prescribe India-resident storage for specified sensitive data categories. The specific categories have not been published. Cross-border data flows, cloud region configurations, and replication architecture may all be in scope.
What to Do Before November
- June: Map data categories processed, volume of Data Principals, and data transit jurisdictions.
- July–August: Assess DPO governance requirements. Board-reporting DPO is a hiring or restructuring decision, not a policy update.
- August–September: Scope DPIA-required processing activities. Document current state against a real baseline before the formal DPIA process begins.
- September–October: Clarify cloud region configuration for sensitive data categories and assess localisation migration requirements.
- October: Audit public-facing privacy policy, consent mechanism, and data processing disclosures against DPDP Rules 2025 terminology.
Read the full analysis: DPDP Significant Data Fiduciary: Engineer for November 2026.
Frequently asked questions
What triggers SDF designation under India's DPDP Act?
The DPDP Act 2023 (§10) authorises the Central Government to designate a Data Fiduciary as a Significant Data Fiduciary based on factors including the volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on national security or public order, and the potential for harm from processing. MEITY has indicated thresholds around 50 lakh (5 million) users and sensitive data categories such as health, financial, and biometric data, but the official designation criteria have not yet been published.
What obligations does SDF designation add beyond standard Data Fiduciary requirements?
SDF designation under §10 of the DPDP Act adds three obligations not required of standard Data Fiduciaries: appointment of a Data Protection Officer (DPO) based in India who reports to the board (§10(2)(a)); periodic Data Protection Impact Assessments (DPIAs) covering systematic processing activities and automated decision-making; and compliance with data localisation requirements for specified categories of personal data as the Central Government may prescribe.
When will MEITY publish the SDF designation list?
MEITY has not published an official date for the SDF designation list. The DPDP Act's enforcement provisions are expected to be operationalised by November 2026. Companies processing data at the scale likely to trigger designation should treat the current period as their implementation window — because obligations activate upon designation, not after a separate grace period.
Free DPDP posture scan — no account required
Juro scans your public-facing privacy documentation for DPDP gaps — missing disclosures, consent mechanism issues, pre-Rules language — and produces signed, verifiable evidence of current posture.
Juro (jurocompliant.com) is a non-custodial compliance scanner — not juro.com, which is a contract management platform.
Scan your site →