Introduction
The Indian Digital Personal Data Protection Act, 2023 (‘DPDP Act’ or ‘DPDPA’) has been enacted with a view to better protecting and managing the use of personal data in our increasingly digital world. This is in keeping with the wider global context: governments increasingly recognise the need for data protection, and citizens are more aware of its value. Over recent decades, many jurisdictions have passed data protection laws that seek to regulate and monitor the use of people’s personal data, with varying levels of success.
Amongst these, certain data protection regimes come with their own unique eccentricities, and the Indian one is no different. In an effort to provide practical support and guidance to businesses looking to navigate the requirements of the DPDP Act, this article singles out one specific eccentricity within the legislation: the matter of ‘Significant Data Fiduciaries’ (or ‘SDFs’).
It should be noted that the Indian regime currently exists in a bewildering purgatory where the regulatory framework exists but the infrastructure does not; a bit like enacting criminal laws without establishing a police force or a judiciary. Clarity will no doubt be forthcoming in the future and, if recent rumours are to be believed, maybe even before the end of this year. However, until further details emerge, organisations should act on two fronts:
What is a significant data fiduciary?
The concept of a data fiduciary is a well-established one and is like that of a ‘data controller’ as defined in Article 25 of the European GDPR. However, the concept of an SDF does not seem to have an analogous concept in other data protection regimes. The DPDP Act defines an SDF as “a Data Fiduciary or class of Data Fiduciaries” that “the central government may notify” as a Significant Data Fiduciary “on the basis of an assessment of such relevant factors as it may determine”. The relevant factors include the following:
In practice this means that the Central Government has the right to create a special class of data fiduciaries which will be subject to enhanced regulation due to the quantity or quality of the data they control.
The practice of dividing data fiduciaries into classes is new and untested. Such an approach is not without its merits. At first glance, it ensures that certain data fiduciaries will be subjected to enhanced regulatory requirements without burdening all data fiduciaries unnecessarily. It is worth stating, however, that the benefits of this are entirely dependent on how the Indian government decides to exercise its power to determine the enhanced responsibilities of an SDF.
If, for example, the government chooses to exercise this power by classifying SDFs into various classes based on the type and volume of data processed (and hence the level of risk), and stipulating the auditing and reporting processes needed as a result, there is the potential for the regime to be less cumbersome to enforce.
Should the government simply divide data fiduciaries into classes based on only a handful of factors (e.g. number of data principals), then we risk being left with a regulatory system that seeks to apply the same rules to every data fiduciary without considering the type of data they process.
Which sectors are most at risk of being impacted?
As it currently stands, the definition of what constitutes a significant data fiduciary is vague and leaves a lot of room for interpretation. While it can be assumed that some organisations such as global search engines, major banks, social media providers, etc. will be categorised as SDFs, it is not clear what this will be based on.
While it is highly probable that banks will be defined/classified as SDFs given that the data they process is large in volume, high in sensitivity, and in many cases vital to the security of the state, many unanswered questions remain. No clarification has been provided yet on whether all banks will be SDFs, or whether only certain banks will be categorised as SDFs, based on their net worth, value of data or number of customers.
There is an equal lack of clarity surrounding organisations that process ‘sensitive’ data. Consider, for a moment, a defence contractor that controls the data of armed forces personnel: it may not control a significant volume of data, but plainly that data is sensitive, meaning more rigorous controls need to be in place to ensure its safe stewardship. A similar ambiguity surrounds organisations that handle personal data an ordinary citizen would consider sensitive, such as health data. It is important to note that the rules are not yet clear for hospitals, or indeed for any business that operates across the health sector and handles sensitive data as a result.
What SDF responsibilities have been clarified to date?
What is emerging from the little information we can glean from the DPDP Act and from the draft Digital Personal Data Protection Rules, 2025 is that being designated as an SDF will have serious ramifications for an organisation, as it will come with a series of enhanced obligations.
Specifically, the rules require that an organisation designated as an SDF:
What should organisations do?
Whilst there is still a degree of uncertainty around the specifics, there are actions organisations should be taking now to prepare. This is especially relevant for those organisations that are, in all likelihood, going to be classified as an SDF.
It is therefore important to get ahead and start preparations sooner rather than later. There is every reason to believe that significantly greater scrutiny will be directed towards SDFs, and those best prepared will be better placed to respond.
Perhaps top of the to-do list is the requirement for SDFs to appoint a data protection officer to oversee how personal data is managed. An organisation can meet this challenge by hiring someone who understands data privacy laws and has expertise in managing data-related risks.
Importantly, there is also a requirement for SDFs to engage an independent auditor to review their compliance. The auditor must be a privacy specialist who is qualified to undertake such an in-depth review. By kick-starting the process now, organisations can make the most of the grace period, using this time to identify and appoint their preferred supplier, to secure an objective perspective on current privacy practices and to start addressing identified weaknesses.
The DPDPA focuses on the protection of personal data. Given the size and impact of SDFs, it is no surprise that the requirements these organisations will face will be more onerous. It is anticipated that these organisations will be under the spotlight once the data fiduciary classifications are clarified, and they are likely to be the first in the firing line for regulatory action. We believe privacy matters because people matter. Acting now will not only help organisations meet their statutory obligations but will also build trust in their brand.
If you would value understanding more about the requirements under the DPDPA and the obligations facing SDFs, please get in touch. We would be pleased to help.