Significant Data Fiduciary Under DPDP: Obligations and Impact (2026)

There is a tier of DPDP compliance where the standard obligation set is not enough. For organizations designated as Significant Data Fiduciaries (SDFs) under Section 10 of the DPDP Act, the rules are different — harder, more specific, and enforced with a separate penalty tier of up to ₹150 crore on top of the standard schedule.

Most large Indian enterprises in BFSI, healthtech, and e-commerce are plausible candidates for SDF designation. Few of them have assessed what that designation would technically demand from their Databricks estate.

This guide closes that gap.

What you will master in this guide:

  • The Section 10(1) factors that can trigger SDF designation
  • The 5 additional obligations SDFs must fulfill beyond the standard tier
  • The specific Databricks configuration changes each SDF obligation requires
  • The penalty structure that applies exclusively to SDF violations

For the full DPDP compliance architecture, return to the DPDP readiness on Databricks: complete guide 2026.

What Is a Significant Data Fiduciary Under DPDP — and How Is It Designated?

A Significant Data Fiduciary (SDF) is a Data Fiduciary, or class of Data Fiduciaries, notified as such by the Central Government under Section 10(1) of the DPDP Act, 2023. The additional obligations that come with the designation are set out in Section 10(2) of the Act and Rule 13 of the DPDP Rules, 2025.

Designation follows the Central Government's assessment of the factors listed in Section 10(1). Any one factor is sufficient; organizations do not need to meet all of them. The five that matter most for a data estate are below (the statute also names security of the State, public order, and any other factor the government considers relevant):

  • Volume of personal data processed — no specific threshold has been published, but large consumer platforms processing millions of Indian users are the primary target → BFSI, e-commerce, and telecom enterprises with 10M+ users are at elevated designation risk
  • Sensitivity of personal data — organizations processing financial, health, or children’s data are at elevated risk → A healthtech processing 1 million patient records faces the same designation pressure as a platform 10x its size
  • Potential risk to rights of data principals — processing that enables discrimination, identity theft, or financial harm at scale → Credit scoring, insurance underwriting, and behavioral ad targeting models qualify
  • Potential impact on sovereignty and integrity of India — cross-border data flows involving sensitive national datasets → Organizations transferring large-scale Indian datasets to foreign jurisdictions should expect this factor to be weighed
  • Risk to electoral democracy — organizations with access to voter-linked data or political behavioral profiles → Social platforms and political analytics firms face heightened scrutiny under this criterion

SDF designation is not a question of “if” for large Indian enterprises — it is a question of “when.”

What Are the 5 Additional Obligations for Significant Data Fiduciaries?

SDFs must fulfill all standard Data Fiduciary obligations plus 5 additional requirements specific to their designation:

1. India-Resident Data Protection Officer (DPO) Section 10(2) requires the DPO to be based in India, to represent the SDF under the Act, to be the person responsible to the Board of Directors or equivalent governing body, and to be the point of contact for grievance redressal by data principals. The Act does not spell out the DPO's internal authority, but the role cannot be a part-time add-on to the CISO's job: a DPO who lacks authority over data processing decisions, including the ability to halt non-compliant processing, cannot answer to the board for compliance.

On Databricks: the DPO must have query access to Unity Catalog audit logs, the consent store, rights request logs, and erasure certificates — without depending on engineering tickets. A DPO who cannot independently verify compliance cannot fulfill their SDF obligation.

2. Annual Data Protection Impact Assessment (DPIA) Section 10(2) requires periodic DPIAs; Rule 13 fixes the period at once every twelve months and requires significant observations to be reported to the Data Protection Board of India (DPBI). The DPIA must cover all significant processing activities, identify risks to data principals' rights, and document the controls in place, for existing and new processing alike.

On Databricks: the DPIA requires a complete inventory of all tables containing personal data, the processing pipelines that access them, and the consent records linked to each. Sinki.ai’s Audit Gap Finder provides this inventory automatically — running PII classification across 30+ sources within your Unity Catalog without moving data outside your workspace.

3. Annual Independent Data Audit Section 10(2) also requires the SDF to appoint an independent data auditor to evaluate its compliance, covering processing activities, consent architecture, rights fulfillment records, and security controls, on the same twelve-month cycle. Significant observations from the audit are reported to the DPBI.

On Databricks: the audit requires exportable, immutable evidence of every compliance-relevant event — consent capture, rights fulfillment, erasure completion, breach detection and notification. Passive audit logs are not sufficient. The estate must generate audit-ready reports on demand.

4. Data Localization (If Notified) The Central Government may notify specific categories of personal data that SDFs must store and process within India. No such notification has been issued as of May 2026, but the architecture for data localization — India-region Databricks workspace deployment, restricted data egress controls — must be ready to activate on short notice.

5. Algorithmic Accountability Rule 13 requires SDFs to exercise due diligence to verify that the algorithmic software they deploy, including ML models, recommendation engines, and fraud detection systems, is not likely to pose a risk to data principals' rights. The Act does not create a standalone right to an explanation, but documenting the decision logic, assessing its impact on data principals, and being able to explain an individual decision on request is the practical way to demonstrate that diligence.

On Databricks: this requires MLflow model documentation, lineage tracking between training data and model outputs, and a process for explaining individual predictions in response to data principal requests.
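The "process for explaining individual predictions" is the part most estates lack. The Python below is an added example, not code from this article, from Databricks or from MLflow: it shows what a per-decision explanation record can contain when the model is a simple logistic scorer, whose logit is a sum of per-feature terms and can therefore be explained exactly. The model name and version, the coefficients, the decline threshold, and the applicant values are all constructed; a production estate would load the model from its registry and store the record next to the training-data lineage the paragraph above describes.

```python
"""Decision explanation record for an automated decision (added example).

A linear (logistic) model is used because its logit is a sum of per-feature
terms, so each feature's contribution to a decision can be reported exactly.
Model name, version, coefficients and applicant values are all constructed.
"""
import hashlib
import json
import math
from typing import Any, Dict, List, Tuple

MODEL_NAME = "credit_risk_scorer"   # hypothetical registry name
MODEL_VERSION = "3"                 # hypothetical registry version
INTERCEPT = -1.0
COEFFICIENTS: Dict[str, float] = {  # hypothetical; positive = raises risk score
    "missed_payments_12m": 0.9,
    "utilization_ratio": 1.5,
    "account_age_years": -0.15,
}
DECLINE_THRESHOLD = 0.5


def logit(features: Dict[str, float]) -> float:
    return INTERCEPT + sum(coef * features[name] for name, coef in COEFFICIENTS.items())


def risk_probability(features: Dict[str, float]) -> float:
    return 1.0 / (1.0 + math.exp(-logit(features)))


def contributions(features: Dict[str, float]) -> List[Tuple[str, float]]:
    """Each feature's additive contribution to the logit, largest absolute effect first."""
    terms = [(name, coef * features[name]) for name, coef in COEFFICIENTS.items()]
    return sorted(terms, key=lambda t: abs(t[1]), reverse=True)


def flip_value(features: Dict[str, float], feature: str) -> float:
    """Value of one feature (others fixed) at which the score sits exactly on the threshold.

    This is the counterfactual a data principal can act on: 'had X been on the
    other side of this value, the outcome would have differed'.
    """
    target_logit = math.log(DECLINE_THRESHOLD / (1.0 - DECLINE_THRESHOLD))
    others = sum(coef * features[n] for n, coef in COEFFICIENTS.items() if n != feature)
    return (target_logit - INTERCEPT - others) / COEFFICIENTS[feature]


def decision_record(request_id: str, features: Dict[str, float]) -> Dict[str, Any]:
    """Audit record stored per decision; the inputs are hashed, not copied, into it."""
    p = risk_probability(features)
    ranked = contributions(features)
    top_feature = ranked[0][0]
    canonical_inputs = json.dumps(features, sort_keys=True, separators=(",", ":")).encode()
    return {
        "request_id": request_id,
        "model": {"name": MODEL_NAME, "version": MODEL_VERSION},
        "input_sha256": hashlib.sha256(canonical_inputs).hexdigest(),
        "risk_probability": round(p, 4),
        "threshold": DECLINE_THRESHOLD,
        "decision": "decline" if p >= DECLINE_THRESHOLD else "approve",
        "factors": [
            {
                "feature": n,
                "contribution": round(c, 4),
                "effect": "raises_risk" if c > 0 else ("lowers_risk" if c < 0 else "neutral"),
            }
            for n, c in ranked
        ],
        "counterfactual": {
            "feature": top_feature,
            "value_at_threshold": round(flip_value(features, top_feature), 4),
        },
    }


def plain_language(record: Dict[str, Any]) -> str:
    """Text the DPO can return to a data principal who asks why they were declined or approved."""
    top = record["factors"][0]
    cf = record["counterfactual"]
    return (
        f"Decision: {record['decision']} (risk score {record['risk_probability']}, "
        f"threshold {record['threshold']}). The largest factor was '{top['feature']}', "
        f"which {top['effect'].replace('_', ' ')}. With every other input unchanged, the "
        f"outcome changes once '{cf['feature']}' crosses {cf['value_at_threshold']}."
    )


if __name__ == "__main__":
    applicant = {"missed_payments_12m": 2, "utilization_ratio": 0.8, "account_age_years": 3}  # constructed
    rec = decision_record("REQ-42", applicant)
    print(json.dumps(rec, indent=2))
    print(plain_language(rec))
```

Two design choices are worth noting. The record stores a hash of the inputs rather than the inputs themselves, so the decision store proves which values were scored without becoming another copy of personal data that erasure requests must reach. And the counterfactual is computed against the same model that made the decision, so the explanation cannot drift from the logic it describes. For non-linear models the exact per-feature decomposition shown here is not available and a model-agnostic attribution method has to stand in for `contributions`, which is outside this example.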

Significant Data Fiduciary Obligations and Databricks Configuration Requirements

SDF obligation | Standard Databricks | SDF-compliant Databricks configuration
India-resident DPO | No specific configuration | DPO dashboard with direct Unity Catalog audit query access; self-service rights request verification
Annual DPIA | No specific configuration | Automated PII inventory from Audit Gap Finder; processing activity register in Unity Catalog
Independent data audit | Passive audit log storage | Exportable immutable audit trail; compliance report generation on demand
Data localization | No specific configuration | India-region workspace deployment; data egress restrictions in Unity Catalog
Algorithmic accountability | Standard MLflow logging | Extended MLflow documentation; decision explanation pipeline; training data lineage
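Two rows of the table, the DPO's self-service verification and the exportable immutable audit trail, share one underlying need: evidence that the DPO or the independent auditor can check without trusting the team that produced it. As an added example (not code from this article, from Sinki.ai or from Databricks), the Python below hash-chains compliance events so that an exported file can be verified offline; editing, inserting or removing any record breaks the chain at that record. It also answers one DPO question directly from the export, namely which erasure requests are still open. All events, table names and request identifiers are constructed.

```python
"""Hash-chained compliance evidence log (added example, not Sinki.ai or Databricks code).

Each appended record stores the SHA-256 of the previous record, so an exported
file can be verified offline by an auditor: editing, inserting or dropping any
record breaks the chain at that point. All events below are constructed.
"""
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS_HASH = "0" * 64


def canonical(obj: Dict[str, Any]) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_hash(seq: int, prev_hash: str, event: Dict[str, Any]) -> str:
    return hashlib.sha256(canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


class EvidenceLog:
    """Append-only list of compliance events with a per-record hash chain."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        seq = len(self.records)
        prev = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        rec = {"seq": seq, "prev_hash": prev, "event": event,
               "record_hash": record_hash(seq, prev, event)}
        self.records.append(rec)
        return rec

    def export(self) -> str:
        """Newline-delimited JSON, the form handed to the independent auditor."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_chain(exported: str) -> Tuple[bool, int]:
    """Return (True, -1) if the export is intact, else (False, index of first bad record)."""
    prev = GENESIS_HASH
    for i, line in enumerate(exported.splitlines()):
        rec = json.loads(line)
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False, i  # a record was removed, reordered or inserted
        if record_hash(rec["seq"], rec["prev_hash"], rec["event"]) != rec["record_hash"]:
            return False, i  # record content was edited after the fact
        prev = rec["record_hash"]
    return True, -1


def outstanding_erasures(exported: str) -> List[str]:
    """Requests with an 'erasure_requested' event but no 'erasure_completed' yet.

    The kind of self-service check a DPO needs without raising an engineering ticket.
    """
    requested, completed = set(), set()
    for line in exported.splitlines():
        ev = json.loads(line)["event"]
        if ev["type"] == "erasure_requested":
            requested.add(ev["request_id"])
        elif ev["type"] == "erasure_completed":
            completed.add(ev["request_id"])
    return sorted(requested - completed)


def build_sample_export() -> str:
    """Constructed events; table and request identifiers are hypothetical."""
    log = EvidenceLog()
    log.append({"type": "consent_captured", "principal": "p-1001", "purpose": "credit_scoring",
                "at": "2026-05-02T09:14:00Z"})
    log.append({"type": "erasure_requested", "request_id": "ER-7", "principal": "p-1001",
                "at": "2026-05-10T11:02:00Z"})
    log.append({"type": "erasure_completed", "request_id": "ER-7", "table": "prod.customer.profile",
                "rows_deleted": 1, "at": "2026-05-12T08:30:00Z"})
    log.append({"type": "erasure_requested", "request_id": "ER-8", "principal": "p-2040",
                "at": "2026-05-13T16:45:00Z"})
    return log.export()


def edit_record(exported: str, index: int, **changes: Any) -> str:
    """Simulate tampering: change a stored event without recomputing its hash."""
    lines = exported.splitlines()
    rec = json.loads(lines[index])
    rec["event"].update(changes)
    lines[index] = json.dumps(rec, sort_keys=True)
    return "\n".join(lines)


def drop_record(exported: str, index: int) -> str:
    """Simulate tampering: silently delete one record from the export."""
    lines = exported.splitlines()
    del lines[index]
    return "\n".join(lines)


if __name__ == "__main__":
    export = build_sample_export()
    print("intact:", verify_chain(export))                                   # (True, -1)
    print("open erasures:", outstanding_erasures(export))                    # ['ER-8']
    print("edited:", verify_chain(edit_record(export, 2, rows_deleted=0)))   # (False, 2)
    print("dropped:", verify_chain(drop_record(export, 1)))                  # (False, 1)
```

The chain detects tampering; it does not prevent it. Whoever controls the store can rewrite every record and recompute every hash, so the latest record hash has to be anchored somewhere the data team cannot reach, for example sent to the independent auditor or the DPO on a fixed schedule, and the table holding the chain should accept appends only. With those two controls in place, the export is evidence an auditor can verify rather than a report they have to take on trust.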

What Are the Penalties for SDF Non-Compliance?

Breaches of the SDF-specific obligations in Section 10 carry their own entry in the Schedule, separate from the standard penalty tiers:

  • Violation of SDF-specific obligations: up to ₹150 crore
  • Each breach is penalised on its own, so an SDF that also fails on security safeguards faces up to ₹250 crore for the safeguard failure plus up to ₹150 crore for the SDF breach, a combined maximum exposure of ₹400 crore

The SDF penalty is not the largest in the schedule — but it is the most avoidable. Unlike a breach (which is an operational event), SDF non-compliance results from not appointing a DPO, not conducting a DPIA, or not engaging an auditor. These are organizational decisions, not system failures.

An SDF designation with no DPO appointed is a ₹150 crore liability that requires a single hiring decision to remove.

Final Verdict

Significant Data Fiduciary designation is coming for the largest data processors in India. The obligations it triggers — DPO, annual DPIA, independent audit, algorithmic accountability — are not incremental additions to a standard compliance program. They require dedicated organizational infrastructure and Databricks configurations that standard deployments do not have.

The enterprises that conduct their SDF self-assessment now, build the DPO access infrastructure, and configure audit-ready reporting before designation are the ones that will absorb the additional obligations without operational disruption. The enterprises that receive designation notices without those systems in place face ₹150 crore in additional exposure on top of their existing standard obligation gaps.

FAQ: Significant Data Fiduciary Under DPDP

What is a Significant Data Fiduciary under DPDP?

An organization designated by the Central Government under Section 10 of the DPDP Act based on the volume and sensitivity of data processed, risk to data principals’ rights, and potential national security or electoral implications. SDFs face 5 additional obligations beyond the standard Data Fiduciary tier.

How is an organization designated as an SDF?

The Central Government issues a notification designating specific entities or classes of entities as SDFs after assessing the factors in Section 10(1). Organizations cannot self-designate or self-exempt. Large BFSI, healthtech, and consumer platform enterprises are the most likely candidates for early designation.

What are the SDF obligations under DPDP?

Appointment of an India-resident DPO with board-level reporting, annual Data Protection Impact Assessments, annual independent data audits, potential data localization requirements upon notification, and algorithmic accountability documentation for automated decision-making systems.

What is the penalty for SDF non-compliance?

Up to ₹150 crore for violation of SDF-specific obligations under Section 10. This penalty is cumulative with standard DPDP penalties — an SDF that also has a security safeguard failure faces ₹250 crore + ₹150 crore in combined exposure.

Does DPDP require SDFs to store data in India?

Data localization requirements for SDFs are subject to Central Government notification. No such notification has been issued as of May 2026. However, SDF-designated organizations should architect their Databricks deployment to support India-region data residency as a precautionary measure.

How does SDF designation impact a Databricks-based data estate?

SDFs need a DPO-accessible audit query interface, automated PII inventory for annual DPIAs, exportable compliance audit reports for independent auditors, India-region deployment readiness, and MLflow-based algorithmic accountability documentation. None of these exist in a standard Databricks deployment without deliberate configuration.

Sinki.ai’s Audit Gap Finder delivers the SDF-required PII inventory and audit trail

Natively inside your Databricks workspace – no data egress, no manual classification, enforcement-ready.

Written by Paras Dhyani

Paras Dhyani is a Databricks Certified Data Engineer Professional specializing in scalable data architecture and analytics. He focuses on transforming complex data challenges into streamlined, production-ready engineering solutions. Through his writing, Paras provides practical insights into building and optimizing high-performance systems on the Databricks platform.
