DPDP Rules 2025, Phase 3: Significant Data Fiduciaries (SDFs)
Commencement: 13 May 2027 for SDFs designated before that date; for new designations, 6 months from the date of designation

Rule 10

Additional Obligations of Significant Data Fiduciaries

Practical Note

Rule 10 only applies to entities formally designated as Significant Data Fiduciaries (SDFs) by the Central Government — designation has not yet occurred as of the Rules' commencement. The SDF designation criteria include: volume and sensitivity of data processed, national security risk, potential impact on sovereignty, risk to electoral democracy, and scale of processing. Large tech platforms, major financial institutions, healthcare databases, and telecom companies are likely SDF candidates.

THE STATUTE

Original Text

(1) Every Significant Data Fiduciary shall —
(a) appoint a Data Protection Officer who shall be based in India, and who shall represent the Significant Data Fiduciary before the Board;
(b) appoint an independent Data Auditor to conduct a data audit;
(c) undertake such other measures, including Data Protection Impact Assessment, as may be specified.

(2) The Data Protection Officer —
(a) shall be an individual having knowledge of relevant laws and practices relating to data protection;
(b) shall be appointed by and be responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary;
(c) shall be the point of contact for grievance redressal.

Analysis & Details

Rule 10 establishes the enhanced compliance obligations applicable exclusively to entities designated as Significant Data Fiduciaries (SDFs) by the Central Government. This two-tier regulatory architecture — standard obligations for all Data Fiduciaries, enhanced obligations for SDFs — mirrors aspects of the EU AI Act's risk-tiering and GDPR's DPO requirement (which applies only to certain categories of processors).

KEY SDF OBLIGATIONS

(1) INDIA-BASED DPO: An SDF must appoint a Data Protection Officer who is physically based in India. The DPO must have knowledge of relevant data protection laws, report to the Board of Directors (not just IT or legal teams), and be the primary contact for the DPBI and for Data Principals' grievances. The India-based requirement means multinational SDFs cannot rely on a global DPO based abroad — they need a dedicated India role.

(2) INDEPENDENT DATA AUDITOR: SDFs must appoint an independent Data Auditor (not an employee) to conduct periodic audits of data governance practices. The frequency, scope, and standards for audits will be specified by the DPBI. This creates a new professional services market for qualified data protection auditors in India.

(3) DATA PROTECTION IMPACT ASSESSMENT (DPIA): SDFs must conduct DPIAs for processing activities involving high risk to Data Principals. DPIA methodology and triggering criteria will be specified by the DPBI.

(4) ALGORITHMIC PROCESSING ASSESSMENT: SDFs processing data through automated decision-making systems may be required to conduct algorithm assessments. This is a potential AI governance provision with significant implications for tech platforms using recommendation algorithms, credit scoring, and other algorithmic systems.

GDPR Parallel

Articles 35–37 (DPIA + DPO) + Article 30 (Records of Processing)

IT Act Impact

Rule 10's algorithm assessment requirement for SDF automated decision-making systems is potentially India's first regulatory AI governance requirement, going beyond the purely voluntary India AI Governance Guidelines (November 2025). For SDFs using AI/ML in credit scoring, content recommendation, or HR decisions, this may constitute binding algorithmic accountability obligations.

Common Queries

What is a Significant Data Fiduciary?

A Significant Data Fiduciary is a Data Fiduciary formally designated by the Central Government as processing data at a scale or sensitivity that warrants enhanced obligations. Designation criteria include: volume and sensitivity of data processed, national security and sovereignty risk, electoral democracy risk, and scale of processing. No SDFs have been designated yet; designation will happen through separate Central Government notification. Likely candidates include major tech platforms (Google, Meta, Amazon), large financial institutions, telecom companies, and government data processors.

Must an SDF's Data Protection Officer be based in India?

Yes. Rule 10 explicitly requires that the DPO of a Significant Data Fiduciary be 'based in India'. A global DPO located outside India is not sufficient compliance. Multinational companies designated as SDFs will need to appoint a dedicated India-based DPO, either a senior India employee or an external specialist.

Must every Data Fiduciary appoint a Data Protection Officer?

No. Only Significant Data Fiduciaries (SDFs) are required to appoint a Data Protection Officer under Rule 10. Non-SDF Data Fiduciaries must designate a contact person for grievance redressal under Act Section 13, but this need not be a formally appointed DPO. The DPO requirement in the DPDP is narrower than under GDPR, where public authorities, large-scale sensitive data processors, and large-scale monitoring entities must appoint DPOs.

Key Rules & Provisions

India-based DPO mandatory — foreign or remote DPO insufficient for SDFs.

Independent Data Auditor required — not an internal employee.

DPIA scope and triggers to be specified by DPBI.

Algorithm assessment for automated decision-making systems — potential AI governance implication.

No SDFs designated yet — designation criteria to be notified separately.