What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Quick Answer•4 min read

What Is a Significant Data Fiduciary Under DPDP?

Understand what makes a business a Significant Data Fiduciary under DPDP, the additional obligations, and compliance costs in India.

Sushant Pasumarty5 June 2026

What Is a Significant Data Fiduciary Under DPDP?

A Significant Data Fiduciary (SDF) under India's Digital Personal Data Protection (DPDP) Act, 2023, is a Data Fiduciary designated by the Central Government based on specific risk factors. This designation carries additional, stricter compliance obligations beyond those for regular Data Fiduciaries.

The government considers the volume and sensitivity of personal data processed, the risk of harm to Data Principals, potential impact on India's sovereignty and public order, and other relevant factors when making this determination. Being an SDF means facing a higher regulatory burden and scrutiny.

What This Means Right Now

While the DPDP Act is in force, the specific criteria for designating SDFs and the full extent of their enhanced obligations are yet to be notified by the Central Government. This means that while the concept exists, the immediate practical steps for identifying yourself as an SDF are pending detailed rules.

However, businesses that handle large volumes of sensitive personal data or engage in activities with a high potential for harm (e.g., financial services, healthcare, social media platforms, large e-commerce players) should anticipate a high likelihood of being designated an SDF. Proactive readiness is crucial.

💡 Key Insight: Even without formal notification, if your business processes high volumes of sensitive personal data, planning for SDF obligations now can save significant costs and avoid penalties later.

What You Actually Need To Do (Anticipated SDF Obligations)

If your business is designated as a Significant Data Fiduciary, you will likely face these enhanced obligations:

Appoint a Data Protection Officer (DPO): This individual must be based in India, a key managerial personnel, and responsible for overseeing DPDP compliance, acting as a point of contact for Data Principals and the Board.
Appoint an Independent Data Auditor: This auditor will be responsible for periodically auditing the SDF's compliance with DPDP provisions.
Undertake Data Protection Impact Assessments (DPIAs): For certain processing activities, SDFs will need to conduct DPIAs to identify and mitigate risks to Data Principals' rights.
Undertake Periodic Audits: Regular, comprehensive audits of their systems and processes to ensure ongoing compliance with DPDP.

What DPDP Readiness Costs for Potential Significant Data Fiduciaries

Preparing for SDF designation involves more comprehensive and ongoing compliance efforts. Sushant Pasamarty, founder of Meridian Bridge Strategy, recommends starting with a full understanding of your data landscape and then building robust compliance frameworks.

Tier	What it includes	Price range	Duration
Data Mapping	Map every personal data flow: who collects it, where it goes, which vendors touch it. Essential foundation for any SDF readiness.	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion). Identifies where your current practices fall short of DPDP and anticipated SDF requirements.	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. Develops a clear, actionable plan to address compliance gaps, including initial DPO role scoping.	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation Support + DPO Training + Final Readiness Opinion. This tier is crucial for potential SDFs, providing end-to-end support, DPO training, and assistance in meeting audit requirements.	₹7L – ₹12L	3-6 months

Businesses likely to be designated SDFs will almost certainly require the Full DPDP Consulting service due to the need for sustained implementation support, DPO training, and preparation for independent audits.

✅ Pro Tip: Even if you are not yet formally designated an SDF, adopting best practices for data governance, like conducting regular DPIAs and appointing an internal compliance lead (precursor to a DPO), will significantly ease the transition.

When to Start Your SDF Readiness

The time to start is now. Waiting for the specific SDF rules to be notified will put your business at a disadvantage. Proactive engagement ensures you understand your data landscape, identify gaps, and implement necessary changes before penalties become a concern. Sushant Pasamarty emphasizes that early preparation leads to more robust and cost-effective compliance.

Next Step: Understand Your Risk and Roadmap

Understanding whether your operations might fall under the SDF category is the first step. Use our free calculator to get an initial estimate of your compliance needs. For a detailed assessment and a tailored roadmap, consider an MBS DPDP Readiness Audit or DPDP Workshop.

Frequently Asked Questions

What is the primary difference between a Data Fiduciary and a Significant Data Fiduciary?

A Significant Data Fiduciary (SDF) is a special category of Data Fiduciary with enhanced obligations, such as appointing a DPO and an Independent Data Auditor, and conducting DPIAs and periodic audits. These extra requirements apply due to the volume, sensitivity, and potential impact of the data they process.

Will all large companies be designated as Significant Data Fiduciaries?

Not necessarily all large companies. The designation depends on specific criteria to be notified by the Central Government, focusing on factors like the volume and sensitivity of personal data processed, the risk of harm to Data Principals, and the potential impact on public order and national security.

What happens if my business is designated an SDF but is not prepared?

Non-compliance with SDF obligations can lead to significant penalties under the DPDP Act, which can reach up to ₹250 crores for certain violations. It also poses reputational risks and operational disruptions. Being unprepared means reacting under pressure, which is often less efficient and more costly.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →

What Is a Significant Data Fiduciary Under DPDP?

What Is a Significant Data Fiduciary Under DPDP?

What This Means Right Now

What You Actually Need To Do (Anticipated SDF Obligations)

What DPDP Readiness Costs for Potential Significant Data Fiduciaries

When to Start Your SDF Readiness

Next Step: Understand Your Risk and Roadmap

Frequently Asked Questions

Related Guides

DPDP Compliance: Mandatory for Indian Startups?

DPDP Fines for Small Businesses: What You Need to Know

DPDP Act: Foreign Companies in India – Guide by MBS

Check Your DPDP Cost