DPDP Act, Significant Data Fiduciary, Sensitive Data, Personal Data
The Digital Personal Data Protection Act 2023 (DPDP Act) of India strengthens data privacy protections for individuals, mandating organizations to adhere to stringent regulatory requirements and imposing significant penalties for non-compliance.
Entities that process sensitive personal data at a substantial scale may be designated as Significant Data Fiduciaries by the government under the DPDP Act.
For instance, technology companies that manage extensive user personal data, financial institutions handling critical banking information, and healthcare providers storing sensitive medical records are Significant Data Fiduciaries as per the DPDP Act.
Under Section 2(z) of the DPDP Act, a Significant Data Fiduciary is a Data Fiduciary, or a group of Data Fiduciaries, that the Central Government of India notifies as such on the basis of the conditions laid down in Section 10 of the DPDP Act. The following factors are evaluated in determining whether a Data Fiduciary is a Significant Data Fiduciary:
The Central Government assesses the volume of data processed by the Data Fiduciary. If the data processed is of a vast quantity, the entity processing it will qualify as a Significant Data Fiduciary.
If the personal data being processed by the entity falls within the category of sensitive personal data, the entity processing that category of data shall be classified as a Significant Data Fiduciary.
When the processing carries a possibility of higher risk that jeopardises the rights of the Data Principal, the entity will be categorised as a Significant Data Fiduciary; for example, where the processing activity involves the health records of a Data Principal.
Processing classified government data can affect national security, since a data breach in this context could threaten India's sovereignty and integrity. Entities processing such data will therefore be classified as Significant Data Fiduciaries.
When the processing of personal data would pose a significant risk to the functioning of electoral democracy in India, the entity processing that data will be classified as a Significant Data Fiduciary.
Entities that handle sensitive financial data, such as bank account details, net banking credentials, and ATM PINs, are classified as Significant Data Fiduciaries because a breach of such data could disrupt public order.
Under Section 10(2) of the DPDP Act, a Significant Data Fiduciary is required to appoint a Data Protection Officer (DPO), who acts as the point of contact for grievance redressal under the DPDP Act.
A Significant Data Fiduciary must also appoint an independent data auditor to ensure compliance with the Act.
Other measures to be taken by a Significant Data Fiduciary include a periodic Data Protection Impact Assessment (DPIA). A DPIA is a documented process that describes the rights of the Data Principal and the purpose of processing their personal data, identifies the risks involved, and sets out how those risks are managed.
Rule 12(3) of the DPDP Rules, 2025 specifies that any algorithmic software a Significant Data Fiduciary uses for processing personal data shall undergo a thorough review and verification process, carried out to identify potential risks to the rights of the Data Principal.
Rule 12(4) of the DPDP Rules, 2025 mandates that Significant Data Fiduciaries ensure that specific personal data and its traffic data, as identified by the Central Government, are not transferred outside India.
The Digital Personal Data Protection Act 2023 of India establishes stringent regulations for data privacy, with a particular focus on Significant Data Fiduciaries. These entities, processing sensitive personal data at a substantial scale, face increased obligations to safeguard data and ensure compliance. Appointing a Data Protection Officer, conducting annual audits, and reviewing algorithmic software are among the key responsibilities. This framework aims to mitigate privacy risks, protect individual rights, and uphold national security and democratic processes in the digital age.