DPDP / Governance

Significant Fiduciary Readiness

CA Nikhil Gupta·May 2026·3 min readDPDP / Governance

Prepare for Significant Data Fiduciary obligations through board accountability, India-based DPO readiness, independent audit, DPIA, risk ownership and evidence.

An organisation should not wait for designation before understanding whether its scale, sensitivity and risk profile could attract stronger obligations.

Quick View

Decision

Build the governance components now, while clearly distinguishing readiness from a formal legal designation.

First action

Create SDF readiness assessment.

Core evidence

Risk classification.

Main warning

Calling the company an SDF without notification.

Why It Matters

The Digital Personal Data Protection Act, 2023 and the final Rules notified in November 2025 follow phased commencement. As of 25 June 2026, organisations should separate duties already operative from consent, grievance, rights, children, Significant Data Fiduciary and other operational provisions scheduled for later commencement, while continuing to comply with the IT Act, CERT-In directions and sector-specific rules already in force.

Section 10 permits the Central Government to notify Significant Data Fiduciaries based on factors including data volume and sensitivity, risk to individuals, sovereignty, electoral democracy, State security and public order.

Designated entities must appoint an India-based DPO responsible to the board, appoint an independent data auditor, conduct periodic DPIAs and audits, and take prescribed measures when the relevant provisions commence.

Control Framework

AreaWhat to establishOperating rule
Risk profileScale, sensitivity, vulnerable users and impact.Assess annually.
GovernanceBoard sponsor, DPO mandate and reporting line.Document independence.
AssuranceAuditor, audit scope and remediation.Avoid self-certification only.
DPIAHigh-risk processing and rights impact.Review before launch.

Action Checklist

  1. Create SDF readiness assessment.
  2. Nominate executive sponsor.
  3. Draft DPO charter.
  4. Build independent audit criteria.
  5. Define DPIA trigger list.
  6. Report gaps and budget to the board.

Practical Example

A large consumer platform processes financial, location and children’s data but treats privacy as a legal-policy task with no board dashboard or independent testing.

Evidence to Keep

  • Risk classification.
  • DPO charter.
  • Board reporting pack.
  • Audit plan.
  • DPIA register.
  • Remediation tracker.

Warning Signs

  • Calling the company an SDF without notification.
  • DPO reporting only to marketing.
  • Auditor reviewing its own work.
  • No product DPIA triggers.
  • Unfunded board risks.

Detailed Review

A reliable control should connect the individual, data field, purpose, notice or sector disclosure, system, employee access, vendor access, retention rule and closure evidence. A policy statement that cannot be traced through this chain is difficult to operate.

Maintain a legal-timing matrix. Record the DPDP provision, phased commencement status, current IT Act or sectoral duty, business owner, system dependency and implementation deadline. Avoid one blanket label such as compliant or not compliant.

Build controls into technology and workflow. A written instruction cannot stop an SDK from collecting contacts, a campaign tool from re-importing suppressed users or an agent from downloading medical records unless the system enforces the decision.

Use proportionate verification. Weak checks can expose another person’s information; excessive checks create more Aadhaar, health, payroll or bank data that must be protected and deleted later.

Generate evidence during ordinary operations: versioned screens, event logs, access approvals, vendor tickets, complaint chronology, deletion reports, test recordings and management decisions.

Run a negative-path test: refusal, withdrawal, account closure, vendor breach, employee exit or child-user flow. The control should continue to protect data outside the happy path.

Management reporting should show overdue actions, repeat complaints, failed tests and residual risk rather than only the publication of policies.

Control Test

Select one real user or transaction journey and trace it from collection through sharing, access, retention, withdrawal, complaint or closure. Capture the evidence at each stage.

Test the control on production-like systems rather than screenshots alone. Review network traffic, event logs, suppression status, vendor responses, role access and deletion output.

Run an adverse scenario: the vendor is breached, the user is a child, the borrower alleges harassment, the employee leaves or the app permission is revoked. Record the response and gaps.

Compare public wording with actual behaviour. Product forms, call scripts, privacy notices, contracts, SDKs and support tools should tell the same story.

Assign a named owner, funded action and closure date to each gap. Retain the reason when management accepts residual risk or chooses a less intrusive alternative.

Escalation Route

Start with the privacy, security, product or regulated-business owner and preserve system evidence before changing configuration or deleting records. Separate current sector and CERT-In obligations from future DPDP readiness.

For serious complaints, children’s data, financial harassment, medical exposure or suspected cybercrime, involve qualified legal, privacy, cyber, banking, insurance or healthcare specialists and use the applicable official channel.

Frequently Asked Questions

Who becomes an SDF? â–¼
Only a fiduciary or class formally notified by the Central Government.
Should non-designated companies prepare? â–¼
High-risk organisations can build readiness without claiming designation.
Where must the DPO be based? â–¼
Section 10 states that the DPO of an SDF must be based in India.
What should an independent audit examine? â–¼
Governance, data flows, controls, rights, security, processors, incidents and remediation.