A lot of the businesses I talk to are “tracking DPDP.” By now everyone knows about the Digital Personal Data Protection Act, 2023 (DPDP Act). But not everyone is equally worried about May 2027. The real urgency is for businesses that are likely to be designated a Significant Data Fiduciary (SDF). Once you enter SDF territory, you are not just following basic DPDP hygiene rules. You are adding a whole layer of governance on top of them.
You don’t apply for SDF status. The Central Government notifies a Data Fiduciary as an SDF under the DPDP Act. So the goal here is to be ready and to run an internal, evidence-based assessment. If you have a medium or high chance of being notified, act as if you will be.
The DPDP Act on one page: the parts you need to know before you talk about SDFs
We need a common base layer before we can talk about SDFs. The DPDP Act has its own vocabulary:
- Data Principal: the person whose personal information is being used.
- Data Fiduciary: the person or group that decides how and why to process data.
- Data Processor: the person or organization that processes personal data for a Data Fiduciary.
This classification matters operationally because the Data Fiduciary carries the primary DPDP obligations, and SDF obligations are added on top of them. DPDP applies to personal data in digital form; it is not limited to “sensitive” data. Names, phone numbers, email addresses, device IDs, and location data add up quickly.
In a practical sense, being DPDP ready usually means you can show:
- Notices and consent when needed: Giving clear, easy-to-find information about how data will be used and getting proof of consent before any processing starts.
- Purpose limitation: Using personal data only for the purposes for which it was originally collected.
- Reasonable security safeguards: Using technical and organizational measures that are standard in the industry, such as encryption and access controls, to prevent unauthorized access to data.
- Breach response: Keeping a protocol ready to find, stop, and report data leaks to the right people and authorities within the required time frames.
- Handling complaints: Setting up a clear and effective way for users to voice their concerns, withdraw their consent, or exercise their rights over their data.
- Retention and deletion: Making sure that personal data isn’t kept forever and is safely deleted once its purpose has been met.
- Processor governance and contracts: Making sure that third-party vendors follow strict data protection rules by signing legally binding contracts.
What is a Significant Data Fiduciary (SDF) according to the DPDP, and who makes that decision?
Under the DPDP Act, an SDF is essentially a Data Fiduciary that the Central Government designates as “significant.” The test is about size, sensitivity, and risk. The government is likely to look at the following:
- The quantity of personal data processed, including the number of Data Principals, records, and how often it is processed.
- The sensitivity of personal data processed: not just formal “sensitive categories,” but also data that, if misused, can cause real harm to people.
- The risk of harm to Data Principals, including financial harm, identity theft, discrimination, safety risks, loss of privacy, and harassment.
- The use of new technologies, such as AI, ML, profiling, facial recognition, automated decision making, the Internet of Things (IoT), and large-scale analytics.
- Effect on India’s sovereignty and integrity, including the risk to electoral democracy and the safety of the State.
Are you probably an SDF? A self-assessment tool that lawyers like
The goal is to find out if your company should act like an SDF and build accordingly.
First factor: Size. Start with numbers. Check how many Data Principals are affected, how many monthly active users you have, and how many customers you hold KYC records for. Scale combined with profiling, or scale combined with location data, starts to look like SDF territory.
Second factor: Sensitivity. Ask yourself: could misuse of this data cause someone serious harm? Think of exact location, financial information, government IDs, and information about children.
Third factor: Risk of harm. Put a number on the harm scenarios. Can this information be used for identity theft, or to discriminate against people when they apply for jobs or loans?
Fourth factor: New technology. Governance expectations go up if you use AI or ML models trained on personal data, make automated decisions, or use facial recognition. AI raises the level of risk, which invites more scrutiny, which raises the chance that you will be classified as significant.
Deadline for DPDP compliance in May 2027: what to do now and what to do later
The DPDP Act compliance process leads to full enforcement by May 2027. As the table below shows, organizations prepare in stages to meet their baseline and SDF obligations:
Timeline for DPDP Compliance
| Step | Timeframe | Important steps | Area of focus |
|---|---|---|---|
| 1. Foundations | Now–3 months (Apr–Jul 2026) | Choose a DPDP owner, put together a cross-functional group (legal, security, product, HR), map the top 10 systems, find processors, and run a basic incident tabletop. | Setting up the team, mapping the data, and making the first contracts |
| 2. Basic DPDP controls | 3–6 months (Jul–Oct 2026) | Add DPDP clauses to vendor contracts, review access controls, implement deletion in 2–3 systems, build a grievance workflow with SLAs, and update notices and consent. | Notices, basic security, retention, and processors |
| 3. Proof and putting into action | 6–12 months (Oct 2026–Apr 2027) | Make or update the processing register, collect proof (logs, approvals), add secure SDLC checks, train teams, and improve incident playbooks. | Writing things down, training, and operational tests |
| 4. SDF-ready layer | 12–18 months (Apr–Oct 2027) | Write a draft DPO charter, do DPIAs on high-risk flows, set up audits, and keep an eye on high-risk flows. | DPO, DPIAs, and audits for likely SDFs |
| 5. Making implementation stronger | Final stretch to May 2027 | Close remediations, vendor reviews, mock audits, live board reporting, and test deletion/incidents. | Ready for anything, with no gaps |
The most common mistakes we’ve seen with DPDP/SDF so far
- Treating DPDP as just a privacy policy update instead of fixing access control, retention, and real processes.
- Handling complaints through a simple inbox without keeping track of who did what and when.
- Focusing too much on the wording of consent forms and not enough on the bigger risks: collecting too much data, poor access control, unreliable deletion, and unmanaged vendors.
What to write down to show that you are following the rules
Enforcement authorities will want to know what controls you have and how you can show that they work. You must have:
- A clear data map and processing register showing what data you hold, why you hold it, who can access it, and when it will be deleted.
- Security policies that are written down and backed up by things like access logs, patch reports, and vulnerability scans.
- A useful incident response plan with steps for escalating issues and records of practice drills to prove that your team can handle breaches in the time allowed by law.
- Records of a structured system for dealing with complaints that includes set response times and tracking of complaints.
- Proper vendor management documents, including a list of processors, risk assessments, and signed data protection agreements.
A case study showing how the law applies in a real-world boardroom struggle
The “M-Health” Tipping Point: A Case Study
The Entity: M-Health Solutions is a mid-sized Indian start-up that gives 2 million people AI-driven health advice and digital health lockers.
The Trigger: M-Health isn’t a tech giant, but it does handle “Sensitive Personal Data,” which includes blood markers, mental health logs, and genomic trends. It uses an automated “Health-Score” algorithm to push users toward insurance products.
The SDF Dilemma: M-Health’s internal team said that under the 2025 Rules, they weren’t “Significant” because they didn’t have as many users as social media giants. But a Data Protection Impact Assessment (DPIA) showed that there was a “High Risk of Harm” because of Algorithmic Bias and Volume of Sensitivity.
The Result: M-Health’s Board chose “Pre-emptive SDF Alignment” instead of waiting for a government notice. They hired a Data Protection Officer and reworked their “Health-Score” model so that its decisions could be explained. The Data Protection Board (DPB) ran its first industry-wide check in May 2027. M-Health paid no fine because it already had a “Paper Trail of Fairness” in place.
Wrapping up
SDF status is a designation. Being ready is a choice. Build the SDF layer early if your scale and risk profile put you in the medium or high-risk range. Don’t wait for a notice to start acting like you will be held to a higher standard. By May 2027, “good” means tested incident response, an operational complaints-handling process, and a mature DPO function. Do an SDF likelihood assessment today. The May 2027 deadline is coming no matter what.
*****
Author’s Bio: Sarvesh Kanakgiri is an LL.M (Corporate Laws) graduate based in Mumbai and has gained practical exposure to commercial drafting, regulatory research, and due diligence while working with a boutique law firm in Mumbai. His interests lie in corporate transactions and business law.

