DPDP Sections7 min read

Section 10 Explained: Significant Data Fiduciary Duties

A definitive guide for BFSI compliance leaders on Section 10 of the DPDP Act and the DPDP Rules, 2025, detailing Significant Data Fiduciary thresholds, Data Protection Officer appointments, and independent audit mandates.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Section 10 In A Single Paragraph

Section 10 of the Digital Personal Data Protection Act 2023 grants the Central Government the authority to explicitly classify certain organizations as Significant Data Fiduciaries. Once designated, these entities face intensely heightened regulatory scrutiny and must fulfill additional, rigorous compliance duties far beyond standard fiduciary requirements under the Act and the DPDP Rules, 2025. For large enterprise organizations, particularly those operating within the banking, financial services, and insurance (BFSI) sector, this tier of classification mandates profound structural and operational changes. It explicitly requires appointing an India-based Data Protection Officer, conducting regular Data Protection Impact Assessments, and engaging an independent data auditor to deeply evaluate overarching compliance. The core legislative objective of Section 10 is to fiercely enforce strict accountability and mandate direct board-level oversight over high-risk data processing operations that could substantially impact the rights of Data Principals in India or national interests.

Exact Statutory Text Anchors

Section 10(1) carefully outlines the exact assessment factors the Central Government will utilize for a Significant Data Fiduciary designation. The government will critically evaluate these fiduciaries based on a distinct set of parameters: the volume and sensitivity of personal data processed, the overarching risk to the fundamental rights of the Data Principal, and the potential impact on the sovereignty and integrity of India. Furthermore, the mandatory assessment framework incorporates massive macro-level considerations, explicitly including any risk to electoral democracy, the overall security of the State, and general public order.

Section 10(2) clearly details the binding operational requirements triggered immediately upon designation. A Significant Data Fiduciary shall appoint a Data Protection Officer who must formally represent the entity under the provisions of this Act and be permanently based in India. Crucially, this officer must be an individual directly responsible to the Board of Directors or an equivalent governing body, acting as the primary point of contact for grievance redressal. The Significant Data Fiduciary must also appoint an independent data auditor to rigorously evaluate compliance and proactively conduct periodic Data Protection Impact Assessments as dictated by the evolving regulatory landscape.

Who This Binds And When

The Significant Data Fiduciary designation applies directly and exclusively to Data Fiduciaries that meet the Central Government's stipulated risk criteria. Data Processors do not receive this designation directly, though they automatically inherit strict operational controls through necessary contract flow-downs mandated by other sections of the Act. Large banks, non-banking financial companies, immense insurance companies, and major telecommunications operators must operate on the assumption that their processing volumes, automated decision-making algorithms, and heavily regulated compliance operations will inevitably trigger this highest tier of classification.

The DPDP Rules, 2025 provide detailed operational specifics on exactly how independent audits and Data Protection Impact Assessments must be executed, documented, and officially submitted. Organizations simply cannot afford to wait for a formal, entity-specific notification from the government to start building the underlying, mandatory evidence pack. Preparing the sprawling enterprise control environment, conducting comprehensive data discovery, and precisely mapping complex data flows takes significant time across highly entrenched legacy financial systems. Proactive architectural changes are required to ensure robust readiness well before the government finalizes its initial list of designated entities.

How To Comply Step By Step

1. Appoint an India-based Data Protection Officer. The DPO must not be a superficial or heavily diluted title; Section 10(2) dictates they must represent the Significant Data Fiduciary and report directly to the Board of Directors. The primary control owner is the Board or the Chief Compliance Officer. The exact evidence artifact requires a formal, recorded board resolution and a fully updated corporate governance charter explicitly documenting this direct reporting line. 2. Contract an independent data auditor. The primary control owner is the internal Audit Committee or the Risk Committee. The statutorily required evidence includes the external auditor engagement letter, a detailed execution plan explicitly mapped to the DPDP Act and the DPDP Rules, 2025, and the finalized, independent audit reports. Internal corporate audit teams absolutely cannot fulfill this specific statutory mandate. 3. Execute periodic Data Protection Impact Assessments. The primary control owner is the internal compliance team working very closely alongside frontline business process owners. The core required evidence artifact is a formally completed DPIA report linked directly and undeniably to your comprehensive Record of Processing Activities (RoPA). This evaluation must closely assess the volume and sensitivity of personal data processed to proactively mitigate risks to Data Principals. 4. Overhaul processor oversight and compliance tracking. Under Section 8(2), the Significant Data Fiduciary may only involve a Data Processor for any activity related to offering goods or services under a highly valid, robust contract. The control owner is the vendor risk management team working intricately with legal counsel. Evidence artifacts must include thoroughly updated, legally binding vendor contracts, ongoing compliance attestation logs, and robust audit trails proving that processors fully support your overarching duty to comply with the Act.

Penalties For Getting It Wrong

The tremendous financial exposure for actively failing to meet these specific, heavily heightened standards is severe and unprecedented within Indian data governance. According to the explicitly defined Schedule of the DPDP Act, any breach in the strict observance of the additional obligations for a Significant Data Fiduciary under Section 10 natively carries a massive penalty ceiling of up to 150 crore rupees. This catastrophic liability is completely distinct from, and evaluated alongside, the 250 crore rupees maximum penalty for general security safeguard failures under Section 8. The Data Protection Board of India will inevitably and heavily weigh the absence of a board-backed Data Protection Officer or missing Data Protection Impact Assessment records as uniquely critical aggravating factors during any regulatory inquiry, grievance escalation, or major breach investigation.

Interaction With Other Sections

Section 10 fundamentally and inextricably operates alongside Section 8, which clearly establishes that a Data Fiduciary is fully responsible for compliance irrespective of any external agreement to the contrary. Under Section 8(3), if personal data is actively used to make a significant decision that directly affects the Data Principal or is deliberately disclosed to another Data Fiduciary, the original fiduciary bears immense and undeniable responsibility for ensuring accuracy and completeness. For a Significant Data Fiduciary, this simply means the mandated independent data auditor will heavily and specifically scrutinize all downstream data sharing and algorithmic decision-making processes.

Furthermore, Section 10 links directly to the extensive Data Principal rights established in Section 11. Section 11(1) explicitly grants the Data Principal the powerful right to obtain a full summary of personal data being processed, along with the precise identities of all other Data Fiduciaries and Data Processors with whom the personal data has been officially shared. The India-based Data Protection Officer legally mandated by Section 10 must urgently orchestrate the complex internal pipelines required to fulfill these Section 11 requests promptly and accurately. While valid consent acts as the primary legal basis for processing, except where Section 7 legitimate uses clearly apply, the Significant Data Fiduciary must meticulously oversee the entire intricate lifecycle of those consent artifacts.

Deadline Pressure And Next Steps

With the introduction of the DPDP Rules, 2025, which establish critical procedural frameworks, the compliance clock is rapidly ticking for large financial, healthcare, and technology institutions to establish regulator-ready, thoroughly automated audit trails. Actively relying on overlapping, heavily fragmented Governance, Risk, and Compliance (GRC) tools or outdated manual spreadsheets for vital Data Protection Impact Assessments and independent audit tracking will quickly exhaust your entire team's adoption capacity and leave massive, highly penalized compliance gaps.

Large organizations must immediately and honestly evaluate whether their current enterprise compliance architecture can seamlessly handle these dense Significant Data Fiduciary obligations without suddenly triggering a multi-year, incredibly disruptive integration project. Run a targeted, heavily evidence-based gap analysis against detailed Section 10 and Section 8 requirements to see exactly where your current workflows and evidence trails fall dangerously short before ruthless regulatory enforcement begins.

Sources

Frequently asked questions

What triggers a Significant Data Fiduciary designation?

Under Section 10(1), the Central Government evaluates Data Fiduciaries based on factors such as the volume and sensitivity of personal data processed, risks to Data Principal rights, and broader impacts on the sovereignty of India, state security, electoral democracy, and public order.

Can a global compliance officer act as the DPO for a Significant Data Fiduciary?

No. Section 10(2) specifically mandates that the Data Protection Officer for a Significant Data Fiduciary must be based in India and report directly to the Board of Directors or an equivalent governing body.

Do Data Processors need to conduct Data Protection Impact Assessments?

The statutory obligation under Section 10 to conduct DPIAs and independent audits falls strictly on the Significant Data Fiduciary. However, Data Processors must support these efforts as part of their contractual obligations mandated by Section 8(2).