DPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalisedDPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalised
[01]Resource · 02

SDF readiness, end to end.

If you process large volumes of personal data, sensitive categories, or children's data, you are likely to be notified as a Significant Data Fiduciary under §10. Here is the 26-point checklist we run with every customer before the designation lands.

Items
26
Avg time to ready
11 wks
Designation trigger
Notified by Govt.
Penalty if missed
₹150 Cr
[02]Use case

Who needs SDF readiness, and why now.

The Central Government will notify SDFs based on volume of personal data, sensitivity, risk to electoral democracy, security of the State, public order, and risk to Data Principals. In practice, every consumer platform above 10M MAU, every fintech with sensitive financial data, every healthtech, and every large edtech is treating §10 as inevitable.

[03]Governance

The non-negotiables under §10.

[01]
Data Protection Officer (DPO)

Based in India, reports to the board, publicly contactable. Crawlshark provides a DPO-as-a-service option for early-stage SDFs.

[02]
Independent Data Auditor

Annual audit of DPDP compliance by a Govt-empanelled auditor. We pre-stage the evidence.

[03]
Data Protection Impact Assessment

DPIA for every high-risk processing activity, signed and versioned.

[04]
Periodic compliance audits

Quarterly internal reviews with board-grade reporting.

[04]Operational

What you ship before the designation arrives.

[01]
Consent ledger of record

A single, tamper-evident store of every consent — not a sum of cookie banners and email opt-ins.

[02]
DSR workbench

Self-serve Access, Correction, Erasure, Withdrawal, Nomination — auto-fanned out to every connected system.

[03]
Breach war room

Roles pre-assigned, drafts pre-written, drills logged quarterly.

[04]
RoPA + DPIA registry

Records of Processing Activity + DPIA in one signed registry, exportable to the DPB.

[05]
Vendor & subprocessor map

Every Data Processor with active DPA, retention policy, and breach notification SLA.

[06]
Grievance officer

Publicly listed, with a 30-day SLA per §13.

DPO required
Yes
India-based, §10(2)(a)
Annual audit
Mandatory
§10(2)(c)
DPIA cadence
Per activity
§10(2)(b)
Penalty exposure
₹150 Cr
Schedule

Get the full 26-point SDF readiness audit, free.

One call. We score you against §10, surface the top 5 gaps, and ship a 90-day plan.