If you process large volumes of personal data, sensitive categories, or children's data, you are likely to be notified as a Significant Data Fiduciary under §10. Here is the 26-point checklist we run with every customer before the designation lands.
The Central Government will notify SDFs based on volume of personal data, sensitivity, risk to electoral democracy, security of the State, public order, and risk to Data Principals. In practice, every consumer platform above 10M MAU, every fintech with sensitive financial data, every healthtech, and every large edtech is treating §10 as inevitable.
Based in India, reports to the board, publicly contactable. Crawlshark provides a DPO-as-a-service option for early-stage SDFs.
Annual audit of DPDP compliance by a Govt-empanelled auditor. We pre-stage the evidence.
DPIA for every high-risk processing activity, signed and versioned.
Quarterly internal reviews with board-grade reporting.
A single, tamper-evident store of every consent — not a sum of cookie banners and email opt-ins.
Self-serve Access, Correction, Erasure, Withdrawal, Nomination — auto-fanned out to every connected system.
Roles pre-assigned, drafts pre-written, drills logged quarterly.
Records of Processing Activity + DPIA in one signed registry, exportable to the DPB.
Every Data Processor with active DPA, retention policy, and breach notification SLA.
Publicly listed, with a 30-day SLA per §13.
One call. We score you against §10, surface the top 5 gaps, and ship a 90-day plan.