Significant Data Fiduciary Designation under the DPDP Act: A Proportionate Approach for the Enterprise IT and ITES Industry

NASSCOM Insights 2 months ago

At Nasscom, our Public Policy team has approached the Digital Personal Data Protection Act, 2023 with a clear objective: to support a regulatory framework that is robust in principle, proportionate in application, and workable in implementation.

That objective is especially important in the context of the Significant Data Fiduciary framework, which has major implications for governance, compliance design, and business certainty across India's digital economy.

The SDF framework is among the most consequential elements of India's new data protection architecture. It creates a pathway for enhanced obligations where the scale and nature of processing, and the risks flowing from it, justify closer scrutiny. Those obligations are significant. They include enhanced governance measures such as a Data Protection Officer, an independent data auditor, periodic data protection impact assessments, audits, and other prescribed requirements. For industry, the question is therefore not merely one of legal classification, but of proportionate regulatory treatment.

This question is particularly important for the enterprise IT and ITES industry, including Global Capability Centres and globally integrated delivery organisations operating from India. These businesses often process very large volumes of data in the course of delivering services, but in their core business model they do so largely on behalf of clients, as a data processor in the DPDPA context. Their own fiduciary role is typically concentrated in narrower activities such as employment, vendors, recruitment, skilling, CSR, outreach, marketing, and certain talent or platform-based functions. That distinction matters because the legal and policy rationale for SDF designation should turn on the nature of the entity's role and the risk profile of the activity, and not on scale viewed in the abstract.

It is in this context that Nasscom has published a new paper on Significant Data Fiduciary designation and its implications for the enterprise IT and ITES industry. The paper is intended to contribute to a constructive and evidence-based discussion at a timely stage, before the SDF framework becomes operational.

The paper makes three central points.

  • First, in its core business, enterprise IT and ITES is predominantly processor-led, while its fiduciary role is concentrated in a narrower set of incidental activities.
  • Secondly, the SDF framework under the Act is not a scale-only framework. It is a multi-factor framework. For enterprise IT and ITES, the relevant inquiry cannot be limited to overall enterprise-wide data volumes. It must consider the legal role in which the enterprise is acting, the purpose of the processing, and whether a specific fiduciary-side activity genuinely warrants designation.
  • Thirdly, the Government's notification approach will be critical. Since SDF designation is framed at the level of the Data Fiduciary or class, a broadly framed notification could have entity-level consequences even where the underlying concern arises from a limited set of activities. Careful calibration will therefore be essential to ensure that the framework remains aligned with actual risk and statutory intent.

The paper also examines the incidental fiduciary-side datasets that may arise in the enterprise IT and ITES context, including employee and vendor data, hiring-related data, skilling and certification data, college outreach data, marketing initiative data, CSR beneficiary data, and coding or talent engagement platforms. The analysis does not argue for exclusion as a matter of principle. Rather, it argues that these use cases should be assessed in context and on their own terms, without collapsing processor-side activity and limited fiduciary-side functions into a single scale metric.

In our view, this is an important moment for clarity. A proportionate and well-calibrated SDF framework will strengthen confidence in the law, support smoother implementation, and help ensure that enhanced obligations apply where the statutory rationale genuinely supports them. That is in the interest of industry, government, and the wider digital policy ecosystem alike.

The paper has also been shared with MeitY. We would welcome feedback from industry, government, Global Capability Centres, and the wider expert community.

#DPDPAct #dataprotection #DataGovernance #DigitalPolicy #privacy #DPDPRules #DataProtectionBoard #EnterpriseIT #ITeS #ITITES #GCCIndia #GlobalCapabilityCentres #DigitalEconomy #IndiaTech #ProportionateRegulation #ResponsibleRegulation #EaseOfDoingBusiness #PublicPolicy #PolicyPaper #TrustedData

ashish.aggarwal

Disclaimer: This content has not been generated, created or edited by Dailyhunt. Publisher: NASSCOM Insights