
DPDPA Rule 13: Additional Obligations for Significant Data Fiduciaries
Master DPDPA Rule 13 requirements for Significant Data Fiduciaries. Discover mandatory DPIAs, algorithmic due diligence, and compliance strategies today.
Written by
Priyanka Choudhury
Date
Read time
6 min

Being a standard Data Fiduciary is a baseline responsibility. Being notified as a Significant Data Fiduciary (SDF) is a completely different weight class.
Under DPDPA Rule 13, the government has decided your data operations are too consequential to be left to unverified trust. Rule 13 of the DPDP Rules 2025 sets out enhanced obligations for entities notified under Section 10 of the Digital Personal Data Protection Act, 2023. It introduces an annual audit and DPIA mandate, required reporting to the Data Protection Board, continuous algorithmic due diligence, and a conditional data localization regime.
Scope and when it applies
These obligations for significant data fiduciaries do not apply to everyone by default. An entity becomes an SDF only when it is individually notified by the Central Government, or when it falls within a notified class.
The DPDP Rules 2025 that include Rule 13 come into force 18 months after their publication on 13 November 2025. That puts the starting line at approximately May 2027. From the moment an entity is notified as an SDF, a ticking clock begins: you have exactly 12 months to complete your first DPIA, finish your audit, and ensure the required report is furnished to the Board. The cycle then repeats every 12 months.

Mandatory annual DPIA and independent audit
Rule 13 requires an SDF to undertake both a Data Protection Impact Assessment (DPIA) and an audit once every 12 months from its notification date. The stated purpose is to ensure effective observance of the Act and the Rules.
Section 10 of the Act dictates the terms of engagement:
- An independent data auditor must be appointed to evaluate compliance with the Act.
- A DPIA must assess the purposes of processing, risks to Data Principal rights, and the exact measures deployed to manage those risks, along with other prescribed matters.
In practice, this is not a paperwork exercise you can cram for in month eleven. It is a recurring, end-to-end assessment of your processing activities, control design, operating effectiveness, risk treatment plans, and governance structure. And note the word independent. The auditor’s separation from your operational teams is not a suggestion,it is a strict requirement.
Reporting to the Data Protection Board
Under the DPDP Rule 13 requirements, an SDF must cause the person carrying out the DPIA and audit to furnish a report to the Board containing “significant observations” arising from both exercises.
The Rules do not define significant observations. But the translation is clear: the regulator expects your auditor to hand them a map of your material vulnerabilities. These are findings that a reasonable regulator would expect to be flagged. Examples include:
- High-risk processing without adequate safeguards
- Systemic gaps in access, correction, erasure, or grievance redress mechanisms
- Algorithmic risks that could impair Data Principal rights
- Non-conformance with retention, security, or consent requirements
The duty to ensure timely submission sits entirely with the SDF. You cannot blame a slow auditor. Make it a hard deliverable in the auditor’s engagement letter, define the format and scope of observations, and set an immovable submission date following completion.
Algorithmic due diligence and risk verification
Rule 13 requires SDFs to observe due diligence to verify that technical measures,including algorithmic software used for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data,are not likely to pose a risk to Data Principal rights.
This is an ongoing obligation. It applies to any algorithm or system that processes personal data across its full lifecycle. The practical implications are heavy:
- Pre-deployment checks: Conduct algorithmic impact assessments for systems that influence user outcomes or handle large-scale profiling.
- Rights test: Verify that algorithms do not impair access, correction, erasure, or grievance rights, and do not enable discriminatory or manipulative outcomes.
- Controls and evidence: Implement explainability where feasible, document training data provenance, test for bias or drift, maintain model change logs, and schedule periodic reviews.
- Human oversight: For consequential automated decisions, ensure documented human review pathways and escalation.
Do not wait for an algorithm to fail in production to figure out how it works. Build repeatable tests and monitoring, and keep auditable records of the verification you perform.
Conditional data localization for specified categories
Rule 13 requires SDFs to ensure that certain personal data,once specified by the Central Government based on recommendations of a constituted committee,is processed subject to a strict restriction: neither the personal data nor the traffic data pertaining to its flow can be transferred outside India.
This is where India data localization rules get highly specific:
- It is category-specific: It does not apply to all personal data by default.
- Traffic data is included: It is not just about where the database lives. The metadata and telemetry tracking the flow of that specified data must also drop anchor in India.
- The prohibition is absolute: For specified categories, cross-border transfers are simply not permitted.
The committee will include officials from the Ministry of Electronics and Information Technology and may include officials from other ministries or departments. Expect the specification to align heavily with national security, critical infrastructure, or other high-sensitivity considerations.
The operational takeaway? Plan now for architectural flexibility. Map data flows for high-impact datasets, identify cross-border dependencies, and line up India-based alternatives for storage, processing, and telemetry.

Penalties and enforcement exposure
Breach of SDF obligations under Section 10 can attract a penalty of up to ₹150 crore per violation. For localization breaches tied to specified categories, enforcement can also involve blocking orders under Section 37. Transfers that compromise national security may trigger additional consequences.
Treat annual non-compliance and algorithmic due diligence failures as separate exposure events. Each missed report, flawed audit, or uncontrolled model rollout is not just a process failure,it creates standalone liability.
Timelines and recurring obligations
- Rules effective: Approximately May 2027 (18 months after publication on 13 November 2025).
- SDF trigger: The date you are notified individually or as part of a class.
- First DPIA and audit: Complete within 12 months of the SDF notification date. Ensure the auditor furnishes significant observations to the Board.
- Recurrence: Repeat DPIA, audit, and reporting every 12 months thereafter.
- Continuous duties: Algorithmic due diligence and localization compliance apply at all times once you are an SDF and once any category is specified.
What changes in practice
Rule 13 shifts compliance from reactive incident response to preventive governance. Annual DPIAs and audits force structured risk discovery. Board reporting makes material gaps visible to the regulator. Algorithmic due diligence extends accountability directly into model design, testing, and monitoring. Conditional localization demands technical and contractual readiness for India-only storage and telemetry for certain datasets.
For operators, this means you need stronger documentation, tighter third-party oversight, and an auditable line of sight from risk identification straight through to remediation.
Practical controls and evidence to put in place
- Governance and roles
- Appoint an India-based Data Protection Officer as required under Section 10.
- Define an SDF compliance calendar tied to your notification date.
- Establish a formal audit committee or equivalent oversight body.
- DPIA and audit workflow
- Maintain a current data inventory and data flow maps.
- Standardize DPIA templates with risk scoring and mitigation tracking.
- Engage an independent auditor with a clear scope, deliverables, and Board reporting clause.
- Algorithmic accountability
- Register all models processing personal data with owners, purposes, datasets, and risks.
- Run pre-deployment impact assessments for high-impact models.
- Implement periodic bias and performance testing, drift detection, and human-in-the-loop review where relevant.
- Keep explainability summaries, feature importance analyses, and change logs.
- Localization readiness
- Identify datasets likely to be specified. Map storage, processing, and telemetry paths.
- Prepare India-based infrastructure options and vendor fallbacks.
- Gate cross-border transfers with rule-based controls and monitoring.
- Board reporting pack
- Compile significant observations, root causes, corrective actions, deadlines, and accountable owners.
- Maintain evidence folders: DPIAs, audit reports, policies, control test results, and model assessments.
- Vendor and contract management
- Flow down SDF obligations in contracts where vendors touch personal data.
- Require attestations and technical controls for localization and algorithmic safeguards.
Delivering on Rule 13 is execution-heavy. It rewards organizations that treat compliance as an operating system rather than a one-time project.
Many teams struggle to coordinate audits, DPIAs, model reviews, and localization controls on a fixed annual clock. At Regodit, we built a structured way to operationalize these exact requirements, keeping evidence tight and aligning stakeholders around the regulator’s expectations. If building an operating model that holds up under scrutiny is on your roadmap, it might be time to talk.
Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.
Keep reading
All blogs →DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries
Handling a notice under DPDP Act Rule 23 requires strict confidentiality. Discover how to respond to government data requests and ensure full compliance.
DPDPA Rule 22: Appeals to the Appellate Tribunal
Lost at the Data Protection Board? DPDPA Rule 22 governs the digital-first appeals process. Read our complete guide to filing an appeal with the Tribunal.
DPDPA Rule 21: The Machinery Behind the Data Protection Board of India
Ensure your business meets DPDP Act compliance requirements. Discover key obligations for data fiduciaries, penalty risks, and steps to protect user privacy.
