Raksha Labs
← Raksha WatchData protection
Informational

There's no '50 lakh users' rule for Significant Data Fiduciaries

Despite what many blogs claim, neither the DPDP Act nor the 2025 Rules sets a numeric threshold (like '50 lakh users' or '₹250 crore turnover') for becoming a Significant Data Fiduciary. Only a government notification can designate you one.

The myth

You'll see confident claims online that you become a Significant Data Fiduciary (SDF) — with extra obligations like audits and a Data Protection Officer — once you cross "50 lakh users" or "₹250 crore turnover." Neither figure is in the law.

What the law actually says

Under section 10(1), the Central Government designates SDFs by notification, based on qualitative factors:

  • the volume and sensitivity of personal data processed;
  • risk to the rights of data principals;
  • potential impact on the sovereignty and integrity of India;
  • risk to electoral democracy, security of the State, and public order.

There is no automatic, number-based trigger. You become an SDF only if the government notifies you (or your class) as one.

Where the stray numbers come from

  • "50 lakh users" is a real threshold — but it belongs to a separate online-gaming / data-retention context, not SDF designation.
  • "₹250 crore" is the maximum penalty for a security-safeguards failure, not a turnover trigger.

What this means for you

Most SMBs will not be SDFs. Don't over-engineer to a threshold that doesn't exist — focus on the baseline obligations that apply to every data fiduciary.

What to do now

Quick win

Ignore online 'user count' or 'turnover' SDF thresholds — they aren't the law. Only a government notification designates an SDF. Focus on the baseline obligations that apply to everyone.

This affects you if…
  • you've seen '50 lakh users / ₹250 crore' SDF claims online
  • you're unsure whether extra SDF duties apply to you
Source

DPDP Act, 2023 (India Code) · DPDP Act 2023, s.10

Don't just read it — find out where you stand.

A free scan shows what your live site is exposing today. When you're ready to be audit-ready, our Compliance Sprint gets you DPDPA-ready in 30 days.

Scan my site freeCompliance Sprint — ₹49,999

General information, not legal advice. Verify against the cited primary source and confirm specifics with a qualified advisor before acting.