General obligations of data fiduciaries and significant data fiduciaries
In the fourth instalment of the Prism series on the Digital Personal Data Protection Act, 2023 ("DPDPA"), we analyse the general obligations of data fiduciaries and Significant Data Fiduciaries ("SDFs"). These obligations encompass principles such as accountability, fairness, storage limitation and preserving the integrity and confidentiality of personal data. In the latter part of the Prism, we compare these obligations with data protection laws around the world to identify the obligations of data fiduciaries under the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA") and Singapore's Personal Data Protection Act ("PDPA").
What are the obligations of a data fiduciary?
1. Accountability:
- Data processors are defined under the DPDPA to mean any person who processes personal data on behalf of a data fiduciary.
- It is pertinent to note that, unlike under the GDPR, data processors do not have any direct obligations under the DPDPA. The data fiduciary is responsible for the compliance of its data processors. Therefore, it is important to undertake due diligence on data processors before their appointment.
- The DPDPA does not mandate maintaining a record of processing activities ("ROPA"). However, maintaining a ROPA will help in identifying gaps in compliance with the DPDPA, and it will also help in responding to data principals' access requests.
- The GDPR mentions that a controller can demonstrate compliance with the GDPR by implementing internal data protection policies, or by adhering to a code of conduct or a certification mechanism. However, the DPDPA does not explicitly mention any measures by which a data fiduciary can demonstrate compliance with its obligations.
2. Engagement of data processors:
3. Ensuring completeness, accuracy and consistency of personal data:
4. Implementing technical and organizational measures:
- The GDPR mentions implementing privacy by design and by default, and other measures such as pseudonymising or encrypting personal data, as examples of measures that meet the principles of data protection. However, the DPDPA does not elaborate upon the technical and organisational measures required for compliance with the DPDPA.
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 state that bodies corporate which have implemented the international standard IS/ISO/IEC 27001, or followed data protection best practice codes provided by an association, are deemed to have complied with reasonable security practices and procedures. However, the DPDPA does not provide any such standards for demonstrating compliance.
5. Protection of personal data:
6. Intimation of personal data breach:
7. Contact details of the Data Protection Officer ("DPO") or authorized person of the data fiduciary:
8. Effective grievance redressal mechanism:
9. Retention of personal data:
The specified purpose will be deemed to be no longer served if, within a specified time period, the data principal does not approach the data fiduciary for that purpose or to exercise any of her rights. The time period will be mentioned in the rules.
Who are SDFs?
SDF means any data fiduciary or class of data fiduciaries that the Central Government may notify from time to time, based on an assessment of certain factors that are captured below.
An SDF has certain obligations, in addition to the general obligations of a data fiduciary, listed below:
1. DPO: An SDF should appoint a DPO.
Although the DPDPA does not require the appointment of a representative, SDFs are required to appoint a DPO who is based in India. However, for other data fiduciaries that are not classified as an SDF, there is no requirement to appoint a DPO or representative who is based in India.
2. Independent Auditor: An SDF should appoint an independent auditor.
3. Data Protection Impact Assessment: An SDF should undertake a periodic Data Protection Impact Assessment ("DPIA").
The rules will mention the other matters that are related to the processing of personal data that should be part of the DPIA.
4. Periodic Audit: An SDF should also undertake a periodic audit of its personal data processing activities.
5. Other measures: An SDF should also undertake other measures that are consistent with the DPDPA. The rules will mention more measures that an SDF will have to undertake.
Comparison with select data protection laws around the world
| Concept | DPDPA | GDPR | CCPA | PDPA |
|---|---|---|---|---|
| Implementation of technical and organisational measures | A data fiduciary should implement appropriate technical and organisational measures to comply with the DPDPA. | The data controller should implement appropriate technical and organisational measures to comply with the GDPR. | A business should implement reasonable security procedures and practices appropriate for the processing of personal information. | An organisation must develop and implement policies and practices to meet its obligations under the PDPA. |
| Appointment of sub-processors | The data fiduciary can appoint a sub-processor through a valid contract. | The controller can appoint processors through a binding written contract. | A business can appoint a service provider for a business purpose pursuant to a business contract. | An organisation can appoint data intermediaries pursuant to a written contract. |
| Personal data breach notification | The data fiduciary will notify the Board and the affected data principals in case of a personal data breach. | The controller must, without undue delay and within 72 hours of becoming aware of a personal data breach, notify the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons; the data subject must also be notified without undue delay. | California's breach notification statute mandates that consumers be notified of a data breach without unreasonable delay. The business must notify the Attorney General if more than 500 consumers' personal information has been breached. | If the data breach is a notifiable data breach, the organisation will have to notify the Commission within 3 days from the date of the assessment. The organisation should also notify the affected data subjects. |
| DPIA | The requirement to undertake a DPIA is only imposed on an SDF. | The controller must, prior to the processing, carry out a DPIA where the processing is likely to result in a high risk to the rights and freedoms of natural persons. | Businesses whose processing of consumers' personal information presents a significant risk to consumers' privacy or security will conduct a risk assessment. | Where an organisation processes personal data based on deemed consent, it will conduct an assessment. |
| Designation of the DPO | An SDF is obligated to appoint a DPO. | The controller may appoint a DPO if its core activities require large-scale, regular and systematic monitoring of individuals or consist of large-scale processing of special categories of data. | The CCPA does not obligate the appointment of a DPO. | The organisation must designate an individual to ensure that the organisation complies with the PDPA. |
| Grievance redressal | Data fiduciaries will establish an effective mechanism to redress the grievances of data principals. | There is no obligation on the controller to provide an internal grievance redressal mechanism under the GDPR. | There is no obligation on the business to provide a grievance redressal mechanism under the CCPA. | An organisation should develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA. |
| Retention of personal data | The data fiduciary should erase personal data if the data principal has withdrawn their consent or if the purpose is no longer being served. | One of the principles of the GDPR ("storage limitation") mandates that personal data should not be retained for longer than is necessary to achieve the purpose of processing. | A business's retention of personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. | Organisations should delete personal data as soon as the purpose for which it was collected is no longer being served, or if retention is no longer necessary for legal or business purposes. |
| Obligation to ensure personal data's completeness, accuracy and consistency | Where the personal data is likely to be used to make a decision that affects the data principal, or will be disclosed to another data fiduciary, the data fiduciary shall ensure its completeness, accuracy and consistency. | One of the principles of data protection is to ensure that personal data is accurate and, where necessary, kept up to date; inaccurate personal data should be rectified without delay. | The business has an obligation under the CCPA to entertain consumer requests to correct any inaccuracies in their personal information. | The organisation must make reasonable efforts to ensure that personal data is accurate and complete where it is likely to be used to make a decision that affects the data subject, or is likely to be disclosed by the organisation to another organisation. |
| Data audit | The DPDPA mandates SDFs to have a data audit conducted by an independent auditor. | The GDPR does not mandate any data audit by an independent auditor. | The CCPA directs the California Privacy Protection Agency to make rules requiring businesses to undergo annual independent cybersecurity audits if their processing presents a significant risk to consumers' privacy or security. | The PDPA does not mandate any data audit by an independent auditor. |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.