Data Protection Bill: What is Data Fiduciary & How will the Proposed Law Impact Business | Explained
The Bill imposes several obligations on data fiduciaries to ensure the protection of personal data and the privacy rights of individuals

The Digital Personal Data Protection (DPDP) Bill, which the government tabled in the Parliament, seeks to establish the rights of a user regarding the use of data and lays down obligations of the company or government agency collecting and processing the data.

The government aims to make entities like internet companies, mobile apps, and business houses more accountable and answerable about the collection, storage and processing of citizens' data as part of the Right to Privacy.

What is Data Fiduciary?

The DPDP Bill introduces the term ‘data fiduciary’ to refer to any entity or individual that determines the purpose and means of processing personal data. This includes organizations that collect personal data for various purposes, such as providing services, conducting research, or marketing products.

Under the proposed law, the government also defines ‘Significant Data Fiduciary’ (SDF), which is a special category of data fiduciary that is subjected to additional obligations under the DPDP Bill, according to a report by India Future Foundation.

An individual or an entity is classified as a Significant Data Fiduciary based on factors such as the volume and sensitivity of personal data, its processes, its turnover and its use of new technologies for processing data. SDFs are required to implement additional measures, such as conducting data protection impact assessments and appointing a data protection officer.

Obligations of data fiduciary

The Digital Personal Data Protection (DPDP) Bill imposes several obligations on data fiduciaries to ensure the protection of personal data and the privacy rights of individuals. These obligations apply to all data fiduciaries, with additional requirements for those classified as “Significant Data Fiduciaries”.

Obtaining Valid Consent

One of the primary obligations of data fiduciaries under the DPDP Bill is to obtain valid consent from data principals before collecting and processing their personal data. Consent must be free, informed, specific, clear and capable of being withdrawn.

Ensuring Data Security

Data fiduciaries are required to implement appropriate security safeguards to protect personal data from unauthorized access, disclosure, alteration, or destruction. These safeguards should be proportionate to the potential harm that could result from a data breach and should consider the nature and purpose of data processing and the risks associated with the processing.

Implementing Privacy by Design Principles

The bill mandates data fiduciaries to implement privacy by design principles. This means that data protection measures should be integrated into the design of data processing systems, rather than being added on later. Data fiduciaries should adopt measures such as data minimization, pseudonymization and encryption and should regularly review and update their data protection measures.

Other Obligations

The DPDP bill also includes obligations like:

  • Comply with the provisions of the Act, irrespective of any agreement to the contrary or any failure of the data principal to carry out their duties
  • Security safeguards to prevent data breach
  • Intimation of data breaches to affected Data Principals
  • Erasure of data upon withdrawal of consent
  • Ensure completeness, accuracy and consistency of the data when used in making a decision
  • Use of Data Processors only under a valid contract
  • Establishing of an effective grievance redressal system

Business Implications

Upon its passing, the proposed legislation will significantly alter how businesses collect and use digital personal data.

In other words, organizations will have to take steps to ensure transparency and compliance with data protection standards at every level of their operations. This could involve redesigning user interfaces to include essential details, popup notices, and checkboxes that inform users about the collection and use of their data and seek their consent.

According to the bill, companies and entities also have to update their privacy policies and notifications to ensure they are in line with the latest regulations, comprehensive, and understandable for users.

Companies need to be proactive in reviewing vendor contracts and assessing their data handling practices before initiating any engagement.

Moreover, the bill highlights the need to train employees, educating and sensitizing them about the implications of data use, the importance of safeguarding user data, and the need to adhere to data protection guidelines.
