The Digital Personal Data Protection Act, 2023 (“DPDPA”) is an umbrella legislation that governs the processing of personal data in India. The law establishes a comprehensive framework for the processing of personal data and specifically requires data fiduciaries – defined as persons that determine the means and purposes of processing personal data – to ensure the privacy and security of personal data.

Key Obligations of Data Fiduciaries Under the New Data Protection Law in India

Under the DPDPA 2023, data fiduciaries must comply with the following obligations:

  1. Legal Bases for Processing: Personal data may only be processed in compliance with the law and for lawful purposes. Such processing may occur either with the explicit consent of the data principal or for certain legitimate purposes, which do not require prior consent. These legitimate purposes include the voluntary provision of data by data principals, processing of personal data to respond to medical emergencies, processing of personal data in connection with a breakdown of public order, and processing for employment-related purposes. Data fiduciaries must therefore carefully identify a legal basis for each type of processing that they undertake. A single ground of processing may not be appropriate for different processing activities in respect of the same category of personal data. As an example, an individual may ask a pharmacy to send the receipt for supplies purchased to her phone number. The pharmacy may rely on the ground of voluntary provision of data by the data principal to send her the receipt. However, the pharmacy cannot rely on this ground to send marketing or promotional messages to the individual’s phone number; it will have to identify a different ground of processing to do so.
  2. Transparency and Accountability: Data fiduciaries must provide a comprehensive notice to data principals at the time of seeking consent for data processing. This notice should include information about the personal data collected, the purposes of collection, and how data principal rights can be exercised. The notice should be made available in English and 22 other Indian languages and should, in line with best practices, be simple, easy to understand, clear, and presented in layered formats.
  3. Appointment of Data Processors: Data fiduciaries are permitted to engage data processors (that is, entities that process personal data on behalf of the data fiduciary). This engagement should occur on the basis of a valid contract that defines the terms and conditions of data processing. Since the law does not impose any statutory obligations on data processors, data fiduciaries remain liable for their data processors’ compliance with Indian data protection law. In addition to carefully structured contracts, data fiduciaries should carry out comprehensive due diligence and pre-engagement verification, and should consider ongoing monitoring of data processors’ activities.
  4. Accuracy: Data fiduciaries must ensure that the personal data they handle is accurate, complete, consistent and up to date, especially when such data is likely to affect the data principal or be disclosed to another data fiduciary. This may be ensured by routinely requesting data principals to update their information and by seeking reliable documentation to verify sensitive information.
  5. Grievance Redressal: Data fiduciaries must implement a grievance redressal mechanism to address data principals’ grievances and complaints. Data fiduciaries should explore consumer-facing tools that permit data principals to lodge complaints in an effective manner (for instance, through simple forms or portals within a website or app). In addition, they should define standard operating procedures and train internal teams so that grievances are addressed in a timely manner and any escalations happen early rather than after deadlines have passed.
  6. Security: Data fiduciaries are required to implement reasonable security safeguards, in particular to prevent personal data breaches and security incidents, as required under Indian data protection law.

The DPDP Act 2023 also empowers the central government to designate specific data fiduciaries as “significant data fiduciaries” based on factors such as the volume and sensitivity of the data processed, the potential risk to data principals, and similar considerations. In addition to the obligations listed above, significant data fiduciaries must:

a. Appoint an India-based data protection officer who is directly responsible to the board of directors. No particular qualifications have been specified for such individuals at this point; however, it is standard for organisations to appoint personnel from the information security or legal teams.

b. Hire an independent data auditor to conduct periodic data audits.

c. Conduct regular data protection impact assessments.

Children’s Data:

Data fiduciaries must obtain verifiable consent from parents or lawful guardians before processing personal data of children (individuals under 18 years of age) or persons with disabilities who have guardians. Unless specifically permitted by the government through notifications, data fiduciaries are prohibited from processing data that could harm the well-being of a child or engaging in tracking, behavioural monitoring, or targeted advertising directed at children.

Impact on Businesses:

Non-compliance with the DPDPA may lead to fines of up to INR 250 crores. The DPDPA 2023 marks an important step in India’s increasing commitment towards data protection and security. By safeguarding personal data, businesses can improve their reputation, avoid penalties, and gain a competitive edge in an increasingly data-conscious world.