Obligations of Data Fiduciary under DPDPB, 2022

Who is Data Fiduciary?

A data fiduciary is any entity or individual that determines the purposes and means of processing personal data. Under the Digital Personal Data Protection Bill India, data fiduciaries are responsible for complying with the provisions of the law in respect of any processing undertaken by them or on their behalf by a data processor or another data fiduciary. They must also make reasonable efforts to ensure that personal data processed by them or on their behalf is accurate and complete, implement appropriate technical and organizational measures to ensure effective adherence to the provisions of the law and protect personal data in their possession or control by taking reasonable security safeguards to prevent personal data breaches. Further, we will study the responsibilities, compliance requirements, and obligations of Data Fiduciary under DPDPB 2022.

What are responsibilities of Data Fiduciary?

Under the Digital Personal Data Protection Bill in India, the responsibilities of a Data Fiduciary include: (1) being responsible for complying with the provisions of the Act in respect of any processing undertaken by it or on its behalf, (2) making reasonable efforts to ensure that personal data processed is accurate and complete, (3) implementing appropriate technical and organizational measures to ensure effective adherence to the provisions of the Act, (4) protecting personal data in its possession by taking reasonable security safeguards to prevent personal data breaches, (5) notifying the Board and affected Data Principals in the event of a personal data breach, (6) ceasing to retain personal data as soon as it is no longer necessary for legal or business purposes, (7) publishing the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary, (8) having in place a procedure and effective mechanism to redress the grievances of Data Principals, and (9) sharing, transferring or transmitting personal data to any Data Fiduciary, or engaging, appointing, using or involving a Data Processor to process personal data on its behalf, only under a valid contract.

What are compliance requirements for Data Fiduciary?

The compliance requirements of a Data Fiduciary under the Digital Personal Data Protection Bill India include:

1. Responsibility for compliance: A Data Fiduciary is responsible for complying with the provisions of the Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.
2. Accuracy and completeness of personal data: The Data Fiduciary must make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the personal data is likely to be used to make a decision that affects the Data Principal to whom the personal data relates or is likely to be disclosed to another Data Fiduciary.
3. Implementation of appropriate technical and organizational measures: The Data Fiduciary must implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the Act.
4. Protection of personal data: Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
5. Personal data breach notification: In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal.
6. Cessation of retention of personal data: A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention and retention is no longer necessary for legal or business purposes.
7. Publication of contact information of Data Protection Officer: Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data.
8. Grievance redressal mechanism: Every Data Fiduciary shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.
9. Valid contracts for sharing, transfer or transmission of personal data: The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.

What is impact of responsibilities and compliance requirements?

The responsibilities and compliance requirements of the Data Fiduciary under DPDPB 2022 would significantly impact how organizations handle personal data. The Data Fiduciary would be required to comply with the provisions of the Act, irrespective of any agreement to the contrary or non-compliance of the Data Principal with their duties. This means that the Data Fiduciary would have to take responsibility for any processing undertaken by them or on their behalf by a Data Processor or another Data Fiduciary.

The Data Fiduciary would have to make reasonable efforts to ensure that personal data processed by them or on their behalf is accurate and complete. If the personal data is likely to be used to make a decision that affects the Data Principal or is likely to be disclosed to another Data Fiduciary, then the Data Fiduciary must take steps to ensure its accuracy and completeness.

In addition, the Data Fiduciary would have to implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the Act. This would require the Data Fiduciary to develop robust data protection policies and procedures, including security safeguards to prevent personal data breaches.

Furthermore, the Data Fiduciary would have to notify the Board and each affected Data Principal in the event of a personal data breach. This would require the Data Fiduciary to develop an incident response plan to ensure that they can detect and respond to any breaches quickly and effectively.

The Data Fiduciary would also have to publish the business contact information of a Data Protection Officer, if applicable, or a person who can answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of their personal data. This would require the Data Fiduciary to designate a person or team responsible for overseeing data protection compliance.

How will technology help Data Fiduciary?

Data fiduciaries can leverage various technology solutions or platforms to fulfill their responsibilities and comply with the requirements under the Indian Personal Data Protection Bill. Here are some examples:

1. Data Management Systems: Data fiduciaries can use data management systems to ensure that the personal data they process is accurate, complete, and up-to-date. These systems can also help them manage consent and maintain records of processing activities.
2. Encryption and Anonymization Tools: Data fiduciaries can use encryption and anonymization tools to protect personal data against unauthorized access and processing. These tools can also help them minimize the risk of data breaches.
3. Privacy-enhancing Technologies (PETs): PETs, such as differential privacy, homomorphic encryption, and secure multi-party computation, can help data fiduciaries process personal data while preserving privacy. These technologies can also help them comply with the data minimization principle and other requirements under the Bill.
4. Consent Management Platforms: Data fiduciaries can use consent management platforms to streamline the process of obtaining and managing consent from data subjects. These platforms can also help them demonstrate compliance with the consent-related requirements under the Bill.
5. Identity Verification Solutions: Data fiduciaries can use identity verification solutions to authenticate the identity of data subjects and ensure that personal data is processed only for legitimate purposes. These solutions can also help them comply with the purpose limitation and storage limitation principles under the Bill.
6. Data Breach Response and Notification Tools: Data fiduciaries can use data breach response and notification tools to detect and respond to data breaches in a timely and effective manner. These tools can also help them comply with the breach notification requirement under the Bill.

About Concur – Harmonizing Data Compliance

Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and use of blockchain technology, Concur helps enterprises to stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, they offer dedicated support through their Support Center to ensure customers have the assistance they need to achieve their compliance goals.

Check Out: Best Consent Management Platforms in India 2024