
Last Updated: 2024-10-07 ~ Shristi Gupta ~ DPDP Consultants

Who’s a Significant Data Fiduciary under the DPDP Act

Significant Data Fiduciaries under DPDP Act 2023 must appoint a DPO, conduct DPIAs, and ensure compliance. DPDP Consultants offer expert solutions to meet SDF regulatory requirements.


Under the DPDP Act 2023, a Data Fiduciary is any person or organization that, alone or together with others, determines the purpose and means of processing personal data. In practice this is the entity that decides why and how an individual’s personal data (name, address, phone number, email and so on) is collected, stored and processed.

This covers a wide range of organizations that collect data for services, research or marketing. The Act goes a step further by introducing a narrower category, the ‘Significant Data Fiduciary’.

Significant Data Fiduciaries are subject to additional obligations, owing to the scale and sensitivity of the personal data they handle. Their designation depends on several factors, set out below.

Who Is a Significant Data Fiduciary (SDF)?

Section 10 of the Digital Personal Data Protection Act (DPDP) empowers the Central Government to notify any Data Fiduciary, or any class of Data Fiduciaries, as a Significant Data Fiduciary.

For example, large organisations that process a high volume of sensitive personal data, such as major technology companies, financial institutions, e-commerce platforms and healthcare providers, might be notified as Significant Data Fiduciaries.

Source: Meity.gov

The selection of a Significant Data Fiduciary is at the discretion of the Central Government, which has the authority to appoint any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.

The designation is based on an assessment of the factors the Act lists in Section 10(1), namely:

1. The volume and sensitivity of personal data processed

2. Risk to the rights of the Data Principal

3. Potential impact on the sovereignty and integrity of India

4. Risk to electoral democracy

5. Security of the State

6. Public order

The Central Government weighs all these factors in deciding whether a Data Fiduciary should be notified as a Significant Data Fiduciary. Once notified, the organization has the following additional obligations imposed on it.

What Are The Additional Obligations of Significant Data Fiduciaries?

Here are the additional responsibilities that Significant Data Fiduciaries must undertake.

1. Appointment of DPO

Under the DPDP Act, a Significant Data Fiduciary (SDF) must appoint a Data Protection Officer (DPO), an individual who represents the SDF under the Act and is accountable to its board of directors or similar governing body. The DPO is also the point of contact for the grievance redressal mechanism the Act requires.

The DPO must be

• based in India

• an individual accountable to the board of directors or a similar governing body

• the point of contact for the grievance redressal mechanism under the provisions of the Act

Essentially, the DPO plays a crucial role in overseeing and ensuring compliance with data protection regulations within the organization, acting as a liaison between the SDF and individuals seeking resolution for data-related concerns.

2. DPIAs

Under the DPDP Act, a Data Protection Impact Assessment (DPIA) is a process comprising a description of the rights of Data Principals and the purpose of processing their personal data, an assessment and management of the risk to those rights, and such other matters as may be prescribed. In practice this means documenting what is happening with the personal data, stating the purposes, evaluating the potential harm, and measuring and managing the risks.

The 2018 and 2019 drafts of the Personal Data Protection Bill required Significant Data Fiduciaries to conduct DPIAs in specific situations. The DPDP Act 2023 requires SDFs to carry out a DPIA periodically, but it does not spell out the frequency or the detailed content; these are left to rules to be notified by the Central Government, so the precise compliance requirements are yet to be provided.

3. Independent Data Auditor

Significant Data Fiduciaries must also appoint an Independent Data Auditor (IDA) to carry out a periodic data audit. The IDA’s role is to evaluate the SDF’s compliance with the provisions of the DPDP Act, acting as an external party that objectively reviews the SDF’s adherence to the Act’s data protection requirements.

The appointment of an IDA is a measure aimed at ensuring transparency and accountability in the data processing practices of SDFs.

4. Penalties for Non-Compliance

A Significant Data Fiduciary that fails to meet its additional obligations under Section 10 faces a monetary penalty of up to INR 150 crore under the Schedule to the Act. The Act’s highest penalty, up to INR 250 crore, applies to a failure to maintain reasonable security safeguards, an obligation that binds every Data Fiduciary, significant or not.

Currently, the DPDP Act sets out these obligations in general terms. The specific requirements for Significant Data Fiduciaries, such as the frequency and scope of DPIAs and audits, are expected to be introduced in separate rules.

DPDP Compliance for A Secure Future

The DPDP Act of 2023 represents a crucial initiative aimed at safeguarding individual privacy and promoting ethical data processing in the digital era. It establishes clear guidelines for organizations and individuals to follow to maintain data privacy.

The Act designates specific responsibilities for both Data Fiduciaries and Significant Data Fiduciaries, creating a framework to ensure proper handling of personal information.

To navigate the complexities of data privacy, organizations and individuals need to be aware of their duties under the DPDP Act. Data Fiduciaries and Significant Data Fiduciaries play key roles in upholding these standards, making sure that personal data is treated with the utmost care and in compliance with the law.

DPDP Consultants can be the support system you need to help you overcome the challenges and guide you through the intricacies of the new regulatory framework:

  • The DPDP Readiness Review facilitates a comprehensive understanding of how DPDPA impacts operational processes.
  • Our Data Protection Officer (DPO) services give organizations an experienced DPO and support for third-party audits, ensuring adherence to regulatory requirements in DPDP implementation.
  • The Contract Review service enables compliance with DPDP specifications, prompting necessary revisions for existing agreements.
  • Our dedicated team provides extensive support in achieving DPDPA Compliance, including the establishment of internal audit frameworks aligned with regulatory requirements.
  • The DPDPA Training program addresses the practical implications of policies, delivering robust compliance education.
  • The Data Protection Impact Assessment (DPIA) process assists in identifying and navigating privacy risks associated with projects and policies.
