DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company
DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.
Explore the concept of Significant Data Fiduciary under the DPDP Act. Learn about the entities entrusted with crucial data responsibilities to stay informed.
As per the DPDP Act 2023, a data fiduciary is an entity or organization that processes or handles an individual’s personal data. They are responsible for collecting, storing, processing or saving an individual’s personal data like name, address, phone number, email and more.
This covers a wide range of organizations that collect data for things like services, research, or marketing. However, the bill goes a step further by introducing ‘Significant Data Fiduciary.’
Significant Data Fiduciaries are subject to additional obligations, owing to their crucial role in handling personal data. Their appointment is based on several factors.
Section 10 of the Digital Personal Data Protection Act (DPDP) grants the Central Government the authority to classify certain Data Fiduciaries, or classes of Data Fiduciaries, as Significant Data Fiduciaries.
For example, large and influential organisations that handle a significant volume of sensitive personal data, such as major technology companies, financial institutions, e-commerce platforms, and healthcare organisations, might be considered Significant Data Fiduciaries.
The selection of a Significant Data Fiduciary is at the discretion of the Central Government, which has the authority to appoint any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.
The selection is based on an assessment of relevant factors that the Central Government determines. These include:
1. The volume and sensitivity of personal data processed
2. Risk to the rights of the Data Principal
3. Potential impact on the sovereignty and integrity of India
4. Risk to electoral democracy
5. Security of the State
6. Public order
The Central Government considers all these factors to see whether a Data Fiduciary should be classified as a Significant Data Fiduciary. Once identified as a Significant Data Fiduciary, they have additional obligations imposed on them.
Here are the additional responsibilities that Significant Data Fiduciaries must undertake.
Under the Data Protection Bill (DPDP), a Significant Data Fiduciary or SDF is mandated to appoint a Data Protection Officer or DPO who must be an individual accountable to the board of directors or a similar governing body of the SDF. This DPO serves as the primary point of contact for addressing grievances related to data protection.
The DPO must be
• based in India
• an individual accountable to the board of directors
• and the point of contact for the grievance redressal mechanism under the provisions of this Act
Essentially, the DPO plays a crucial role in overseeing and ensuring compliance with data protection regulations within the organization, acting as a liaison between the SDF and individuals seeking resolution for data-related concerns.
Source: Meity.gov
As per the DPDP Act, DPIA is a structured process of outlining what’s happening with personal data, stating the purposes, evaluating the potential harm, measuring and managing risks, and addressing other specific aspects related to processing personal data.
In PDP 18 and PDP 19, Significant Data Fiduciaries were required to conduct DPIAs in specific situations. The DPDP bill 2023, however, lacks detailed descriptions of special SDF obligations, which leaves room for potential future regulations to specify compliance requirements. More details are yet to be provided.
Source: Meity.gov
Significant Data Fiduciaries are required to appoint an Independent Data Auditor or IDA. The primary role of the IDA is to assess and evaluate the SDF’s compliance with the provisions outlined in the DPDP. So, the IDA serves as an external entity responsible for objectively reviewing and auditing the SDF’s adherence to the data protection regulations outlined in the DPDP.
The appointment of an IDA is a measure aimed at ensuring transparency and accountability in the data processing practices of SDFs.
If a Significant Data Fiduciary does not comply with the necessary obligations, it may face penalties and monetary fines, which can go up to INR 250 Cr.
Currently, the DPDP outlines a set of general obligations. However, the specific additional obligations for Significant Data Fiduciaries may be introduced in separate regulations.
The DPDP Act of 2023 represents a crucial initiative aimed at safeguarding individual privacy and promoting ethical data processing in the digital era. It establishes clear guidelines for organizations and individuals to follow to maintain data privacy.
The Act designates specific responsibilities for both Data Fiduciaries and Significant Data Fiduciaries, creating a framework to ensure proper handling of personal information.
To navigate the complexities of data privacy, organizations and individuals need to be aware of their duties outlined in the DPDP Act. Data Fiduciaries and Significant Data Fiduciaries play key roles in upholding these standards, making sure that personal data is treated with the utmost care and in compliance with the law.
DPDP Consultants can be the support system you need to help you overcome the challenges and guide you through the intricacies of the new regulatory framework:
The DPDP Act 2023 comes with its own set of challenges, and equipping yourself with the right automation tools and services empowers you to navigate them seamlessly.