+44 (0) 121 582 0192 [email protected]

Introduction

The India DPDP Act Data Protection Bill proposes stringent regulations for data fiduciaries, particularly those classified as Significant Data Fiduciaries. This article delves into the obligations outlined in Section 10(1) of the bill, shedding light on the criteria for designating a Significant Data Fiduciary and the ensuing responsibilities.

Factors Determining Significant Data Fiduciary Status

Section 10(1) of the Indian Data Protection Bill empowers the Central Government to classify certain Data Fiduciaries as Significant Data Fiduciaries. This designation is based on an assessment of several pertinent factors, including:

  1. Volume and Sensitivity of Processed Data: The scale and nature of personal data processing by the entity.
  2. Risk to Data Principal Rights: The potential impact on the rights of Data Principals, ensuring their privacy and control over their data.
  3. Sovereignty and Integrity of India: Assessing the potential influence on the nation’s sovereignty and integrity.
  4. Risk to Electoral Democracy: Evaluating any threats posed to the democratic process.
  5. Security of the State: Considering the implications for national security.
  6. Maintenance of Public Order: Gauging the potential to disrupt public order.

Obligations of Significant Data Fiduciaries

Once classified as Significant Data Fiduciaries, entities are subject to specific obligations, as stated in Section 10(2) of the bill. These responsibilities include:

  1. Appointment of Data Protection Officer (DPO): The entity must appoint a DPO who will serve as the point of contact for regulatory matters, grievance redressal, and representation under the bill. The DPO must be based in India and report to the entity’s governing body.
  2. Independent Data Auditor: A significant data fiduciary is required to appoint an independent data auditor responsible for conducting data audits. The auditor evaluates the entity’s compliance with the Data Protection Bill’s provisions.
  3. Data Protection Impact Assessment (DPIA): Regular DPIAs must be conducted, focusing on Data Principal rights, the purpose of data processing, and risk management. These assessments provide insights into potential privacy risks.
  4. Periodic Audit: Significant Data Fiduciaries must undertake periodic audits to ensure ongoing compliance with the Data Protection Bill’s stipulations.
  5. Additional Measures: As prescribed by the Data Protection Bill, these entities are required to adopt other measures consistent with its provisions.

Conclusion

Section 10 of India’s Data Protection Bill outlines the process of designating Significant Data Fiduciaries and the subsequent obligations they must fulfill. These obligations are crucial for safeguarding individuals’ rights, protecting national interests, and ensuring the proper handling of personal data. Entities that fall under the purview of this classification must be diligent in adhering to these obligations to maintain compliance with the evolving landscape of data protection laws.

Contact the Experts