Comprehensive tooling to fulfil every obligation under India's Digital Personal Data Protection Act, whether you are a standard or Significant Data Fiduciary.
Under the Digital Personal Data Protection Act 2023, a data fiduciary is any entity that determines the purpose and means of processing personal information. The Act imposes a layered set of obligations on such organisations, ranging from basic security safeguards and purpose limitation to enhanced requirements for Significant Data Fiduciaries including mandatory Protection Impact Assessments, periodic audits, and the appointment of a Protection Officer based in India. Failure to meet these obligations carries penalties ranging from 50 crore for general non-compliance to 250 crore for security safeguard failures. Qverlabs provides end-to-end tooling to meet every requirement, automating compliance monitoring, retention enforcement, DPIA workflows, regulatory reporting, and audit preparation so your organisation can operate with confidence under the DPDPA framework.
Understanding the layered obligation structure under DPDPA
Automated tooling for every obligation imposed on custodians of personal information under the Act
Automated controls ensuring personal information is only processed for the specified, consented purpose. Cross-reference processing activities against consent records.
Policy-driven retention schedules with automatic deletion triggers. Ensure records are erased once the purpose is fulfilled or consent is withdrawn.
Tools to support the Protection Officer's functions: compliance monitoring, training coordination, Board communication, and audit preparation.
Structured impact assessment workflows for high-risk processing. Template-driven assessments with risk scoring and mitigation tracking.
Continuous monitoring of technical and organisational security measures. Gap identification against DPDPA requirements with remediation tracking.
Automated generation of compliance reports for the Protection Board, internal governance, and board-level oversight dashboards.
Key provisions of the Act that establish the obligation framework for responsible entities
Every responsible organisation must implement reasonable security safeguards to protect personal information in its possession or under its control, preventing unauthorised access, processing, and breaches.
An organisation may engage a processor only under a valid contract and must ensure that the processor handles personal information solely for the purposes authorised by the engaging entity.
Personal information shall be processed only for the purpose for which consent was given or which is deemed a legitimate use under the Act. Processing beyond the stated purpose is a violation.
Where personal records are used to make a decision that affects the data principal or are disclosed to another entity, the organisation must ensure the completeness, accuracy, and consistency of such records.
The responsible party must erase personal records when it is reasonable to assume that the specified purpose is no longer being served, or when the data principal withdraws consent, unless retention is required by law.
Significant Data Fiduciaries must appoint a Protection Officer based in India, appoint an independent auditor, conduct periodic impact assessments, and fulfil additional reporting obligations as prescribed.
Under the Digital Personal Data Protection Act 2023, a data fiduciary is any person or entity that alone or in conjunction with other persons determines the purpose and means of processing personal data. This includes companies, government bodies, trusts, and any organisation that collects, stores, or uses personal information of individuals in India. The term is analogous to the concept of a "data controller" under the GDPR. Every such custodian is subject to a set of obligations under the Act including implementing security safeguards, limiting information processing to stated purposes, ensuring accuracy of records, erasing personal information when the purpose is fulfilled, and notifying breaches to the Data Protection Board and affected individuals.
A Significant Data Fiduciary is a data fiduciary designated by the Central Government under Section 10 of the DPDPA based on factors such as the volume and sensitivity of personal information processed, the risk to the rights of data principals, the potential impact on India's sovereignty and integrity, the risk to electoral democracy, security of the state, and public order. Such designated entities face additional obligations beyond those of regular custodians, including the mandatory appointment of a Data Protection Officer based in India, appointment of an independent auditor, conducting periodic Data Protection Impact Assessments, undergoing compliance audits, and fulfilling additional government reporting requirements.
Section 8 of the DPDPA establishes several core obligations for every data fiduciary. These include implementing reasonable security safeguards to protect personal information in their possession or under their control (Section 8(1)), engaging only processors who provide sufficient guarantees and operate under a valid contract (Section 8(3)), processing personal records only for the purpose for which consent was given or which is permitted under the Act (Section 8(4)), ensuring the completeness, accuracy, and consistency of personal information where such records are used to make decisions affecting the data principal (Section 8(5)), notifying the Data Protection Board and affected individuals of any personal data breach (Section 8(6)), and erasing personal information when it is no longer needed for the stated purpose or when consent is withdrawn (Section 8(7)).
Under Section 10 of the DPDPA, the appointment of a Data Protection Officer (DPO) is mandatory only for entities designated as Significant Data Fiduciaries by the Central Government. The DPO must be based in India and serves as the point of contact for the Data Protection Board of India, affected individuals, and internal compliance functions. The DPO is responsible for overseeing the organisation's protection strategy, monitoring compliance with the Act, coordinating with the Board on breach notifications and inquiries, facilitating Data Protection Impact Assessments, and ensuring that employees and processors are trained on their obligations. Regular responsible entities are not required to appoint a DPO but are encouraged to designate a compliance lead.
A Data Protection Impact Assessment under DPDPA is a structured evaluation process that Significant Data Fiduciaries must conduct to assess the potential risks to data principal rights arising from their information processing activities. The DPIA involves systematically describing the processing operations, evaluating the necessity and proportionality of the processing, identifying risks to individuals including risks of re-identification, unauthorised access, and discriminatory outcomes, and documenting the measures taken to mitigate identified risks. DPIAs must be conducted periodically and whenever new processing activities are introduced that may pose high risks. The results must be available for review by the Data Protection Board and the independent auditor.
Under Section 8(7) of the DPDPA, a data fiduciary must erase personal information when it is reasonable to assume that the specified purpose for which the records were collected is no longer being served by their retention, or when the data principal withdraws their consent. This means organisations cannot retain personal records indefinitely and must implement clear retention policies tied to the original purpose of collection. Once the purpose is fulfilled, the information must be deleted unless retention is required by any other law in force. Organisations must also ensure that their processors delete the records within a reasonable time. Failure to comply with retention and erasure obligations can result in penalties under the Act.
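The erasure rule described above has three moving parts: a trigger (purpose no longer served, or consent withdrawn), a carve-out (retention required by another law in force), and a downstream duty (processors holding copies must also delete). The following is an added illustrative example, not Qverlabs code and not logic prescribed by the Act; the record fields, the per-purpose grace periods, and the statutory-retention registry are constructed assumptions, as are the sample records.

```python
"""Retention/erasure decision logic modelled on DPDPA s.8(7).

Added illustrative example; not Qverlabs code and not prescribed by the Act.
The record schema, GRACE_PERIOD, LEGAL_RETENTION and the sample records are
constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    RETAIN = "retain"          # purpose still served and consent in force
    ERASE = "erase"            # s.8(7) trigger met, no statutory hold
    LEGAL_HOLD = "legal_hold"  # trigger met, but another law requires retention


@dataclass
class PersonalRecord:
    record_id: str
    principal_id: str
    purpose: str
    collected_on: date
    purpose_fulfilled_on: Optional[date] = None   # set when the stated purpose completes
    consent_withdrawn_on: Optional[date] = None   # set when the data principal withdraws
    processor_ids: Tuple[str, ...] = ()           # processors that hold copies


# Constructed policy: how long after purpose fulfilment retention is still
# "reasonable" for that purpose (e.g. a returns/dispute window).
GRACE_PERIOD = {
    "order_fulfilment": timedelta(days=30),
    "newsletter": timedelta(days=0),
}

# Constructed registry of hypothetical statutory minimum retention periods,
# measured from collection. This is the "unless retention is required by any
# other law in force" carve-out; real values come from the applicable statute.
LEGAL_RETENTION = {
    "order_fulfilment": timedelta(days=365 * 8),
}


def decide(record: PersonalRecord, today: date):
    """Return (Action, reason) for one record as of `today`."""
    trigger = None
    if record.consent_withdrawn_on and record.consent_withdrawn_on <= today:
        trigger = f"consent withdrawn on {record.consent_withdrawn_on}"
    elif record.purpose_fulfilled_on:
        grace = GRACE_PERIOD.get(record.purpose, timedelta(0))
        end = record.purpose_fulfilled_on + grace
        if end <= today:
            trigger = f"purpose '{record.purpose}' no longer served since {end}"
    if trigger is None:
        return Action.RETAIN, "purpose still being served and consent in force"

    # Carve-out: a statutory retention duty outlasts the erasure trigger.
    hold = LEGAL_RETENTION.get(record.purpose)
    if hold and record.collected_on + hold > today:
        return Action.LEGAL_HOLD, f"{trigger}; statutory retention until {record.collected_on + hold}"
    return Action.ERASE, trigger


def erasure_plan(records, today: date):
    """Group records by action and list processors that must delete downstream copies.

    The fiduciary stays accountable for processor copies, so every ERASE decision
    produces a notification entry per processor holding that record.
    """
    plan = {"erase": [], "legal_hold": [], "retain": [], "notify_processors": {}}
    for r in records:
        action, reason = decide(r, today)
        plan[action.value].append((r.record_id, reason))
        if action is Action.ERASE:
            for p in r.processor_ids:
                plan["notify_processors"].setdefault(p, []).append(r.record_id)
    return plan


# Constructed sample data covering each branch of the rule.
DEMO_TODAY = date(2025, 6, 1)


def sample_records():
    return [
        PersonalRecord("r1", "p-1", "newsletter", date(2024, 1, 10),
                       consent_withdrawn_on=date(2025, 5, 20), processor_ids=("mailer-x",)),
        PersonalRecord("r2", "p-2", "order_fulfilment", date(2024, 3, 1),
                       purpose_fulfilled_on=date(2025, 5, 25)),      # still inside grace window
        PersonalRecord("r3", "p-3", "order_fulfilment", date(2019, 2, 1),
                       purpose_fulfilled_on=date(2019, 3, 1)),       # purpose done, statutory hold
        PersonalRecord("r4", "p-4", "order_fulfilment", date(2015, 1, 1),
                       purpose_fulfilled_on=date(2015, 2, 1)),       # hold expired, erase
        PersonalRecord("r5", "p-5", "newsletter", date(2025, 1, 1)),  # nothing triggered
    ]


if __name__ == "__main__":
    for bucket, items in erasure_plan(sample_records(), DEMO_TODAY).items():
        print(bucket, items)
```

Running the block on the constructed records erases r1 (consent withdrawn) and r4 (purpose long fulfilled, hypothetical statutory period elapsed), keeps r3 under a legal hold, retains r2 and r5, and emits a deletion notice for the processor holding r1. In a real deployment the `reason` strings would be written to the audit log so that each erasure or hold can be justified to the Board or the auditor.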
The DPDPA regulates data processors indirectly through the obligations imposed on data fiduciaries. Under Section 8(2) and 8(3), a data fiduciary may engage a processor to handle personal information on its behalf, but the responsible entity remains accountable for compliance. The processor must only handle personal records pursuant to a valid contract with the custodian and solely for the purposes authorised by the custodian. The organisation must ensure that the processor implements reasonable security safeguards and that records are erased by the processor once the processing purpose is fulfilled. Unlike the GDPR, the DPDPA does not impose direct obligations on processors, placing the compliance burden squarely on the responsible entity.
Section 8(1) of the DPDPA requires every data fiduciary to implement reasonable security safeguards to protect personal information in their possession or under their control, including records processed by processors on their behalf. While the Act does not prescribe specific technical measures, reasonable security safeguards are generally understood to include encryption of personal information at rest and in transit, access controls and authentication mechanisms, regular security assessments and penetration testing, incident detection and response capabilities, employee training on protection practices, secure disposal procedures, and documentation of security policies and their implementation. The standard of reasonableness is assessed in context, considering the nature and sensitivity of the information, the volume of records, and the state of the art in security technology.
The DPDPA prescribes substantial financial penalties for violations of data fiduciary obligations. Under the Schedule to the Act, failure to implement reasonable security safeguards to prevent a breach carries a penalty of up to 250 crore. Failure to notify the Board and affected individuals of a breach can result in penalties of up to 200 crore. Non-compliance with additional obligations for Significant Data Fiduciaries, including failure to conduct DPIAs or appoint a DPO, carries penalties of up to 150 crore. Breach of obligations relating to children's records carries a penalty of up to 200 crore. General non-compliance with other provisions of the Act carries penalties of up to 50 crore. The Data Protection Board determines the specific penalty amount based on the nature, gravity, and duration of the non-compliance.
The DPDPA's data fiduciary framework shares conceptual similarities with the GDPR's data controller obligations but differs in several key respects. Both frameworks impose accountability on the entity determining the purpose and means of processing. However, the GDPR imposes direct obligations on processors, while DPDPA places processor compliance responsibility on the custodian. The GDPR requires Data Protection Officers for all entities engaged in large-scale systematic monitoring or processing of sensitive information, whereas DPDPA limits this requirement to Significant Data Fiduciaries. The GDPR mandates DPIAs for high-risk processing by any controller, while DPDPA limits DPIAs to Significant Data Fiduciaries. The GDPR provides a broader set of lawful bases for processing, while DPDPA primarily relies on consent and certain legitimate uses. Both frameworks impose breach notification obligations, though with different timeline specifics. Organisations subject to both should implement the stricter standard for each obligation.
Disclaimer: The information on this page is for general informational purposes only and does not constitute legal advice. For specific guidance on DPDPA compliance, consult a qualified legal professional. Regulatory requirements may change — verify current obligations with official government sources.
Automate every obligation under DPDPA, from purpose limitation and retention enforcement to DPIA workflows and regulatory reporting. Let Qverlabs build your compliance foundation.