Thursday, March 23, 2023

Analysis of the Draft Digital Personal Data Protection Bill, 2022

2. Obligations of the data fiduciary – The draft Bill imposes some significant responsibilities on the data fiduciaries, to ensure that personal data is processed, stored or erased in a safe and proper manner. These obligations include:

a. Security measures – The data fiduciary must ensure that it is taking necessary measures to protect personal data, failing which, it can be subject to a heavy penalty (discussed below). At any rate, if there is a breach, the data fiduciary or data processor (who processes data on behalf of the data fiduciary) must inform the Board and the data principal. This provision is critical since it ensures transparency in case of a breach, and enables the affected persons to take remedial measures to prevent further damage. It may, however, be worthwhile to identify a specific timeline for intimation to the data principal once the data fiduciary or processor becomes aware of a breach.

b. Deletion of data (Right to be Forgotten?) – The draft Bill contemplates deletion of personal data once the purpose for collection is no longer served, or the retention is no longer necessary. This is in addition to the right of withdrawal provided to data principals (as mentioned above) and suggests that the personal data should not be retained longer than necessary. The right to deletion is recognized as an obligation for data fiduciaries, and also (separately) as a right of the data principals.

c. Appointment of a Data Protection Officer (DPO) – Every data fiduciary must appoint a DPO who will address the data principal’s queries and concerns. However, the Bill does not suggest a timeframe for this response either.

d. Personal data of children – The Bill contemplates additional obligations while processing personal data of children, which include seeking consent from parents/guardians.

e. Significant data fiduciary – While the Bill has not actually defined what a significant data fiduciary is, it seeks to reserve the Central government’s right to identify a data fiduciary as a significant data fiduciary if it handles a high volume of sensitive personal data, involves a risk of harm to the data principal, and has an impact on the sovereignty and integrity of India, security of state, public order, etc.

These significant data fiduciaries must appoint an Independent Data Auditor (to ensure compliance with the provisions of the proposed Bill) and conduct a Data Protection Impact Assessment and periodic audit to ensure compliance.

Source: Barandbench
