Data has become extremely important in the modern age, with some industry
specialists describing data as the currency of the new age. In such a case, the
protection of data becomes extremely crucial for people. A person's personal
data is susceptible to intrusion by websites, hackers, third-party apps, etc.
In order to protect personal data, the Digital Personal Data Protection Act,
2023 ("DPDP Act") was passed on . This is in consonance with the landmark
Supreme Court judgment in K.S. Puttaswamy v. Union of India, in which the Court
held that the "right to privacy is part of the fundamental right to life under
Article 21 of the Indian Constitution". The DPDP Act enables the protection of
personal data through a two-pronged approach: firstly, it mandates the consent
of the data principal for collecting personal data and imposes several
obligations on the data fiduciary; secondly, it imposes hefty fines for
non-compliance with the provisions of the Act.
Companies as data fiduciary or Data processor:
Section 2 (5) of the DPDP Act defines Data Fiduciary as "any person who alone or
in conjunction with other persons determines the purpose and means of the
processing of personal data". And section 2 (6) of the DPDP Act defines Data
Principal as "the individual to whom the personal data relates and where such
individual is a child includes the parents or lawful guardian of such a child".
So, if a company or an organization collects the personal data of data
principals for a specified purpose and determines how such personal data should
be processed digitally, such an organization would be a 'data fiduciary' and
would have to comply with the obligations on data fiduciaries set out under the
DPDP Act.
On the other hand, if the organization only processes personal data on behalf of
another organization, such an organization would be considered as a 'data
processor'. In this case, the organization on whose behalf personal data is
being processed would be the data fiduciary. For example, if Google collects
personal data and processes the data digitally, it would be considered a data
fiduciary, whereas if a third-party website collects data on behalf of Google,
then such third-party website will be termed a data processor.
Depending on whether the company is a data fiduciary or a data processor, the
compliance requirements for the company will differ. The DPDP Act also
recognises a further category of organisation, the significant data fiduciary.
If the Central Government determines that, due to the volume of personal or
sensitive data held by an organisation, it must be categorised as a significant
data fiduciary, it may notify that organisation as a significant data fiduciary.
Compliance Obligations of the Company under the DPDP Act:
- Collection of data for a lawful purpose: The Act provides that the Data Fiduciary can process personal data only in accordance with the rules and guidelines provided in the Bill, and only for a lawful purpose (Section 5).
- Consent of the Data Principal: It is mandatory for the data fiduciary to obtain the consent of the data principal before processing the personal data of that data principal (Section 6).
- Mandatory notice for taking consent: Every request for consent made by a data fiduciary to a data principal must be accompanied or preceded by a notice, and the data principal gives consent to the processing of personal data after receiving that request. The notice must contain:
  - A description of the personal data sought to be collected from the data principal and the purpose of its processing;
  - The manner in which the data principal may exercise her right to withdraw consent and seek grievance redressal; and
  - The manner in which the data principal may make a complaint to the Data Protection Board ("Board").
- The consent sought must not infringe any provision of the Bill, and the consent request must contain the details of the data protection officer (Section 7 (3)).
- Deemed consent: As per Section 8 of the Bill, consent shall be deemed to have been given by the data principal in certain circumstances, such as where the personal data is provided voluntarily, for compliance with any judgment, for responding to a medical emergency, in the public interest, etc. (Section 8).
- Obligation to correct and erase personal data: If a data principal requests the correction, completion or updating of personal data for whose processing consent was previously given, the data fiduciary must correct, complete or update that data in accordance with the data principal's instructions. Additionally, the data fiduciary must erase the personal data of the data principal, and ensure that its data processor also erases any personal data of the data principal, on the occurrence of any of the following:
  - The data principal requests the data fiduciary to erase her personal data;
  - The data principal withdraws consent;
  - It has become reasonable to assume that the purpose for which the personal data was collected is no longer being served by retaining the personal data; or
  - Retention of the personal data is no longer necessary for compliance with any law.
- Responsibility of the data fiduciary: The data fiduciary is responsible for ensuring that the data it holds is correct and accurate and for protecting the personal data in its possession, and the data fiduciary shall be responsible for the contravention of any of the provisions of the Bill. In case of a data breach, it is the responsibility of the data fiduciary to inform the Board and the data principal (Section 9).
- Obligations of the data fiduciary in relation to the personal data of children: Section 10 of the Bill states that the data fiduciary shall obtain the verifiable consent of the parents or the guardian before processing such data. Further, the fiduciary shall not undertake tracking or behavioural monitoring of children, or process any personal data which may cause harm to children.
- Grievance redressal mechanism: The Data Fiduciary is also required to establish an effective mechanism to redress the grievances of data principals. If the organisation is classified as a significant data fiduciary, there is an additional requirement to appoint a data protection officer.
- Providing information on data breaches to the Board: The DPDP Act requires organisations to report data breaches to the Data Protection Board of India (Section 19) as well as to the affected data principals.
- Obligations of a Significant Data Fiduciary (SDF): Section 11 of the Bill states that a significant data fiduciary, as notified by the Central Government, shall:
  - Appoint a Data Protection Officer, who shall be responsible to the Board of Directors;
  - Appoint an Independent Data Auditor, who shall evaluate the compliance of the SDF with the Act; and
  - Undertake such other measures, including a Data Protection Impact Assessment and periodic audit, in relation to the objectives of this Act.
Conclusion:
The Digital Personal Data Protection Act, 2023, is a pivotal legislation
safeguarding personal data in India, ensuring compliance with the constitutional
right to privacy. It mandates data fiduciaries to obtain explicit consent,
manage data accurately, and report breaches, with stringent penalties for
non-compliance. Special provisions protect children's data, requiring parental
consent and prohibiting harmful data processing. The Act also emphasizes
grievance redressal mechanisms and additional obligations for significant data
fiduciaries, ensuring robust data protection and accountability in the digital
age.