• News
  • Columns
  • Interviews
  • BW Communities
  • Events
  • BW TV
  • Subscribe to Print
BW Businessworld

Data Protection Compliance By Data Fiduciaries

The Bill terms personal data as any data which includes characteristics or traits about an individual which can be used to identify such individual.

Photo Credit :


The Personal Data Protection Bill, 2019 (“Bill”) is significant legislation which seeks to regulate how personal data is treated by the entities collecting such data and establishes a statutory authority to regulate and enforce the data protection regime in India. The Bill governs the processing of personal data by the government; entities incorporated in India, and foreign companies collecting personal data of individuals in India. The Bill terms personal data as any data which includes characteristics or traits about an individual which can be used to identify such individual. Such data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government. Under the Bill term Data Fiduciary means anyone who collects the above mentioned personal data, which makes social media platforms, banks or even the local RTO offices, a Data Fiduciary. Data Principal is any person to whom the said personal data relates to.

The Bill places certain obligations on the Data Fiduciary which includes, that personal data should not be collected or processed without consent of the data principal; such collection of data should be for a specific, clear and lawful purpose and; that the processing of such data should be fair and reasonable at all times in order to ensure privacy of the data principal.

The bill mandates that explicit consent from the Data Principal must be taken in respect of the data to be processed. The consent is only considered adequate under the Bill if it is free of coercion, with due information, specific to the purpose, clear in wording and fully capable of being withdrawn at all times. Further, the Data Fiduciary is supposed to maintain the data in the most accurate and up to date form and in case any discrepancy is found, the same is to be reported to the data principal for amendment or correction. The Bill also mandates that if the purpose has been achieved, the data should be immediately deleted unless the same is required to be maintained by any law or judicial orders.

The Bill seeks to enforce the above by way of heavy penalties like fine of five crore rupees or 2% of total worldwide turnover, whichever is higher in case of failure to fulfil the obligations and fine of 15 crore rupees or 4% of total worldwide turnover, whichever is higher in case of processing or transferring personal data in violation of the bill.

All Data Fiduciaries are required to comply with the provisions of the Bill once it’s passed by the parliament. The organisations in order to comply with provisions of the Bill should follow certain best practices which may include:

As a starting point for compliance with the law it is essential to identify what kind of data is collected, from whom it is collected, the purpose for which the said data is processed and for how long such data is preserved and how it is preserved. At the same time, security protocols regarding handing of such data should be reviewed. This is termed as Data Protection Impact Assessment. Based on the results a privacy policy should be created which will be a binding contract between Data Fiduciary and Data Principal and it shall outline the terms under which data principal has granted access to its data to Data Fiduciary.

Have legal justification of data collection and processing. Under the Bill, data can be collected for purposes which are clear, specific and lawful. Data should only be processed for a specified purpose. Data collected should be stored in a secure manner as any breach can have severe implications.

Consent should free, unambiguous, informed, specific and capable of being revoked by data principal. Consent cannot be the condition to using a particular service by data principal. The onus to prove that the consent by data

principal is free and without coercion is on the Data Fiduciary. Specific consent is required to be taken in case of sensitive personal data. Sensitive Personal Data will be defined by the data protection authority.

It is advisable to lay emphasis on the security of the data collected. Employees should be sensitized about the importance and mechanisms for data protection employed by the organization. It is important to have clear protocols to report a data breach within organizations.

It is important that clear agreements be entered into with data processors and third parties who may handle the data collected by the Data fiduciaries. The agreements should impose the highest data protection obligations and guarantee sufficient data protection.

Appoint Data protection or grievance officer and provide their contact details prominently on the company website and other significant places which can be accessed by data principals.

Make it easy for data principals to delete their data or to ask Data Fiduciaries to stop the processing of their data. It is advisable that no data is retained beyond what is necessary

Lastly, Privacy policy should be concise, transparent, unambiguous, easily accessible, using clear and plain language.

Besides the above steps, it is also important that companies adopt a sound defence strategy in case of a data breach involving legal, technical and public relations aspects.

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.

Tags assigned to this article:
data protection Data Fiduciary

Rajat Prakash

The author is Managing Partner, Athena Legal and Specialists in Corporate and Commercial Law

More From The Author >>