
DATA PROTECTION ACT: SUMMARY – VAIDEHI

The Act applies only to digital personal data, i.e. data about an individual who is identifiable by or in relation to that data; it does not apply to offline data.
Key stakeholders subject to regulation and compliance requirements under the Act:
i) Data Principal: the individual (a natural person only) to whom the personal data relates.
A child or a person with a disability, including their representatives, can also be a data principal.

ii) Data Fiduciary: a person who, alone or together with other persons, determines the purposes and means of processing personal data.

a) Single data fiduciary: a single person determining the purposes and means of processing personal data.
b) Joint data fiduciaries: two or more persons jointly determining the purposes and means of processing personal data.
c) Significant Data Fiduciary (special category): a category or class of data fiduciaries notified by the Central Government as significant, after considering factors such as the volume of data processed and its effect on, or risk to, electoral democracy, sovereignty, integrity, or public order.

iii) Data Processor: Any person processing personal data on behalf of a data fiduciary.

Which stakeholders attract the key compliance requirements:

Mainly the data fiduciary. Data fiduciaries are vicariously liable for the conduct of their data processors. Data principals also have duties: not to impersonate another person, to submit only authentic information, and not to file frivolous complaints.

Compliance requirements (absolute obligations) for data fiduciaries:

i) Seeking consent from, and providing a privacy notice to, the data principal (in addition to any other legal requirements). Implementing security safeguards such as firewalls, intrusion detection tools and comprehensive risk assessment, as well as technical and organisational measures such as encryption, restricted access protocols, alarm systems, etc.

ii) Ensuring the accuracy, completeness, and consistency of the data that is stored.

iii) Notifying data breaches to the Data Protection Board and to the affected data principals. Erasing data from its own systems and its processors' systems if the principal withdraws consent or the fiduciary considers erasure appropriate.

iv) Significant data fiduciaries must also appoint a data protection officer and a data
auditor along with conducting a data protection impact assessment.
