It is legally correct to say that DPDPA does not impose any liability directly under the Act on Data Processors. The law only mandates that the Data Fiduciaries shall be responsible even for the processing done by the Data Processor.
It is however not ethical for Data Processors to think that they have no responsibility towards the data fiduciary being in compliance with the law. If necessary they have to take the lead and alert the data fiduciary if there is any risk of non-compliance. This also makes prudent commercial sense since if there is a penalty on the data fiduciary and his business is shaken, the downstream data processor may also lose an opportunity to grow with the data fiduciary.
Currently the Data Fiduciary enters into a contract to protect his responsibilities under DPDPA and directs the Data Processor on how to process the data in compliance with the DPDPA. The Data Processor Contract therefore is not limited to the commercial benefits or functional requirements but should have a clear description of the Data Processing responsibilities. A DPDPA compliant Data Processing Contract will therefore have necessary data protection related clauses.
Though DPDPA might not have specified liabilities to the data processor directly, it should be recognized that Section 72A of ITA 2000 creates a liability for the data processor if a Data Processing Contract involving “Personal Data” is violated.
Recognizing the need therefore for Data Processors to be responsible for DPDPA Compliance, FDPPI promotes that a Data Processor should take measures to be compliant with DPDPA as if he is a “Deemed Data Fiduciary”.
In this context DGPSI (Data Governance and Protection Standard of India) has introduced a variant framework DGPSI-Data Processors exclusively to address the need for Data Processors to be voluntarily compliant with DPDPA.
The DGPSI-DP, as it is being referred to, adopts the unique principle that “A Data Processor inherits the responsibilities of the data fiduciary through the contract”. Under this principle, a Data Processor should look through the contract as if it is a transparent glass and view the DPDPA on the other side.
Since many data processors are bigger than the data fiduciaries themselves, the voluntary adoption of DGPSI-DP by them will provide confidence to the Data Fiduciaries to use their services. This is ideal for such businesses who run a “Platform” for a specialized data processing service and invite data fiduciaries to use them.
According to the inheritance principle, a Data Processor of a Significant Data Fiduciary is a “Significant Data Processor” and needs to show the same level of responsibility that the Significant Data Fiduciary is expected to show.
As a part of this, the Data Processor, depending on the volume and sensitivity of data processed by him cumulatively as an organization, needs to conduct a DPIA, designate an internal DPO and also conduct external Data Audits from time to time.
The DGPSI-DP is therefore built to reflect the contractual obligations without losing sight of DPDPA liabilities.
We therefore urge all Data Processors to start understanding the essence of DPDPA and take steps to be in compliance. They should also realize that every Data Processor will himself be a Data Fiduciary to the extent of the Data of employees. Hence there is no clean escape from DPDPA for any Data Processor. They can however explore the DGPSI-HR as a framework for their manpower related obligations while looking at DGPSI-DP for compliance related to their data processing Contracts.
Hence, emancipated Data Processors should look for a combination of DGPSI-DP and DGPSI-HR and this will be a hallmark of Ethical responsibility that an organization may exhibit in terms of certifications.
In the coming days we should not be surprised if ISO certification marks are replaced with DGPSI certification marks on the websites of responsible companies as a symbol of assurance.
Naavi







