Who is or Who Should be a Significant Data Fiduciary?

One of the keenly awaited rule under DPDPA 2023 is the criteria to be adopted by the Government for declaring a Data Fiduciary as a Significant Data Fiduciary.

While the Act does not define “Sensitive Personal Data”, Section 10(1) brings in the concept of “Sensitivity of data” under the special obligations of a SDF.

According to the section, the Central Government may notify “Any” data fiduciary or “Class” of data fiduciaries as Significant data fiduciary on the basis of an assessment of such relevant factors as it may determine including

(a) the volume and sensitivity of personal data processed;

(b) risk to the rights of Data Principal;

(c) potential impact on the sovereignty and integrity of India;

(d) risk to electoral democracy;

(e) security of the State; and

(f) public order.

“Sensitivity” of personal data in the context of the Act is tagged with the “Volume” which means that different combinations of “Sensitivity” and “Volume” may determine the definition of a SDF. In the case of security of state or public order, risk to tights etc., volume is not an essential criterion.

Since the reasons mentioned in Section 10(1) are “Inclusive examples”, the Government may be at its liberty to notify any specific data fiduciary or class of data fiduciaries as SDF.

In the case of a “Class” of data fiduciaries, those who are involved in the processing of Financial data, Health Data or Bio metric data or minor’s data may be easily recognized as potential SDF category.

To this we need to add “Organizations” which supply material to defence organizations or law enforcement agencies or to Government in general. These are the types of organizations which are often targeted by the enemies of the state for stealing state secrets. Hence they should be declared SDF by virtue of the “Security of State” clause itself. In such cases, the volume may not be a key criterion.

In other cases different volume limits may be specified for different classes of data fiduciaries also.

Further, all criteria for declaring an entity as SDF may not be announced at one time and it may come from time to time through individual notifications just as Section 70 notifications are made under ITA 2000.

An organization will have some special obligations if it becomes a SDF and hence the compliance canvas will change. Unless otherwise exempted, the applicability of DPDPA 2023 is from the date of specific notification. Hence it is possible that an organization which is declared as a SDF may need to designate a DPO and conduct a DPIA immediately. Hopefully a time of around 6 months may be given for this compliance.

However, to err on the safe side, wise organizations should make a self assessment and decide themselves to be compliant to the higher degree of compliance of a SDF at least to the extent of designating a DPO/Compliance officer.

Some of these organisations are already into the DPIA process as the first time implementation of DPIA is time consuming.

All B2C e-commerce organizations will be potentially considered as SDF unless they are having a low volume of transactions. Any organization which has more than say 50 lakh customers till now (cumulatively since inception) could be considered as SDF by virtue of the ITA 2000 definition. The Government may however bring down this limit substantially for DPDPA for Health and Fintech Companies.

Ideally the limit should be in the range of around 1 lakh personal data sets which meet a threshold sensitivity criteria of health data or finance data. In case of biometric data it could go even down to around 50000 and in case of highly sensitive biometric data such as DNA records, there may be no limit at all.

We donot know if the MeitY will go to such depths of thinking and opt for some generic description of SDF.

We have also in the past raised another important issue which also is not expected to be addressed by MeitY. It is the need to allow flexibility to consider an organization as a hybrid entity where certain operations are of SDF nature and certain others are not. In such an event the SDF obligations can be applied only to the unit processing sensitive personal information and not others.

For example, if there is a diagnostic lab processing normal health data of small volumes with a unit handling DNA processing or there is a payment gateway service which provides services to many ordinary data fiduciaries and one or two clients providing sensitive transactions, then if the data fiduciary offers to segregate its SDF activities from others, it should be permitted to treat the part of its business to be declared as a “SDF Unit” instead of the entire organization to be treated as SDF.

I am not sure that this nuance is recognized or will be recognized by the Meity when it formulates its rules. Let us wait and see .


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.