My colleague Savita talked about DPDPA in her blog.
When I read her blog, the question I had, as I am sure you do too, was whether DPDPA applies to you. To answer that question, my first step was to understand the law. So, I ‘decomposed’ my big question into the following smaller questions:
- What is DPDPA about? What are the elements of DPDPA?
- Who does it apply to – what are the criteria?
- Does DPDPA apply to me, or does my company satisfy these criteria?

Let us take them up one by one.
Elements of DPDPA
The Gazette publication notifying DPDPA describes it as an Act “…to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto”
There are 4 main elements – Digital Personal Data, Data Principal, Data Fiduciary, Data Processor.
The Act grants rights to the Data Principals and places duties and obligations on Data Fiduciaries and Data Processors in the context of Digital Personal Data.
What is Digital Personal Data?
The Act defines it as identifying data of individuals in digital format, which includes names, addresses, locations, phone numbers, and demographic data like age and gender. Very importantly, it pertains to all Indian Residents.
Who are Data Principals?
This is a simple one. The individuals who are identified by the Digital Personal Data are Data Principals. They are the ‘owners’ of their own data. They have rights that give them the ability to manage how their data is stored and used. There are a couple of identified types of Data Principals that are afforded greater protections. These are children and handicapped people. Something for us to keep in mind as we dive deeper into this subject.
Data Principals also have responsibilities like the responsibility to provide authentic info; to not impersonate; not to file false grievances; to verify info; to comply with law; and to use their rights responsibly.
That leaves Data Fiduciaries and Data Processors. Who are they? They are the impacted stakeholders since this act places duties and obligations on them. Let’s explore that.
A close study of the Act reveals Data Fiduciaries as the principal actors, the ones with most of the responsibility, because they are the ones that “determine the purpose and means of processing of Personal Digital Data”.
Fiduciaries are the ones that determine what Digital Personal Data is required, for what purpose, and how it will be processed. Processing includes how Digital Personal Data will be acquired, stored, used, shared, and deleted.
That brings in the Processors. As it says in the Act, the Fiduciaries determine the means of processing of personal data. This means that they can choose to process Digital Personal Data themselves or hire sub-contractors. They can use Processors for any or all of the tasks involved in processing data, i.e. any of acquiring, storing, using, sharing, and deleting, or related tasks.
Criteria for applicability of DPDPA
Understanding these definitions helps us frame the questions we must ask ourselves to determine whether DPDPA applies to us. There are only two key questions.
- About being a Fiduciary: Does my company have a use for Digital Personal Data of individuals that are residents of India? If yes, then I am a Data Fiduciary. If not, then…
- About being a Processor: Is my company involved in any part of processing Digital Personal Data of Indian Resident Individuals on behalf of another entity?
Who does DPDPA apply to? Does DPDPA apply to my company?
The quick answer. It applies to every company. And yes, it applies to your company.
Let me ask you a few simple questions. Ones that I asked myself.
Do I have employees? Yes.
Do they live in India? Yes.
Do I pay them salaries? Yes.
Do I process their salaries electronically? Yes.
In order to pay them I need to have their Personal Data.
Therefore, DPDPA applies to my company.
This is the simplest case. But it establishes our duties and obligations.
Now, it is just a question of – “to what extent does DPDPA apply”. If my company provides products or services to Individuals or helps other companies, then it is quite likely that my company is engaged in one or more tasks of processing Digital Personal Data. That increases the obligations that my company is likely to have under DPDPA.
If my company processes Digital Personal Data at scale, then my company could be a Significant Fiduciary, which increases our obligations even more.
I will talk about the extent of our obligations and what we need to do to meet these obligations in a forthcoming blog.

