One of the important aspects of DPDPA Rules that was being looked upto was regarding the identification of the “Significant Data Fiduciary” since many obligations including the need to designate the DPO emerges from the definition.
It is surprising that the draft rules meant for public discussion seems to be yet undecided in this aspect and requires an urgent correction to incorporate the details of how we can define a Significant Data Fiduciary. Naavi.org has discussed this issue several times (Refer here)
However the current draft of the rules only state the following in regard to the Significant Data Fiduciary.
Measures to be undertaken by the Significant Data Fiduciary.
(1) A Significant Data Fiduciary shall in addition to the measures provided under the Act undertake the following measures , namely:-
(a) Ensure that its Data Protection Officer shall be the point of contact for answering on its behalf, the questions, if any, raised by the Data Principal about the processing of her personal data
(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer: and
(c) Undertake the periodic Data Protection Impact assessment and the perioidic audit under the provisions of the Act at least once in every year.
(2) In this rule, the expression “every year” in relation to a Data Fiduciary, shall mean every period of one year reckoned from the date on which
(a) these rules come into force or
(b) such data fiduciary becomes a significant data fiduciary, whichever is later.
For some reasons this clause appears to be poorly constructed and requires urgent revision.
Firstly there is a need to define a “Significant Data Fiduciary” u/s 10(1) so that organziations can start preparing for designating a DPO and instituting measures for audit etc.
Secondly the responsibility of DPO cannot be stated as “Answering the questions of Data Principal”. It should be a responsibility to resolve the disputes of the data principal at the level of the Data Fiduciary and to be a point of contact for the DPB and to also be responsible for any inadequacies for compliance.
The current version of the rule appears to reduce the importance of the DPO to that of a help center manger. This is not keeping with the spirit of the Act and needs to be changed immediately before further discussion of the rules in the public domain.
Naavi
