India's Digital Personal Data Protection (DPDP) Act represents a major overhaul in regulation of personal data. It mandates strict rules and penalties for businesses to ensure data privacy and security. The Act draws a critical distinction between Data Fiduciaries (those who determine how and why data is processed) and Data Processors (those who process the data on behalf of a fiduciary). Understanding the differences between these roles is vital for businesses that collect, handle, and share personal data.
Unlike the GDPR, the DPDP Act places nearly all obligations on fiduciaries and very few on processors.
Regardless, the line between processor and fiduciary can become blurry at times, and one misstep can turn your role from data processor into data fiduciary. This automatically attracts all the obligations that come with the fiduciary tag. Even otherwise, processors have their fair share of responsibilities arising in the wake of the new DPDP regime.
Who is a Data Processor?
Under the DPDP Act, a Data Processor refers to any person or entity that processes personal data on behalf of a data fiduciary, without determining the purpose or means of processing. This can cover a wide range of services including aggregators, cloud providers, payment processors, or marketing automation tools.
There are two ways in which data processors can be involved in processing personal data:
Upstream Processors: These entities collect data directly from users on behalf of another business, such as a marketing agency collecting customer consent for email campaigns.
Upstream processors are tasked with collecting data and valid consents for that data on behalf of the fiduciary. B2B2C aggregators such as Google Play Store, Zomato, Makemytrip or Amazon are prime examples of upstream processors. Read more on DPDP compliance for aggregators here.
Downstream Processors: These entities process data based on the fiduciary’s instructions, such as payroll providers handling employee salary disbursements for a company. Downstream processors are tasked with running consent checks to ensure all of their processing activities happen on the basis of valid consent or other grounds of processing under the DPDP Act.
For instance, an HR outsourcing firm managing employee data must not decide how the data is used but should merely follow the company's instructions. If the outsourcing firm starts using employee data for its own marketing purposes, it becomes a fiduciary and must now collect its own purpose specific consent to continue processing without breaching the DPDP Act.
Data Protection Compliance for Processors
Data processors have very limited obligations directly arising from the text of the DPDP Act. However, with the high pressure of strict data protection rules and penalties imposed on the fiduciaries, we expect legal obligations for processors to arise out of contractual and other arrangements with fiduciaries and data principals.
1. Contractual Obligations
Fiduciaries are tasked with ensuring data protection compliance on the end of their processors. To ensure such compliant processing, data processors are likely to be bound by Data Processing Agreements (DPAs). These are contracts between the fiduciary and processors, spelling out detailed processing instructions, obligations, and liabilities of the processor. While there are no direct liabilities for the processor under the DPDP Act, the cost of breaches may be transferred onto them in the form of damages or penalties agreed to in the DPA.
A well-drafted DPA typically includes:
- Clear definitions of roles and responsibilities,
- The nature and purpose of processing,
- The types of personal data being processed,
- Duration of the data processing,
- Specific instructions regarding the storage, access, and use of data,
- The requirement that the processor must assist the fiduciary in complying with data principals’ rights, such as the right to access, correction, or erasure,
- Sub-processor agreements, ensuring downstream processors adhere to the same rules,
- Detailed security standards,
- Breach notification timelines, with a maximum of 72 hours for notification,
- Specifics on data transfer protocols, especially if the processor is based in another jurisdiction.
For instance, it would be advisable for a bank working with an outsourced cloud storage provider to clearly outline in the DPA that the provider can only store and secure the data, without analyzing or processing it for other purposes. It is also recommended that processors must not subcontract without prior approval, and any subcontractor should adhere to the same data protection standards.
2. Infosec Measures
The highest quantum of penalties in the DPDP Act are reserved for breaches of personal data and failure to take security measures. Fiduciaries are likely to include liability clauses in DPAs that will require data processors to implement robust technical and organizational security measures to ensure data protection. This could include a full suite of security protocols, including encryption, network security, regular penetration testing, and access controls, to ensure the data they handle is protected from breaches or unauthorized access.
Further, regular audits and penetration testing are crucial to identifying weaknesses. These tests simulate potential attacks on systems, allowing processors to patch vulnerabilities before malicious actors exploit them. For instance, a cloud service provider may undergo quarterly audits to ensure its security measures are up-to-date, ensuring compliance with both the DPDP Act and international standards like ISO/IEC 27001.
A structured, layered approach to security would allow data processors not only to comply with the legal obligations under the DPDP Act and DPAs, but also to protect the businesses they serve from the devastating financial and reputational damage that can follow a data breach.
3. Data Deletion
The DPDP Act mandates that personal data be deleted when it is no longer required or when the data principal withdraws consent. This requires processors to maintain efficient systems for tracking the data lifecycle and to ensure timely deletion. Since this will always be an ongoing process, deletion must be automated so that every consent withdrawal from the user or deletion instruction from the fiduciary is acted on promptly.
It would be wise to include specific clauses on data deletion within the DPAs themselves. This might involve:
- Setting clear policies for data retention and data disposal based on the agreed terms,
- Automation of data deletion processes when the contractual obligation ends or the consent expires,
- Ensuring that backups and archives are also wiped after the retention period ends.
For example, a telecom company might contract a data processor to manage customer complaints. Once the complaint is resolved and the data no longer needed, the processor must delete the customer’s personal data. However, data must be retained if required by another law such as RBI circulars, TRAI directions or other legal mandates.
4. When Processors become Fiduciaries
Under the DPDP Act, the roles of data processors and data fiduciaries are distinct, but a data processor can quickly become a data fiduciary if it crosses certain boundaries in processing. As soon as a processor starts making its own decisions about the personal data, it takes on fiduciary responsibilities.
Consider a cloud storage provider, which is typically classified as a data processor, storing data for an e-commerce platform. As a processor, its role is limited to storing the data securely based on the instructions provided by the fiduciary. However, if this cloud provider decides to use the stored customer data for its own analytics, targeting, or any other purpose that it determines itself, it shifts from being a processor to a fiduciary. Now, the cloud provider will be responsible for the consequences of data misuse, data breaches, and non-compliance with privacy laws.
Similarly, a third-party marketing automation tool processing customer data for an online retailer is typically just a processor. But if it starts analyzing the customer data to create its own marketing insights or begins sending out campaigns without the retailer's direct approval, it transitions into the fiduciary role. At that point, it is no longer just following instructions but making decisions about the data’s use.
As soon as the fine line is crossed and a processor becomes a fiduciary, these are some of the obligations that apply:
- Consent Management: As a fiduciary, the entity must now ensure that explicit consent has been obtained from the data principals for every processing activity. This means obtaining consent for the purposes and methods of processing personal data, and the fiduciary must ensure that the consent is freely given, informed, and easily revocable.
- Rights Management: The fiduciary must provide data principals with all the rights promised under the DPDP Act, including the right to access, correction and deletion of data, and grievance redressal. To fulfill these rights in a timely manner, businesses will need to set up clear procedures, such as an accessible portal for data requests and automated response systems, and designate a Data Protection Officer (DPO) or other person to handle queries and grievances.
- Data Minimization and Purpose Limitation: Fiduciaries must ensure that they are collecting and processing only the minimum amount of data necessary for the purpose at hand. This requires businesses to regularly audit their data collection practices to avoid excess data gathering and ensure that the information is strictly used for the intended purpose. They must also implement data classification tools to monitor usage, preventing any unauthorized repurposing.
- Breach Notification and Penalties: Fiduciaries are responsible for notifying the Data Protection Board (DPB) and the affected individuals in case of a breach. To effectively manage this, businesses need to establish a breach response protocol that includes real-time monitoring, rapid incident assessment, and a communication strategy to meet the legal deadlines for notification. Failure to comply can result in penalties of up to ₹250 crore per instance under the DPDP Act.
- Accountability for Vendors: A fiduciary is responsible not only for its own data processing activities but also for ensuring that its third-party vendors, partners or any other processors are compliant with the DPDP Act. Businesses must therefore include stringent data protection clauses in contracts with vendors, conduct regular audits, and require vendors to adhere to the security standards and data management practices outlined in the Act.
Best Practices for Businesses
Businesses need to adopt a proactive approach when hiring or acting as data processors to ensure compliance and mitigate risks. By implementing the following strategies, businesses can safeguard personal data, uphold legal obligations, and build trust with stakeholders.
1. Carry Out Vendor Due Diligence
Before engaging a data processor, businesses should conduct a thorough vetting process to ensure the vendor’s compliance with relevant data protection laws and their ability to meet security standards. This includes:
- Security Certifications: Look for vendors with recognized data security certifications such as ISO/IEC 27001.
- History of Compliance: Review past compliance history, previous data breaches, and audit reports to assess risk.
- Data Flow Understanding: Ensure the processor understands the flow of data and the specific requirements of your industry.
A healthcare organization may choose a third-party billing service that has a track record of compliance with both DPDP and the Health Insurance Portability and Accountability Act (HIPAA) if they also operate internationally.
2. Conduct Regular Audits
Continuous monitoring of data processors is critical to maintaining data security. Businesses should conduct regular audits to assess whether their processors are complying with the agreed security measures and DPDP regulations. This can include:
- Third-party Audits: Hiring an independent auditor to evaluate the data processor’s practices.
- Penetration Testing: Simulating cyberattacks on the processor’s systems to identify vulnerabilities.
- Compliance Reviews: Ensuring that the processor is adhering to data deletion, consent management, and security protocols as outlined in the DPDP Act.
For instance, a logistics company using a fleet management tool that stores driver information might conduct an annual audit to ensure that no unauthorized individuals are accessing or processing data.
3. Automate Data Deletion Processes
The DPDP Act places heavy emphasis on data minimization and retention limits. To ensure compliance, businesses should automate the process of data deletion when consent is withdrawn or the data is no longer needed for its original purpose.
- Data Lifecycle Management: Implement systems that automatically track and manage the lifecycle of data.
- Retention Schedules: Create clear policies for data retention and disposal, tailored to industry-specific legal requirements.
An e-commerce platform could automate the deletion of customer transaction records after a specified retention period or when the customer closes their account, ensuring compliance without manual intervention.
4. Prepare for Breach Responses
Processors and fiduciaries should have a predefined response plan in case of a breach, which includes:
- Real-Time Monitoring: Implement systems to detect and respond to breaches in real-time.
- Notification Protocols: Ensure the processor understands their role in notifying the data fiduciary immediately in case of a breach. The fiduciary is then responsible for notifying the DPB and the affected principals.
For example, a payment gateway company must notify its partnering online retailer within a specific time frame after detecting unauthorized access to transaction data. This allows the retailer to notify the DPB and affected customers within the legally mandated 72-hour period.
5. Adopt Strong Consent Management Systems
For upstream processors, where consent is collected, it is vital to implement a robust consent management system that verifies, stores, and manages consents securely. Data processors need to ensure that the consents are valid, traceable, and revocable.
- Granular Consent Collection: Ensure that the processor collects specific and informed consent for each processing activity.
- Revocation Mechanisms: Develop automated systems that allow users to easily withdraw consent and trigger data deletion processes accordingly.
For instance, an aggregator like Amazon must ensure that its third-party sellers are collecting and managing consent for any marketing communications sent to customers, while offering customers the ability to withdraw that consent at any time.
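The deletion and consent passages above (automated deletion on consent withdrawal, retention schedules, wiping backups, the carve-out for data that another law requires you to keep, and a consent ledger whose revocations are traceable) describe one mechanism from two angles. The following Python block is an added example, not code from the original post or from any product it mentions: a small consent ledger plus a retention-driven deletion scheduler. The record layout, the retention periods, the `legal_hold_until` marker standing in for a sectoral retention mandate, and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention schedule per processing purpose (constructed values, not from the Act).
RETENTION_DAYS = {"complaint_handling": 90, "marketing": 365}


@dataclass
class Consent:
    """Ledger entry: who consented, for which purpose, and when (if) it was withdrawn."""
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def valid_at(self, when: datetime) -> bool:
        # Valid from grant until withdrawal; a withdrawn consent is never revived.
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


@dataclass
class Record:
    """A personal-data record held by the processor on the fiduciary's behalf."""
    record_id: str
    principal_id: str
    purpose: str
    created_at: datetime
    # Hypothetical marker: another law requires retention until this date, so the
    # record must not be deleted while the hold is in force.
    legal_hold_until: Optional[datetime] = None


@dataclass
class Decision:
    record_id: str
    action: str   # "delete", "retain_legal_hold" or "retain"
    reason: str


def has_valid_consent(consents, principal_id, purpose, when):
    return any(c.principal_id == principal_id and c.purpose == purpose and c.valid_at(when)
               for c in consents)


def schedule_deletions(records, consents, fiduciary_instructions, now):
    """Decide for every record whether it must be deleted now, and record why."""
    decisions = []
    for r in records:
        expiry = r.created_at + timedelta(days=RETENTION_DAYS[r.purpose])
        if r.record_id in fiduciary_instructions:
            reason = "deletion instructed by fiduciary"
        elif not has_valid_consent(consents, r.principal_id, r.purpose, now):
            reason = "consent withdrawn or never granted"
        elif now >= expiry:
            reason = "retention period expired"
        else:
            decisions.append(Decision(r.record_id, "retain", f"in retention until {expiry.date()}"))
            continue
        # A deletion trigger does not override a retention mandate under another law.
        if r.legal_hold_until is not None and now < r.legal_hold_until:
            decisions.append(Decision(r.record_id, "retain_legal_hold",
                                      f"{reason}, but held until {r.legal_hold_until.date()}"))
        else:
            decisions.append(Decision(r.record_id, "delete", reason))
    return decisions


def apply_deletions(decisions, primary_store, backup_store):
    """Purge records marked for deletion from both the live store and the backup copy;
    return an audit trail (record, reason, stores purged) for the fiduciary."""
    audit = []
    for d in decisions:
        if d.action != "delete":
            continue
        purged = [name for name, store in (("primary", primary_store), ("backup", backup_store))
                  if store.pop(d.record_id, None) is not None]
        audit.append((d.record_id, d.reason, purged))
    return audit


# --- constructed sample data ------------------------------------------------
def utc_day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = utc_day(2025, 1, 1)
CONSENTS = [
    Consent("p1", "complaint_handling", utc_day(2024, 9, 1)),
    Consent("p2", "marketing", utc_day(2024, 12, 1), withdrawn_at=utc_day(2024, 12, 20)),
    Consent("p3", "complaint_handling", utc_day(2024, 8, 1)),
    Consent("p4", "marketing", utc_day(2024, 11, 15)),
]
RECORDS = [
    Record("r1", "p1", "complaint_handling", utc_day(2024, 9, 1)),   # 90-day retention elapsed
    Record("r2", "p2", "marketing", utc_day(2024, 12, 1)),            # consent withdrawn
    Record("r3", "p3", "complaint_handling", utc_day(2024, 8, 1), legal_hold_until=utc_day(2026, 1, 1)),
    Record("r4", "p4", "marketing", utc_day(2024, 11, 15)),           # still within retention
    Record("r5", "p4", "marketing", utc_day(2024, 12, 10)),           # fiduciary instructs deletion
]
FIDUCIARY_INSTRUCTIONS = {"r5"}


def run_example():
    decisions = schedule_deletions(RECORDS, CONSENTS, FIDUCIARY_INSTRUCTIONS, NOW)
    primary = {r.record_id: r for r in RECORDS}
    backup = {r.record_id: r for r in RECORDS}
    audit = apply_deletions(decisions, primary, backup)
    return decisions, audit, primary, backup


if __name__ == "__main__":
    decisions, audit, primary, backup = run_example()
    for d in decisions:
        print(f"{d.record_id}: {d.action} ({d.reason})")
    print("audit trail:", audit)
    print("remaining:", sorted(primary), sorted(backup))
```

Run as a script, it deletes r1 (retention expired), r2 (consent withdrawn) and r5 (fiduciary instruction) from both stores, keeps r4 (still within retention) and flags r3 as "retain_legal_hold" even though its retention period has passed. The design point is that every decision carries a reason and the audit trail lists which stores were purged, which is what a fiduciary will ask for when it audits the processor's deletion process.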
6. Liability Insurance and Risk Management
Given the severe financial penalties under the DPDP Act (up to ₹250 crore per breach), businesses should consider liability insurance to cover potential risks. The DPA should also address risk-sharing between fiduciaries and processors, especially in terms of compensation in the event of a data breach.
A bank outsourcing data processing to a cloud provider might include clauses in the DPA that place responsibility for certain breaches on the processor and require the processor to hold insurance coverage to mitigate financial risks.
7. Stay Informed About Evolving Data Protection Standards
Data protection laws and regulations are constantly evolving, and it’s important for both fiduciaries and processors to stay up-to-date with these changes. Businesses should:
- Participate in Workshops: Engage with legal experts, regulators, and data protection bodies to understand any updates to the DPDP Act or its rules.
- Continuous Training: Ensure that both employees and processors undergo continuous training to stay compliant with the latest legal requirements.
- Read our Consent Blog: Gain practical insights, build compliant strategies and stay up to date with latest legal developments in the arena of data protection.
Next Steps
The Digital Personal Data Protection (DPDP) Act fundamentally alters how businesses in India must approach the processing of personal data. While the bulk of responsibility lies with data fiduciaries, data processors play a crucial role in ensuring the safety, security, and lawful processing of sensitive information. As businesses increasingly outsource critical functions to third-party processors, it is essential that they establish clear, comprehensive DPAs and implement robust security measures.
In a rapidly evolving regulatory environment, staying informed and proactive is key. Data processors must continuously align their operations with the DPDP Act by automating data deletion, conducting regular audits, and ensuring that consent management systems are effective and compliant. This strategic approach will not only help businesses navigate the complexities of data protection but also build trust with stakeholders and foster a culture of accountability and transparency in the digital age.