General Obligation Of Data Fiduciary As Per Digital Personal Data Protection Act 2023

A data fiduciary is a person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. To ensure the protection and privacy of individuals' data, the Act outlines several essential obligations for data fiduciaries.

  1. Engagement of data processor: Data fiduciaries must engage, appoint, or involve data processors to handle personal data on their behalf through valid contracts. This ensures that data processing is carried out in compliance with the law.
  2. Data Accuracy & Completeness: Data fiduciaries are responsible for ensuring the completeness, accuracy, and consistency of personal data, especially when such data is used in decision-making processes affecting data principals or when shared with other data fiduciaries.
  3. Technical and organizational measures: Data fiduciaries are obligated to implement appropriate technical and organizational measures to effectively adhere to the provisions of the Act. These measures help safeguard personal data.
  4. Data security safeguards: Data fiduciaries are required to take reasonable security precautions to prevent personal data breaches. This includes implementing robust security measures to protect against unauthorized access or data leaks.
  5. Data breach notification: In the event of a personal data breach, data fiduciaries must promptly notify the regulatory authority (Board) and the affected data principals about the breach, ensuring transparency and accountability.
  6. Data Erasure: Data fiduciaries must erase the personal data of data principals upon withdrawal of consent or when the specified purpose for data processing is no longer relevant. This helps ensure that data is not retained unnecessarily.
  7. Instruction to Data Processor: Data fiduciaries must instruct the data processor to delete any personal data that was provided by the data fiduciary for processing once it is no longer required for the specified purpose.
  8. Publication of contact information: Data fiduciaries are required to publish the business contact information of their Data Protection Officer or a designated representative. This facilitates communication and allows data principals to raise questions or concerns regarding the processing of their personal data.
  9. Grievance redressal mechanism: Data fiduciaries must establish a mechanism to address and redress the grievances of data principals. This ensures that individuals have a means to seek recourse if they believe that their data protection rights have been violated.

The term “Significant Data Fiduciary” refers to any “Data Fiduciary” or a specific category of Data Fiduciaries as designated by the Government based on specific criteria, including:

  1. The volume and sensitivity of personal data processed.
  2. The potential risks to the rights of data principals.
  3. The potential impact on the sovereignty and integrity of India.
  4. The risks to the security of the state, electoral democracy, and public order.

Responsibilities of Significant Data Fiduciaries

  1. Appointment of a Data Protection Officer (DPO): Significant Data Fiduciaries are required to appoint a Data Protection Officer, who must be an individual located in India and accountable to the Board of Directors or a similar governing body. The DPO serves as the primary point of contact for the grievance redressal mechanism.
  2. Engagement of an Independent Data Auditor: Significant Data Fiduciaries must engage an Independent Data Auditor to conduct regular data audits.
  3. Conduct Periodic Data Protection Impact Assessments: These assessments are essential for evaluating the impact of data processing activities on data protection. Significant Data Fiduciaries should undertake these assessments periodically to ensure compliance with data protection regulations.


© 2025 DASGUPTA SANTANU & Co. All Rights Reserved.
