PwC | The Digital Personal Data Protection Act, 2023
Data fiduciary’s obligations
Reference to the Act
Guardian consent and processing children’s personal data (Chapter II, Clause 9)
Before processing any personal data of a child or a person with disability who has a lawful guardian, verifiable consent of the parent of such a child or the lawful guardian must be obtained.
A data fiduciary shall not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
A data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
• Guardian/parental consent would help in creating more awareness, along with an additional layer of safeguarding to protect children from online risks.
• Organisations must put in place measures to authenticate/verify the identity of a parent/guardian.
• This would further the cause of protecting children in the Indian digital space, ensure a standard practice and enhance the level of security.
Additional obligations of significant data fiduciary (SDF) (Chapter II, Clause 9)
Right to correction and erasure of personal data
• The Central Government may notify any data fiduciary as an SDF based on the assessment of relevant factors such as the volume and sensitivity of personal data processed, risk to the rights of data principal and the potential impact on the integrity of India.
Such an SDF shall:
• appoint a Data Protection Officer
• appoint an Independent Data Auditor
• undertake compliance measures including Data Protection Impact Assessment (DPIA).
• The Act introduces additional obligations for a significant data fiduciary, as it processes data which merits higher protection due to its sensitive nature.
• Unauthorised disclosure of such data would create significant risks to the fundamental rights and freedom of data principals.
• The DPO should be able to perform their duties and tasks in an independent manner. They should report directly to the highest management level of the organisation.
• As the board’s primary functions include inquiring into breaches, directing measures and imposing penalties, the data fiduciary must respond appropriately to the board's inquiry requests.
[Figure labels: Guardian consent and children’s data processing; Additional obligations of significant data fiduciary; Data privacy impact assessments; Independent data audits; Data protection officer]