DPDP Act, 2023: Key Roles and Responsibilities for Data Processors in India’s Healthcare Sector

Under India’s Digital Personal Data Protection (DPDP) Act, 2023, a Data Processor is defined as any individual or organization that processes personal data on behalf of a Data Fiduciary (the entity determining the purpose and means of processing). The DPDP Act applies to both Indian and foreign organizations processing personal data within India, or processing the data of Indian citizens, making it particularly relevant for entities that handle outsourced data processing functions.

Roles & Responsibilities of Data Processors under the DPDP Act

  1. Processing Personal Data on Behalf of Data Fiduciaries: Data Processors act as intermediaries, performing data processing tasks such as data collection, storage, retrieval, and analysis based on the instructions of the Data Fiduciary. They have no autonomy over the purpose of data usage, which remains the responsibility of the Data Fiduciary.
  2. Following Data Fiduciary Instructions: The DPDP Act mandates that Data Processors follow strict guidelines provided by the Data Fiduciary and are prohibited from using personal data for any unauthorized purposes. This means that Data Processors are not entitled to determine how data is used and must restrict data processing solely to purposes defined by the Data Fiduciary.
  3. Implementing Security Safeguards: Data Processors are required to maintain a secure environment for data processing, which includes establishing technical and organizational security measures to prevent data breaches, unauthorized access, and data corruption. They must follow cybersecurity standards, encryption protocols, and access controls as stipulated by the DPDP Act and relevant cybersecurity guidelines.
  4. Assisting Data Fiduciaries with Compliance: Data Processors must cooperate with Data Fiduciaries in ensuring compliance with the DPDP Act. This includes assisting with data subject requests (such as access, correction, or deletion of personal data), breach notification procedures, and any data audits required by regulatory authorities.
  5. Contractual Requirements: The relationship between a Data Fiduciary and a Data Processor must be formalized through a contract that outlines all compliance, security, and data handling obligations as per the DPDP Act. The contract should also establish the Processor’s liability in the case of non-compliance or data breaches.

Obligations of Data Processors under the DPDP Act

  1. Data Security and Confidentiality: The DPDP Act imposes stringent obligations on Data Processors to implement and maintain data security protocols to safeguard personal data. Data Processors must take proactive measures to ensure data confidentiality, integrity, and availability.
  2. Data Minimization and Purpose Limitation: Although mainly the responsibility of Data Fiduciaries, Data Processors must ensure they only process the minimum amount of data necessary for the purposes instructed by the Data Fiduciary. They are obligated to avoid processing beyond the stipulated purpose and minimize unnecessary data storage.
  3. Breach Notification: If a Data Processor detects any data breach or unauthorized access, it must promptly notify the Data Fiduciary, which is then responsible for notifying the Data Protection Board and affected individuals. This obligation ensures rapid action to mitigate risks and comply with legal reporting requirements.
  4. Retention and Deletion: Data Processors must follow Data Fiduciary instructions on data retention periods and the secure deletion or anonymization of data once the purpose of processing is achieved or when retention is no longer necessary.
  5. Data Subject Rights Facilitation: Data Processors are obligated to assist Data Fiduciaries in enabling data subject rights, including the rights to access, correction, and deletion of data. Although Processors do not directly interact with data subjects, they are crucial in supporting the Fiduciary’s response to these requests.

Penalties for Non-Compliance by Data Processors

  1. Financial Penalties: Under the DPDP Act, Data Processors can be penalized up to ₹250 crore for non-compliance. This is particularly relevant for breaches of data security and unauthorized use of data, which the law seeks to strictly control. Penalties vary based on the severity and impact of the non-compliance.
  2. Legal and Reputational Consequences: Non-compliance may result in contractual breaches with Data Fiduciaries, leading to loss of business, potential litigation, and damage to reputation, especially if sensitive personal data is compromised.
  3. Obligations in Data Breach Incidents: Data Processors must respond promptly to Data Fiduciary notifications in the event of a breach and may be subject to regulatory review if their actions contributed to the breach. Failing to comply with breach protocols may result in increased liability.

Comparison of Data Processor Requirements with Global Privacy Laws

GDPR (European Union):

  • Under the GDPR, Data Processors are similarly required to follow strict processing instructions from the Data Controller, ensure data security, and comply with contractual obligations. Unlike DPDP, GDPR places a greater emphasis on accountability and demonstrable compliance, requiring Data Processors to maintain records of processing activities.
  • The GDPR imposes steep fines for non-compliance, up to 4% of annual global turnover or €20 million, whichever is higher.
  • GDPR allows for Data Protection Impact Assessments (DPIAs), which may involve Data Processors in identifying and mitigating processing risks. The DPDP Act, while less explicit, encourages risk-based security.

CCPA/CPRA (California, USA):

  • Under CCPA/CPRA, Data Processors, known as “Service Providers,” are similarly required to follow the directives of the Data Controller. However, CCPA/CPRA focuses more on consumer rights, and Service Providers have fewer explicit security obligations than under the GDPR and the DPDP Act.
  • The penalties under CCPA/CPRA are lower than those under the GDPR and the DPDP Act, but the law includes a private right of action, allowing individuals to sue for data breaches and potentially exposing Data Processors to litigation.

PIPEDA (Canada):

  • In Canada, PIPEDA regulates Data Processors (referred to as “third-party processors”), emphasizing similar principles of accountability, data security, and limited use. PIPEDA does not impose fines as high as those under the GDPR or the DPDP Act, but it mandates compliance with Canada’s security breach notification requirements.
  • PIPEDA has a focus on consent management, and third-party processors are required to support Data Controllers in respecting individual privacy rights.

PDPA (Singapore):

  • Singapore’s Personal Data Protection Act (PDPA) requires Data Processors to comply with the data protection guidelines set forth by the Data Controller, with a focus on data security and breach notification. However, unlike the DPDP Act and the GDPR, the PDPA takes a more lenient approach to data minimization and purpose limitation.
  • Penalties under the PDPA are also lower than under the GDPR, but they can still result in significant financial consequences for Data Processors if compliance lapses.


The DPDP Act positions India alongside global privacy laws in emphasizing the protection of personal data, placing significant obligations on Data Processors to enhance data security and confidentiality. By aligning with international standards, the DPDP Act ensures that Data Processors play an essential role in the broader compliance framework, reinforcing the trust and security in India’s digital ecosystem.

Dheeraj Khatore

Chief Executive Officer & Vice President | BoD AACI America | CIO

1 week

Very informative

要查看或添加评论,请登录