Rule 12: Additional Obligations of Significant Data Fiduciaries (SDFs)
Rule 12 sets out the enhanced responsibilities for Significant Data Fiduciaries (SDFs). These are entities identified by the Central Government on the basis of factors such as the volume and sensitivity of personal data processed, the potential impact on the rights of individuals, or concerns relating to sovereignty, integrity, or public order.
The obligations imposed on SDFs are designed to ensure a higher level of accountability, transparency, and risk management.
Under this rule, an SDF must:
- Conduct Data Protection Impact Assessments (DPIAs) to evaluate how its data processing activities affect the privacy of Data Principals.
- Undergo periodic independent audits to verify compliance with the Act and the Rules.
- Appoint a Data Protection Officer (DPO), who will be based in India and will serve as the point of contact for both the Data Protection Board and the Data Principals.
- Put in place governance measures to ensure that automated decision-making systems and algorithms do not cause harm or unfair treatment to individuals.
- Maintain comprehensive records of data processing activities, safeguards, and risk assessments, ready for inspection when demanded by the Board.
Example
A large social media platform processing millions of users’ photos, messages, and location details is highly likely to be classified as an SDF.
It will therefore need to appoint a DPO, conduct DPIAs before introducing new features such as AI-driven recommendation engines, and submit to independent audits to ensure that user privacy is not compromised.
The essence of Rule 12 is that organizations with greater access to personal data and greater ability to affect individuals’ lives must also bear greater responsibility.