Digital Personal Data Protection Act, 2023: Implications and Impact on Research Analysts and Investment Advisers
- CA Tarun Nagpal
- Dec 17, 2025

In this article we explore the impact of the Digital Personal Data Protection Act on SEBI-registered research analysts (RAs) and investment advisers (IAs).
Before we start, it is essential to understand a few key terms under the Act, in simpler terms:
Data Principal - The individual to whom the personal data belongs. In the case of a child or a person with disability, it includes the lawful guardian. (For a SEBI RA/IA, it means the clients whose personal data the RA/IA processes.)
Data Fiduciary - The person who processes the personal data himself or with the help of a data processor. (It means the SEBI RA/IA who is processing the client's personal data.)
Data Processor - Any person who processes personal data on behalf of a data fiduciary. (For a SEBI RA/IA, it means a third party that processes the data on the RA/IA's behalf, such as payment aggregators, client onboarding platforms, any third-party SaaS-based CRM, etc.)
Personal Data - Any data about a person who is identifiable by or in relation to such data, e.g. PAN, Aadhaar, email IDs, phone number, social media IDs, address, IPs, cookies, behavioral data, biometrics, etc. All of these can identify or relate to a person.
General Principle of the Digital Personal Data Protection Act, 2023 (DPDP Act)
The DPDP Act creates an obligation on the data fiduciary to take explicit consent before processing personal data. The consent must be preceded by a clear notice stating the purpose for which the data will be processed. The consent must be free, specific, informed, unambiguous and affirmative.
Is an RA/IA required to take explicit consent before processing the personal data of clients?
The key obligation, in keeping with the intent, spirit and responsibilities under the DPDP Act, is to take consent before processing the personal data of clients. However, section 7 of the DPDP Act provides for DEEMED CONSENT, as opposed to the EXPLICIT CONSENT under section 6 of the same Act.
Section 7 of the DPDP Act allows processing of digital personal data without taking explicit consent, provided it is processed for certain legitimate uses mentioned under section 7. For the purposes mentioned under section 7, it will be treated as deemed consent.
Section 7(d) provides a safeguard that relieves SEBI RAs/IAs from taking explicit consent for processing digital personal data. It states that a data fiduciary (i.e. a SEBI RA/IA) may process data for fulfilling any obligation under any law for the time being in force in India.
To simplify, SEBI RAs/IAs take email IDs and phone numbers for the purpose of client onboarding and sending T&C for consent, including payment processing. SEBI RAs/IAs also collect PAN data for the purpose of doing a KYC check. Both of these processes, i.e. T&C consent and the KYC check, are well-defined processes under law, i.e. the SEBI RA regulations and related guidelines. Therefore, email ID, phone number and PAN are collected for fulfilling an obligation under law, i.e. the SEBI regulations. Consequently, in our opinion, explicit consent under regulation 6 is not required to be taken from the client, and such processing of digital personal data received from the client falls under deemed consent under section 7(d) of the DPDP Act, 2023.
Although explicit consent need not be taken from the client by a SEBI RA/IA, as mentioned in the paragraph above, there are certain obligations of the data fiduciary (the SEBI RA/IA) that must be fulfilled regarding digital personal data taken from clients, irrespective of the fact that such digital personal data is processed under deemed consent.
Obligations of SEBI RAs/IAs under the DPDP Act, 2023
Under the DPDP Act, SEBI RAs/IAs are responsible for compliance with the Act for all processing of digital personal data, whether by themselves or by data processors on their behalf.
There must be a proper contract between the SEBI RA/IA and the third-party platforms processing client data on its behalf. The contract must set out the details of processing activities, retention, security and breach obligations.
The SEBI RA/IA's system must validate commonly used fields such as address, mobile number and email ID, and there must be automated checks for outdated fields or conflicting records.
There must be a digital personal data processing policy covering data protection, access control, breach response, vendor management and encryption.
Employees who handle personal data must be trained regularly.
Security safeguards for the data must be ensured through encryption, masking, access control, logging and security monitoring, backup and disaster recovery, and incident detection and response.
Personal data logs must be maintained for a minimum of one year.
Data must be erased when it is no longer required for the purpose.
Publish the contact information of the authorized contact person, and establish and maintain an effective grievance redressal system accessible to clients.
We hope that this article will help you implement the requirements under the DPDP Act, 2023.
Compliancify Consulting has been at the forefront of compliance and legal requirements. Our experts can help you implement effective policies and requirements under the DPDP Act, 2023. Get in touch or book a consultation with our team.



