This is likely to increase compliance costs for technology giants such as Facebook, Google and Amazon. Clause 38 of the draft bill says anyone collecting data could be termed a ‘significant data fiduciary’ based on the volume of data processed, the sensitivity of the data processed and its turnover.
Factors such as the risk of harm in processing the data and the use of new technologies for processing data could also result in ‘significant data fiduciary’ classification.
A company classified as a significant data fiduciary would need to register with the new Data Protection Authority, undergo data protection impact assessments and data audits, keep records and create a data protection officer role. The bill also states that the authority could require any data fiduciary to follow the rules, even if not classified as a significant data fiduciary, if there is a risk that a person could be harmed through the processing of their data.
“Although audits and record keeping are seen as compliance costs, documentation keeping is really important in making sure privacy is not violated. It is about making companies accountable. Companies sometimes operating at scale may not know how the data is stored and shared,” said Public Policy Advisor at Mozilla Corp.
Annually, companies will have to undergo data audits where the auditor will check if the company is in compliance with the provisions of the Act. A data auditor may assign a rating in the form of a data trust score to the company.