Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries

This article is part of a series on the operational impacts of India's DPDPA. The full series can be accessed here.


Published: July 2024



Though India's Digital Personal Data Protection Act is not yet in effect, it has introduced the concepts of data fiduciaries and significant data fiduciaries, among others.

Section 2(i) defines a data fiduciary as any individual who, independently or in collaboration with others, determines the purpose and means of processing personal data. In essence, a data fiduciary is responsible for determining how personal data is collected and processed.

On the other hand, Section 2(z) defines a significant data fiduciary as a data fiduciary or a class of data fiduciaries that may be designated by the central government based on an assessment of certain factors, including the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the state, and public order.

Data audits under the DPDPA will be vital for organizations collecting, using and storing personal data. Regular audits can mitigate potential legal risks, prevent security incidents and data breaches, and protect data principals' rights.


Data audit

In general, an audit involves a review of an organization's systems, processes or procedures to ensure accuracy and compliance. A data-specific audit, however, typically involves a detailed review of an entity's data governance framework, including its policies, procedures and methods for data collection, classification, processing, retention, erasure and breach response. To ensure all personnel are aware of their statutory data protection obligations, data auditors may also review an organization's training and awareness programs.

The existing data protection regime under Rule 8(4) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules states a body corporate — which includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities — will have complied with the standard or codes of best practices for data protection under the rules, provided they have been audited by government-approved independent auditors at least once a year or when internal process systems have been significantly upgraded.


Obligations of a significant data fiduciary

Section 10 of the DPDPA imposes certain obligations on the significant data fiduciary, in addition to those of a data fiduciary. These include appointing an India-based data protection officer to represent the significant data fiduciary, report to the board of directors and serve as a primary point of contact for grievance redressal; appointing an independent data auditor to facilitate audits and evaluate the significant data fiduciary's DPDPA compliance; and conducting periodic data protection impact assessments to evaluate the processing of personal data, risks to data principals' rights and such other measures as may be prescribed under the DPDPA.

Note that penalties for noncompliance with, or breach of, a significant data fiduciary's additional obligations may extend up to INR150 crore.

While the central government has yet to provide specific rules and procedures under the DPDPA, it is safe to assume the audit process will involve an assessment of a significant data fiduciary's data protection mechanisms and compliance with the DPDPA, with the intent to identify noncompliance and provide recommendations to ensure protection of data principals' rights.

Assessments are likely to involve an auditor's examination of the significant data fiduciary's documentation, like privacy policies, data transfer and processing agreements, and activities including data collection, processing and storage. The auditor may also assess the significant data fiduciary's technical and organizational measures for information security, such as appropriate certifications, data access controls and data encryption measures.

To test effectiveness and formulate mitigation strategies, an auditor may also verify a significant data fiduciary's response time and the procedures it has in place for data security incidents.

The DPDPA also states the significant data fiduciary must undertake a periodic DPIA to evaluate the processing of personal data and risks to data principals' rights. In this regard, while undertaking a DPIA, a significant data fiduciary may consider the categories of personal data collected, activities related to its collection, processing or storage, and potential security incidents.

Data audits under the DPDPA aim to streamline procedures for a significant data fiduciary's collection, use and disclosure of personal data, further ensuring protection of a data principal's rights.

Noncompliance may result in significant penalties. A data audit will assist a significant data fiduciary in identifying potential gaps in its data protection framework, thus reducing the risk of incurring such penalties. Further, audits help significant data fiduciaries minimize the possibility of data security incidents resulting from unauthorized access or breaches. They also promote transparency and accountability of a significant data fiduciary's data processing practices by ensuring personal data is collected and handled in a secure and ethical manner.

In the absence of rules and procedures under the DPDPA, consider incorporating the following measures while conducting a data audit:

  • Clearly outline the audit scope with respect to the relevant data involved, including processing to be done and the infrastructure to be used.
  • Review relevant documentation related to processing activities, including privacy policies, vendor data processing agreements and data flow maps.
  • Assess statutory compliance by ensuring that accurate and necessary personal data is collected and processed for specified legitimate purposes, and that such data is retained only for the duration necessary for the purpose.
  • Identify potential deficiencies, then develop and implement strategies to address the gaps, including policy updates and organizational changes, to ensure DPDPA compliance.
  • Schedule periodic data audits to ensure ongoing compliance.

Data audits in other jurisdictions

Much like Section 10 of the DPDPA, which draws inspiration from the EU General Data Protection Regulation, GDPR Article 28(3)(h) imposes an obligation on the processor to make all information necessary to demonstrate compliance with the law available to the controller and permit audits by the controller. This enables the controller to verify compliance with the applicable provisions of the GDPR.

The European Data Protection Board released guidelines on the concepts of controller and processor in the GDPR, setting out certain recommendations for clauses to be included in a data processing agreement. The guidelines state the data processing agreement must entail obligations on communication of information from the processor to the controller to ensure the controller is aware of the processing activities at all times.

Per the EDPB, the audit is intended to ensure the controller is always fully informed of the processing activities and the technical security measures adopted by the processor. The guidelines state the processor may suggest an auditor, but the controller retains the right to make the final decision regarding the processor's suggestion, which will also include the right to contest the nature, process and outcome of the audit.

Based on the outcome, the controller may request that the processor implement appropriate measures required to comply with the GDPR. The EDPB also suggests concerned parties refrain from incorporating disproportionate clauses on costs associated with audits. The EDPB noted Article 28(3)(h) of the GDPR already requires the processor to provide the controller with all the necessary information for the purposes of an audit. Imposing excessive costs would be counterproductive and would discourage parties from conducting audits, further defeating the purpose of Article 28(3)(h).


Conclusion

In the digital economy era, the DPDPA is expected to play a crucial role in safeguarding individuals' right to privacy by ensuring personal data is handled securely and ethically.

Data audits uphold this principle by holding organizations accountable for personal data processing.

Given the strict compliance requirements around collecting, processing and storing personal data, it is important for business entities operating in India to conduct compliance audits under the DPDPA to identify any deficiencies and implement remediation strategies to ensure compliance with the country's ever-evolving legal landscape.


The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.
