Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries
This article provides insight on data audits for significant fiduciaries in relation to India's DPDPA.
Published: 25 July 2024
Last updated: 20 Jan. 2026
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
With the operationalization of India's Digital Personal Data Protection Act, 2023 and the phased implementation of the Digital Personal Data Protection Rules, 2025, the concepts of consent manager, data fiduciary and significant data fiduciary have been introduced, among other roles.
Section 2(i) of the DPDPA defines a data fiduciary as any individual who, independently or in collaboration with others, determines the purpose and means of processing personal data. In essence, a data fiduciary is responsible for determining how personal data is collected, stored and processed.
Further, Section 2(z) defines a significant data fiduciary as a data fiduciary, or a class of data fiduciaries, that may be designated by the central government based on an assessment of certain factors, including the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of the country, the risk to electoral democracy, security of the state, and public order.
Section 2(g) defines a consent manager as an entity registered with the Data Protection Board of India (DPBI) that serves as a single point of contact for data principals. This allows them to conveniently give, manage, review and withdraw their consent through an accessible and interoperable platform.
The law places critical responsibilities on significant data fiduciaries, data fiduciaries and consent managers when handling personal data. To ensure compliance, regular data audits have become essential. Under the DPDPA, data audits are vital for organizations to ensure that the collection, storage and processing of personal data is in line with the requirements of the act and rules. Regular audits can mitigate potential legal risks, prevent security incidents and data breaches, and protect the rights of data principals.
Data audits
In general, an audit involves a review of an organization's systems, processes and/or procedures to ensure accuracy and compliance. A data-specific audit, however, typically involves a detailed review of an organization's data governance framework, including its data collection, classification, processing, retention, erasure, breach response policies, consent procedures and other methods. To ensure all personnel are aware of their statutory data protection obligations, data auditors may also review an organization's training and awareness programs.
The existing data protection regime under Rule 8(4) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 states that a body corporate (which includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) is deemed to have complied with the standard or codes of best practices for data protection under the said rules, provided it has been audited by government-approved independent auditors at least once a year or whenever its internal process systems have been significantly upgraded.
Data audit under the DPDPA for significant data fiduciaries
Section 10 of the DPDPA imposes certain obligations on significant data fiduciaries in addition to those of data fiduciaries. These obligations include appointing an India-based data protection officer to represent the significant data fiduciary before the DPBI and to serve as the primary point of contact for personal-data-related queries and data principals' grievances. Additionally, the data protection officer shall also report to the board of directors of the significant data fiduciary. Further, significant data fiduciaries will be required to conduct periodic data protection impact assessments to evaluate the processing of personal data, analyze risks to data principals' rights and undertake such other measures as may be prescribed under the act and rules.
It must be noted that penalties for non-compliance with and/or breach of a significant data fiduciary's additional obligations may extend up to INR150 crore (approximately USD16 million).
Rule 13 of the DPDP Rules imposes additional obligations on significant data fiduciaries, requiring them to conduct a DPIA and data audit at least once every 12 months to ensure compliance and safeguard the rights of data principals. Once the DPIA and data audit are complete, the individual conducting them must submit a report to the DPBI, highlighting their observations from the assessment and audit.
Significant data fiduciaries are also required to ensure that any personal data specified by the central government is processed subject to the restriction that such personal data, and the traffic data related to its flow, is not transferred outside of India. A significant data fiduciary also needs to ensure that any software or other mechanism it adopts for hosting, uploading, transmitting, storing or otherwise handling personal data is not likely to pose a risk to the rights of data principals.
While the DPDP Rules do not lay out the procedures for conducting a DPIA, it is likely to involve an auditor's examination of the significant data fiduciary's documentation (such as privacy policies, data transfer agreements and processing agreements) and of its activities, including collecting, processing, transferring and storing data. The auditor may also assess the technical and organizational measures implemented by a significant data fiduciary for information security, data storage and processing, including appropriate certifications, data access controls and data anonymization/encryption measures.
The DPDPA further states that significant data fiduciaries must undertake periodic DPIAs to evaluate the processing of personal data and risks to data principals' rights. In this regard, while conducting a DPIA, a significant data fiduciary may consider the categories of personal data collected, potential security incidents and activities related to its collection, processing or storage.
To test effectiveness and to formulate mitigation strategies, an auditor may also verify a significant data fiduciary's response time and the procedures it has in place for responding to, reporting and mitigating data security incidents. Data audits under the DPDPA aim to streamline procedures for a significant data fiduciary's collection, use, storage, transfer and disclosure of personal data, further ensuring protection of data principals' rights.
Data fiduciaries and data processors
Although the DPDPA does not explicitly mandate audit obligations for data fiduciaries to ensure that all data processing activities conducted by them or their data processors comply with the law, it is advisable for data fiduciaries to conduct periodic audits of their data processors. These audits should be provided for through appropriate contractual arrangements to ensure that data processors operate within the framework of the DPDPA.
Consent managers
The DPDP Rules set out a framework requiring consent managers to implement an audit mechanism to review, monitor, evaluate and periodically report such audits to the DPBI. The audits need to cover the technical and organizational controls and safeguards implemented by the consent manager, the fulfilment of registration conditions, and compliance with the act and rules.
Measures to be adopted
Any non-compliance with the requirements of the act and the rules may result in significant penalties. A data audit will assist organizations in identifying potential gaps in their data protection framework, thus reducing the risk of incurring penalties. Further, audits help organizations minimize the possibility of data security incidents resulting from unauthorized access or potential breaches. They also ensure personal data is collected and handled in a secure and authorized manner, thereby promoting transparency and accountability in an organization's data processing practices.
However, in the absence of specific rules and procedures governing an audit under the act and rules, organizations may consider adopting the following measures while conducting a data audit:
- Clearly outline the audit's scope with respect to the relevant data involved, including processing to be done and the infrastructure to be used.
- Review relevant documentation related to processing activities, including privacy policies, vendor data processing agreements and dataflow maps.
- Assess statutory compliance: collect and process only the personal data necessary for legitimate purposes, retain it only as long as required, and limit any extended retention to what regulatory obligations demand.
- Identify potential deficiencies and develop and implement strategies to address gaps, including any discrepancies in policies and technical and organizational measures.
- Schedule periodic data audits to ensure ongoing compliance.
Data audits in other jurisdictions
Article 28(3)(h) of the EU General Data Protection Regulation, much like Section 10 of the DPDPA, imposes an obligation on the processor to make all information necessary to demonstrate compliance with the law available to the controller and to permit audits by the controller. This enables the controller to verify compliance with the applicable provisions of the GDPR.
The European Data Protection Board released guidelines on the concepts of controller and processor under the GDPR, setting out certain recommendations for clauses to be included in data processing agreements. These guidelines state data processing agreements must entail obligations on communication of information from the processor to the controller to ensure the controller is always aware of processing activities.
Per the EDPB, the audit is intended to ensure the controller is always fully informed of processing activities and the technical security measures adopted by the processor. These guidelines state that the processor may suggest an auditor, but the controller retains the right to make the final decision regarding the processor's suggestion, which will also include the right to contest the nature, process and outcome of the audit.
Based on the outcome, the controller may request the processor implement appropriate measures required to comply with the GDPR. The EDPB also suggests that concerned parties refrain from incorporating disproportionate clauses on costs associated with audits. Imposing excessive costs would be counterproductive and would discourage parties from conducting audits, further defeating the purpose of Article 28(3)(h).
Conclusion
In this era of the digital economy, the DPDPA and the DPDP Rules are expected to play a crucial role in safeguarding individuals' right to privacy by ensuring that personal data is handled securely, legally and in an authorized manner. Data audits uphold this principle by keeping organizations accountable for personal data access, storage and processing.
Given the strict and continually evolving compliance requirements around collecting, processing and storing personal data, it is important for business entities operating in India to conduct compliance audits per the DPDPA and DPDP Rules to identify any deficiencies and implement remediation strategies, ensuring compliance with the country's changing legal landscape.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Nivedita Nivargi
Partner, Samvad Partners
Saurabh Roy
Senior Associate, Samvad Partners' General Corporate Practice Group