Rule 12: Additional Obligations of Significant Data Fiduciaries
Statutory Text — Rule 12:Additional obligations of Significant Data Fiduciary. (click to expand)
(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.
(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
Rule 12 sets out enhanced compliance duties for organisations designated as Significant Data Fiduciaries (SDFs) by the Central Government. These are entities that process large volumes of personal data or handle sensitive or high-impact datasets, such as banks, social media platforms, telecom companies, or healthcare networks.
The purpose is to ensure such organisations adopt a proactive and auditable approach to data protection through regular assessments, governance controls, and localisation safeguards.
1. Annual Data Protection Impact Assessment (DPIA) and Privacy Audit
Every SDF must perform a Data Protection Impact Assessment (DPIA) and a privacy audit once every twelve months from the date it was notified as an SDF. This ensures that privacy and security measures are reviewed periodically rather than reactively.
A DPIA is a structured risk assessment exercise to identify, analyse, and mitigate privacy risks in processing activities. It examines how data is collected, stored, shared, and deleted, and whether these actions align with the principles of necessity, proportionality, and lawfulness under the Act.
A privacy audit complements the DPIA by validating actual practices — policies, logs, security configurations, and contractual clauses — against regulatory requirements and internal standards.
For implementation:
- Create a DPIA framework (for example, based on ISO 27701 or NIST Privacy Framework).
- Assign a privacy office or external consultant to carry out assessments.
- Integrate findings into your annual risk register and governance reporting cycle.
A national hospital chain, designated as an SDF, conducts an annual DPIA covering its patient management system, insurance data exchange, and remote consultation platform. The audit identifies excessive retention of historical prescriptions beyond the retention limit and recommends automatic purging. The corrected process is documented and reported to the Board.
2. Reporting of Significant Observations to the Data Protection Board
The SDF must ensure that the auditor or DPIA team furnishes a summary report of significant observations to the Data Protection Board of India (DPBI). This summary enables regulatory oversight while maintaining confidentiality of proprietary details.
The report should include:
- Scope of Assessment: Define which data flows, systems, or business units were evaluated.
Example: “Customer onboarding, payment processing, and CRM systems.”
- Methodology: Describe the approach (interviews, log reviews, penetration tests, DPIA matrix, etc.) used for evaluation.
A clear methodology establishes audit credibility and reproducibility.
- Significant Findings: Present key risks or non-compliances in plain language with severity levels (Critical, High, Medium).
Example: “Unencrypted data backups stored on third-party servers outside India.”
- Remediation and Timeline: Summarise corrective actions with responsible owners and implementation deadlines.
Example: “Encryption-at-rest deployment across data warehouses within 45 days.”
This transparent reporting strengthens regulatory trust and demonstrates continuous accountability.
3. Algorithmic Accountability and Risk Control
Rule 12(3) introduces algorithmic due diligence, recognising that many SDFs rely on automated systems that influence how personal data is hosted, shared, or displayed. The SDF must verify that any algorithmic software used in data handling does not create discriminatory, privacy-invasive, or unfair outcomes.
This includes:
- Testing algorithms for bias or discriminatory profiling (e.g., lending models, recruitment screening).
- Ensuring explainability — being able to justify how an algorithm reached a certain decision affecting a Data Principal.
- Implementing model governance policies that track version control, data lineage, and validation reports.
- Engaging third-party AI ethics auditors or using fairness frameworks (like IBM AI Fairness 360 or Google’s What-If Tool).
For example, a fintech SDF using an AI model for credit scoring must regularly audit the algorithm to ensure it doesn’t unfairly disadvantage individuals based on age, gender, or geography.
An SDF operating a large social media network verifies that its content-ranking algorithms don’t infer sensitive interests (e.g., health or religion) for advertising purposes. It implements regular fairness audits and logs all algorithmic updates in a governance dashboard accessible to compliance officers.
4. Restriction on Cross-Border Transfer of Certain Data
The Central Government may specify categories of personal data that must remain within India’s borders, based on the recommendations of an expert committee. When such data categories are notified, SDFs must ensure:
- The data and related traffic metadata are not transferred or mirrored outside India.
- All processing, storage, and routing occur in localised data centres within the country.
- Cloud or vendor contracts explicitly restrict cross-border access or replication.
This rule effectively operationalises data localisation for high-impact categories such as financial records, defence-related information, or health datasets.
Implementation steps include:
- Maintaining a data localisation map identifying which datasets fall under restrictions.
- Configuring geo-fencing and network controls to restrict data flow beyond Indian IP ranges.
- Engaging certified domestic cloud providers for processing and backup operations.
- Establishing data transfer governance SOPs to monitor export activity through APIs or integration points.
A payment aggregator designated as an SDF processes transaction logs containing cardholder data. Once financial datasets are categorised as “restricted for export” by the Central Government, the company transitions its cloud servers from Singapore to India and limits all processing to Indian data centres.
5. Strategic Importance of SDF Compliance
Being designated as an SDF places an organisation under direct scrutiny of the Data Protection Board.
Failure to perform annual audits, neglecting algorithmic due diligence, or transferring restricted data abroad may attract significant penalties and reputational harm.
However, strong compliance can serve as a competitive advantage, signalling to clients, investors, and regulators that the organisation operates at the highest standard of privacy governance.
Significant Data Fiduciaries should maintain a continuous governance framework that includes quarterly privacy reviews, an internal DPIA tracker, and algorithmic transparency documentation.
Rule 12 creates a comprehensive compliance ecosystem for entities with the largest impact on citizens’ data. By mandating regular DPIAs, audits, algorithmic checks, and localisation controls, it transforms privacy from a one-time exercise into a sustained accountability cycle, ensuring that India’s digital economy remains transparent, fair, and sovereign by design.