Skip to main content

Q4 - What kind of additional audits and assessments are mandatory for SDFs?

Once classified as a Significant Data Fiduciary, an organization must comply with enhanced obligations, including:

  • Conducting Data Protection Impact Assessments (DPIAs) before starting any high-risk processing activity.
  • Arranging for periodic independent data audits by accredited auditors to confirm compliance.
  • Appointing a Data Protection Officer (DPO) based in India, who serves as the point of contact for the Board and Data Principals.
  • Reviewing algorithms and automated decision-making systems to ensure they do not harm or unfairly discriminate against individuals.
Example

If ABC Bank launches an AI-driven credit scoring system, it must conduct a DPIA to check whether the system unfairly rejects certain applicants. It must also submit to independent audits verifying whether the data is secured and used lawfully.