Q4 - What kind of additional audits and assessments are mandatory for SDFs?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), the Central Government may designate certain organizations as Significant Data Fiduciaries (SDFs) based on factors such as the volume and sensitivity of data they handle, the potential impact on individuals’ rights, and the risk to national security, public order, or electoral democracy.
Once designated, SDFs are subject to additional compliance requirements beyond those applicable to regular Data Fiduciaries. These obligations are specified under Section 10(2) of the Act.
Mandatory Audits and Assessments for SDFs
- Appointment of a Data Protection Officer (DPO)
  - The SDF must appoint a Data Protection Officer who is based in India.
  - The DPO acts as the point of contact for grievance redressal and represents the organization before the Data Protection Board of India.
  - The DPO must report directly to the Board of Directors or governing body of the organization.
- Independent Data Audit
  - Every SDF is required to appoint an independent data auditor.
  - The auditor must carry out periodic audits to evaluate the organization’s compliance with the provisions of the DPDPA, including consent management, security controls, retention, breach handling, and grievance mechanisms.
- Data Protection Impact Assessment (DPIA)
  - SDFs must conduct periodic Data Protection Impact Assessments (DPIAs).
  - The DPIA includes:
    - A description of the personal data being processed.
    - The purpose of the processing and the potential risks to the rights of Data Principals.
    - An assessment of the measures taken to mitigate those risks.
  - The DPIA ensures that processing activities are evaluated for their potential impact on privacy and individual rights.
- Periodic Compliance Audits and Reviews
  - SDFs must perform regular internal reviews of their data processing operations.
  - These reviews include verifying adherence to consent requirements, retention timelines, lawful processing, and response procedures for data breaches.
  - The results of these audits may be reviewed by the Data Protection Board if required.
- Other Prescribed Measures
  - The Central Government may prescribe additional technical, organizational, or procedural measures for SDFs through future rules or notifications.
  - These could include certifications, security maturity assessments, or submission of compliance reports.
For example, an organization that handles large-scale biometric and financial data across India is designated as a Significant Data Fiduciary. It must appoint a Data Protection Officer, have an independent compliance audit conducted every year, and perform a Data Protection Impact Assessment before introducing any new AI-driven analytics process that may affect user privacy.
Referenced Provision:
- Section 10(2) of the Digital Personal Data Protection Act, 2023 specifies that a Significant Data Fiduciary shall:
  - (a) Appoint a Data Protection Officer;
  - (b) Appoint an independent data auditor to evaluate compliance;
  - (c) Undertake periodic Data Protection Impact Assessments, periodic audits, and other prescribed measures.