Data Audit

By Reina Legal

17th January, 2020

The PDPB, 2019 requires significant data fiduciaries (discussed in details in our earlier newsletter) to appoint data auditor and conduct data audits annually.

Eligibility criteria for auditor

  • Shall be an independent person. i.e. shall not be related or in employment with data fiduciary
  • Shall be registered with the Data Protection Authority (DPA)
  • Shall have expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility factors such as independence, integrity and ability

Appointment of auditor

  • The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor or
  • Where the DPA is of the view that the significant data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the DPA may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.

Audit Process

The DPA shall specify

  • the form and procedure for conducting audits
  • the criteria for assigning a rating in the form of a data trust score basis the factors of evaluation mentioned below.

Factors of evaluation

The data auditor shall evaluate the compliance with the provisions of the Act, including –

  1. clarity and effectiveness of notices for collection and processing of data
  2. effectiveness of measures adopted in design policy
  3. transparency in relation to processing of personal data
  4. security safeguards adopted
  5. instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority
  6. timely implementation of processes and effective adherence to obligations for maintenance of records
  7. any other matter as may be specified by regulations

A data auditor may assign a rating in the form of a data trust score to the significant data fiduciary pursuant to a data audit conducted.


Where the significant data fiduciary contravenes obligation to conduct a data audit it shall be liable to a penalty which may extend to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.