If the Central Government notifies your organisation as a Significant Data Fiduciary, the DPDP compliance clock resets to a much higher standard. Every twelve months. Without exception. And the compliance report goes directly to the Data Protection Board — not just your internal governance team.
This is Episode 9 — the final episode — of our series on Technology & DPDP Compliance. We close where the law places its highest obligations: on organisations that process personal data at scale, with sensitivity, or with the potential to affect the sovereignty, integrity, electoral democracy, or security of India.
Who is a Significant Data Fiduciary (SDF)?
Under Section 10(1) of the DPDP Act, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary based on an assessment of the following factors: the volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.
None of these are minor thresholds. Organisations that process the personal data of crores of Indian citizens — large technology platforms, healthcare aggregators, financial institutions, telecom service providers, e-commerce majors, and social media companies — sit squarely in the zone of potential notification. The Act does not establish a fixed threshold; notification is a discretionary Central Government decision based on assessed risk. Any organisation that cannot rule out being notified would be prudent to prepare as if it will be.
Obligation 1 — Annual DPIA and Compliance Audit
Rule 13(1) of the DPDP Rules, 2025 requires every Significant Data Fiduciary to undertake a Data Protection Impact Assessment and a compliance audit once in every twelve-month period from the date of notification. These are not optional governance exercises.
The DPIA must comprise — as prescribed in Section 10(2)(c)(i) — a description of the rights of Data Principals and the purpose of processing their personal data, an assessment and management of risk to those rights, and such other matters as may be prescribed. It is a systematic, documented analysis of every processing activity, mapped to the rights that processing may affect, with risk scores and mitigation plans against each.
Under Rule 13(2), the person carrying out the DPIA and audit must furnish a report containing significant observations to the Data Protection Board. This is a regulatory submission — not an internal board paper.
What technology must power the DPIA:
A credible DPIA cannot be produced from narrative alone. It requires an automated data flow mapping system that records every category of personal data processed, its source, purpose, storage location, retention period, and all third parties it is shared with. It requires a processing activity register that is kept current — not reconstructed annually before the DPIA cycle. It requires a risk assessment engine that evaluates each processing activity against Data Principal rights and generates a risk score that can be documented, justified, and reported.
Organisations that attempt a DPIA on the basis of spreadsheets and memory will produce an audit artefact, not a compliance document. The technology infrastructure must support the DPIA, not the DPIA justify the technology.
Obligation 2 — The Independent Data Auditor and the IS Audit Standard
Section 10(2)(b) requires the SDF to appoint an independent data auditor to carry out data audit — evaluating the compliance of the Significant Data Fiduciary with the provisions of the Act. The independence of this auditor is not a procedural nicety. It is a substantive safeguard.
The IS Audit Standards published by ICAI (ISAS 430 — Audit of Digital Personal Data Protection) establish the specific framework for this engagement. ISAS 430 covers engagements related to digital personal data protection, requiring evaluation of procedures, internal control structures, and compliance with legal or regulatory requirements.
ISAS 510 (Reporting Results) sets out what the audit report must contain: the audit firm and lead auditor identification, the scope (defining which information systems, processes, controls, and technology domains were audited, along with any exclusions and access limitations), the period covered, a management responsibilities statement, an executive summary with the overall IS Audit opinion, structured findings with Finding ID, criteria, condition, cause, effect, risk rating, and management response, and a regulatory compliance mapping table linking each legal requirement to the control tested, the test result, and the compliance status.
The risk rating scale — Critical, High, Medium, Low — reflects the potential impact on confidentiality, integrity, and availability, and guides the prioritisation of remediation. Material Weaknesses are deficiencies in IS controls where there is a reasonable possibility that material misstatement, unauthorised access, data compromise, or non-compliance could occur and would not be prevented, detected, or corrected on a timely basis. Significant Deficiencies are less severe but still merit governance attention. Both categories must be separately identified and reported.
The intended users of this audit report — Board of Directors, Audit Committee, the DPO, and the Data Protection Board — are entitled to a report that provides reliable assurance about the effectiveness, adequacy, and operating performance of the organisation’s IS controls, governance mechanisms, risk management practices, and compliance with the DPDP Act and Rules.
IS Audit Module 1 and the ISAS standards are explicit: materiality in IS audit includes both quantitative factors (volume of transactions, regulatory penalty amounts) and qualitative factors (sensitivity of data at risk, pervasiveness of control failures, potential for reputational damage). For an SDF operating under the DPDP Act, penalties up to ₹250 crore make materiality analysis particularly consequential. A control deficiency that could permit unauthorised access to the personal data of a million users is, by any materiality standard, a Material Weakness — and the independent auditor is required to say so.
Obligation 3 — Algorithmic Software Due Diligence
Rule 13(3) creates an obligation that distinguishes SDFs from all other Data Fiduciaries: they must observe due diligence to verify that technical measures including algorithmic software adopted for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data are not likely to pose a risk to the rights of Data Principals.
This is technology governance at the level of the algorithm. Any software that makes or influences decisions about personal data — content ranking algorithms, credit scoring models, fraud detection systems, recommendation engines, profiling tools, targeted advertising systems — must be assessed for whether it poses a risk to Data Principal rights. The question is not whether the algorithm performs as designed. The question is whether, when it operates on personal data at scale, it produces outcomes that infringe on the rights the DPDP Act grants to every individual whose data it processes.
CERT-In’s Elemental Cyber Defense Controls (VAA.1 and VAA.2) require independent third-party vulnerability assessments of business-critical assets and applications at least once a year, with effective remediation strategies — directly aligned with the algorithmic due diligence obligation. Where algorithmic software processes personal data, the technology risk assessment and the DPDP rights assessment converge.
Practically, organisations must: maintain an inventory of every algorithmic system that processes personal data, document the purpose and decision logic of each, conduct periodic impact assessments specifically for effects on Data Principal rights, and maintain audit trails that allow the auditor and the Board to verify that due diligence was actually conducted — not merely asserted.
Obligation 4 — Data Localisation
Rule 13(4) requires every SDF to undertake measures to ensure that personal data specified by the Central Government is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
This is not a policy statement — it is an infrastructure mandate. Compliance requires: cloud region configuration that restricts specified data to India-hosted servers, data egress controls that prevent outbound transmission of specified data categories, network-level monitoring that detects and blocks cross-border data flows for restricted categories, and regular verification through technical testing (not just policy review) that localisation controls remain effective.
For organisations using global cloud platforms, this requires detailed understanding of which data categories will be subject to localisation orders, configuration of dedicated India-region deployments for those categories, and contractual and technical controls over Data Processors that are party to global data flows.
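An added example (not from this article or from any regulator-published material) showing how the "technical testing, not just policy review" verification of Obligation 4 can be run over the processing-activity register that Obligation 1 calls for. The register rows, category names, notified-category list and region codes are all constructed assumptions; the check treats both storage locations (primary and replicas) and third-party transfer endpoints as in scope, since the rule covers the data and the traffic pertaining to its flow.

```python
"""Added example (not from the article): a processing-activity register in the
shape Obligation 1 describes, plus a technical localisation check for Obligation 4.
Every row, category name and region code is a constructed assumption."""
from __future__ import annotations
from dataclasses import dataclass, field

INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # assumed India-hosted region codes


@dataclass
class Activity:
    """One row of the processing-activity register."""
    name: str
    categories: set[str]       # personal data categories processed
    source: str                # where the data comes from
    purpose: str               # purpose of processing
    storage_region: str        # primary storage location
    retention_days: int
    replica_regions: set[str] = field(default_factory=set)    # backup/replica targets
    recipients: dict[str, str] = field(default_factory=dict)  # third party -> endpoint region


def localisation_findings(register: list[Activity], notified: set[str]) -> list[tuple]:
    """Return (activity, location, region, categories) for every place a notified
    category is stored or sent outside India. `notified` stands in for the
    categories the Central Government specifies under Rule 13(4) (assumed)."""
    findings = []
    for act in register:
        hit = act.categories & notified
        if not hit:
            continue  # no restricted category in this activity
        # Data at rest: primary store and every replica must stay in India.
        for region in {act.storage_region} | act.replica_regions:
            if region not in INDIA_REGIONS:
                findings.append((act.name, "storage", region, sorted(hit)))
        # Data in flow: a third-party endpoint abroad is a cross-border transfer.
        for party, region in act.recipients.items():
            if region not in INDIA_REGIONS:
                findings.append((act.name, f"transfer:{party}", region, sorted(hit)))
    return sorted(findings)


REGISTER = [  # constructed rows
    Activity("kyc-onboarding", {"identity", "financial"}, "customer forms", "account opening",
             "ap-south-1", 3650, replica_regions={"us-east-1"}, recipients={"credit-bureau": "ap-south-1"}),
    Activity("telehealth", {"health"}, "patient app", "consultation",
             "ap-south-2", 1825, recipients={"analytics-vendor": "us-west-2"}),
    Activity("marketing-analytics", {"behavioural"}, "web tracking", "campaign measurement", "eu-west-1", 365),
]
NOTIFIED = {"financial", "health"}  # assumed notified categories
```

Running `localisation_findings(REGISTER, NOTIFIED)` flags the US replica of the KYC store and the overseas analytics vendor receiving health data, while the marketing store abroad is not flagged because its category is not in the notified list.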
Obligation 5 — Data Protection Officer (DPO)
Section 10(2)(a) requires every SDF to appoint a Data Protection Officer who must be an individual (not a committee, not a function, not a designation shared with another role) based in India, responsible to the Board of Directors or equivalent governing body, and serving as the point of contact for the grievance redressal mechanism under the Act and the Data Protection Board.
The DPO is the organisational anchor of the SDF’s DPDP compliance. The accountability to the Board of Directors is structurally significant — it means the DPO reports upward to governance, not laterally to legal or IT. The DPO’s independence from operational management is essential to the integrity of the role. An individual who reports to the same management team whose processing decisions they are expected to assess cannot independently discharge the DPO function.
The Two Roles That Must Remain Separate
The DPO and the independent data auditor serve fundamentally different functions — and the law clearly contemplates that these are two distinct persons. The DPO manages the SDF’s compliance posture on an ongoing basis. The independent data auditor evaluates that posture independently and reports to the Board and the Data Protection Board. Conflating the two — or having the auditor report through the DPO — compromises both functions. IS Audit Standards are explicit: the auditor must not set risk appetite, must not implement risk responses on management’s behalf, and must not impose risk management processes. The only role of the auditor is independent, evidence-based evaluation and reporting.
A Closing Thought on This Series
Eight episodes ago, we started with a question: does your IT team know what DPDP means for them?
Nine episodes later, the architecture is mapped. Consent management platforms. Encryption, masking, and tokenisation. Identity and access management. Logs, monitoring, and SIEM. Breach detection and 72-hour notification. Automated data erasure. Data Principal rights portals. And now — for those notified as Significant Data Fiduciaries — annual DPIA, algorithmic due diligence, data localisation, a DPO accountable to the Board, and an independent audit reported to the Data Protection Board of India.
This is not a compliance checklist. It is the architecture of an organisation that takes the right to privacy seriously — and builds systems that make that right real for every individual whose personal data it holds.
The organisations that will be ready when enforcement begins are building these systems today. Not after the first Board notice arrives.
This concludes the 9-episode Technology & DPDP Compliance series.
Follow DSK Sustainability Tech LLP for continued DPDP compliance insights, advisory content, and technology governance perspectives.
In association with our knowledge partners — Karthik & Sunil, Chartered Accountants.
Sources: DPDP Act 2023 (Sections 10, 11–14) | DPDP Rules 2025 (Rules 13, 14) | ICAI Information Systems Audit Standards | ICAI IS Audit 3.0 Course Materials | CERT-In Elemental Cyber Defense Controls for MSMEs (Version 1.0, 01.09.2025) | Justice K.S. Puttaswamy (Retd.) vs Union of India (2018)