Why we call Data Auditors as “Guardians of DPDPA Compliance”

DPDPA introduced the statutory profession of “Independent Data Auditor” under Section 10.

Section 10 described the additional responsibilities of a Significant Data Fiduciary which stated that the Significant Data Fiduciary shall appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and  periodic DPIA.

Rule 13 of the DPDPA Rules mentions

 -A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board* a report containing significant observations in the Data Protection Impact Assessment and audit. (*Board means Data Protection Board, the regulator)

-A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.

In view of the requirement for direct report of significant observations, the Independent Data Auditor (IDA) has been cast a duty on behalf of the regulator.

This provides the IDA a statutory relevance in the eco  system of DPDPA Compliance. In view of this FDPPI interprets that the Data Auditor functions as the eyes and ears of the DPB. The need to be involved in periodic audit also signifies a continuous monitoring of the activity of a significant data fiduciary.

The law does not currently specify the credentials required for being a Data Auditor and what does the word “Independent” imply. It also does not specify if the annual audit, the DPIA and the periodic audits can be performed by different auditors and whether there is any check on an organization playing one auditor against the other.

We hope these issues will be clarified over a period of time by the DPB or MeitY.

However, without waiting for the Government to provide a criteria for the Data Auditors and the Code of Conduct which makes them “Independent”, FDPPI has gone ahead with its own pro active decision to create a knowledge base and certification for the Data Auditors and the Code of Conduct for “Independence”. In order to enforce this code of conduct, FDPPI has created an “Empanelment” under AIDAI (Association of Independent Data Auditors). In order to provide incentivisation for empanelment, AIDAI will be providing a Business Exchange platform which will enable its trained persons to interact with the industry for audit business.

At this point of time we do envisage that an organization may experiment with different auditors for DPIAs while settling down for the annual audit with one of them. However, the changes and the need thereof may be documented by the company and the subsequent auditors.

Since some organizations particularly in the IT services industry may have multiple applications dealing with different sectors, FDPPI envisages that “Sectoral Specialist IDAs” may conduct DPIAs for different sector facing applications. For example if there is an application which can be used both for health care and Finance, the IDA who specializes in health care may conduct a DPIA for health care facing application while finance related application may be audited by an IDA who specializes in Finance.

The DPDPA rules also envisage an audit of “Algorithms” or “AI”. RBI has also indicated that Models and AI need to be audited. In such circumstances there may be a IDA who specializes only in AI models or Autonomous algorithms. Perhaps DGPSI-AI can be used for this purpose.

FDPPI is therefore developing individuals who specialize in different DGPSI frameworks to serve different industries.

Currently the sectoral DGPSI frameworks are available for HR, Data Processor platforms, Banks, Bank Branches, Hospitals. Additional frameworks for Education are also being developed.

In each of these sectors, there is scope for specialization and FDPPI will develop “Champions” for each of the frameworks indicated below.

Watch this space and keep in touch with Naavi if you want to take part in such sectoral specialization.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.