Section 29 Indian Data Protection Act 2019

Audit of policies and conduct of processing, etc

29. (1) The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.

(2) The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including

(a) clarity and effectiveness of notices under section 7;

(b) effectiveness of measures adopted under section 22;

(c) transparency in relation to processing activities under section 23;

(d) security safeguards adopted pursuant to section 24;

(e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25;

(f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.

(3) The Authority shall specify, by regulations, the form and procedure for conducting audits under this section.

(4) The Authority shall register in such manner, the persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may be specified by regulations, as data auditors under this Act.

(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.

(6) The Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).

(7) Notwithstanding anything contained in sub-section (1), where the Authority is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the Authority may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.

author avatar
A H

You may also like

Children Safety Encryption www.privacad.com
Apple’s New Step to Protect Child Abuse via Encryption Feature
20 August, 2021
DNA Technology and Privacy www.privacad.com
DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
19 August, 2021
www.privacad.com
India accuses Twitter of not complying with new IT rules
18 August, 2021