Audit of policies and conduct of processing, etc
29. (1) The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
(2) The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including
(a) clarity and effectiveness of notices under section 7;
(b) effectiveness of measures adopted under section 22;
(c) transparency in relation to processing activities under section 23;
(d) security safeguards adopted pursuant to section 24;
(e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25;
(f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.
(3) The Authority shall specify, by regulations, the form and procedure for conducting audits under this section.
(4) The Authority shall register in such manner, the persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may be specified by regulations, as data auditors under this Act.
(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.
(6) The Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).
(7) Notwithstanding anything contained in sub-section (1), where the Authority is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the Authority may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.