
DPDP Act Audit Requirements: What Records to Maintain

What audit records the DPDP Act 2023 requires Data Fiduciaries to maintain, how long to keep them, and how to prepare for a Data Protection Board investigation.

Key Takeaways
  • Significant Data Fiduciaries must conduct periodic data audits through an independent data auditor under Section 10(2)(b).
  • All Data Fiduciaries should maintain records of processing activities, consent records, breach notifications, and Data Principal rights requests.
  • Audit records must be maintained for a period that enables potential Board investigations — a minimum of 3 years is a prudent baseline.
  • The Data Protection Board has power to call for information and records during an inquiry — companies without adequate records face an impossible compliance defence.
  • AuditPath and similar GRC platforms can maintain the evidence trail required for both DPDP and SOC 2 audit readiness.

Audit Obligations Under the DPDP Act

The DPDP Act 2023 imposes tiered audit obligations. For Significant Data Fiduciaries (SDFs), Section 10(2)(b) requires periodic data audits to be conducted by an independent data auditor. For all other Data Fiduciaries, while the Act does not mandate a specific audit cycle, the Board has broad powers under Section 27 to call for information and conduct inquiries — which means every company needs to be able to demonstrate compliance on demand.

Even before the SDF classification is established through notification, companies should operate as if they may be subject to a Board inquiry at any time. The Board can investigate on receipt of a complaint from a Data Principal, on a reference from the Central Government, or on its own motion. An investigation can cover any aspect of the DPDP Act compliance, and the Board can require production of documents, information, and records.

Building an audit-ready compliance programme from the outset is far more efficient than scrambling to assemble documentation when an inquiry arrives. The records you maintain for day-to-day operations — consent logs, DSAR (Data Principal rights request) tracking, breach notifications, DPA agreements — are the same records you will need to produce in an investigation. The discipline is the same; only the audience changes.

Significant Data Fiduciary Audit Requirements

Once the Central Government notifies the criteria for Significant Data Fiduciary classification, entities meeting those criteria will be required to conduct periodic data audits by an independent data auditor. The auditor will assess compliance with the DPDP Act obligations: lawfulness of processing, consent management, Data Principal rights fulfilment, security safeguards, data accuracy, storage limitation, and Data Processing Agreement compliance.

Independent data auditors will likely need to be empanelled or qualified by MeitY or the Data Protection Board — the Rules will specify the qualification criteria. In the interim, companies should engage legal and compliance professionals with DPDP Act expertise to conduct internal audit exercises that mirror what an independent audit will require. This gap analysis approach helps identify weaknesses before they are found by an external auditor.

The audit report for SDFs will likely need to be submitted to the Data Protection Board on a periodic basis. This creates a formal regulatory accountability mechanism: non-compliant audit findings become Board records that can trigger enforcement. For SDFs, audit readiness is not just an internal governance matter — it directly affects regulatory standing.

Records Every Data Fiduciary Should Keep

Every Data Fiduciary should maintain a core set of compliance records.

Processing records: a record of all personal data processing activities, including the data categories, purposes, lawful bases, Data Processors used, and retention periods. This is your data purpose register (also called a Record of Processing Activities). It should be updated whenever processing activities change.

Privacy notice records: maintain a version history of your privacy notice with the date each version was published. If a Data Principal questions what they were told at the time of consent, you need to be able to produce the privacy notice that was in effect at that date. Use version control for your privacy policy documents.

DPA records: maintain a register of all Data Processing Agreements, with the counterparty name, date executed, and status (current/expired). For each DPA, keep a copy of the signed agreement. This enables you to quickly demonstrate to the Board that you have contracts in place with all processors and to identify any gaps.

Consent records are among the most important records to maintain under the DPDP Act. For each consent obtained, record: the Data Principal's identity (user ID or hashed identifier), the timestamp of consent, the version of the privacy notice in effect at consent, the specific purposes consented to, the mechanism by which consent was obtained (checkbox, API call, Consent Manager), and the current status (active or withdrawn).

Consent withdrawal records: when a Data Principal withdraws consent, record the timestamp of withdrawal, the specific consents withdrawn, and the actions taken in response (processing cessation, data deletion). These records demonstrate that you honoured the withdrawal right promptly.

Consent records should be retained for as long as the underlying data relationship exists plus a reasonable period for dispute resolution — typically 3 years after the end of the relationship. Older consent records may be anonymised or aggregated (retaining statistical information about consent rates and withdrawal rates without retaining individual-level records) once the retention period expires.
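The consent, withdrawal and retention records described above, modelled as an append-only ledger. This is an added illustration written for this page, not code from the article or from AuditPath; the field names, the salted-hash identifier scheme, the three-year retention constant and the sample events are all assumptions constructed to mirror the record elements listed in the text.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Retention rule from the article: relationship end plus 3 years (constant is an assumption).
RETENTION_AFTER_END = timedelta(days=3 * 365)


def hash_principal(user_id: str, salt: str) -> str:
    """Store a salted hash of the user identity rather than the raw identifier."""
    return hashlib.sha256((salt + ":" + user_id).encode()).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    principal_ref: str                    # hashed Data Principal identifier
    ts: datetime                          # timestamp of the grant or withdrawal (UTC)
    kind: str                             # "grant" or "withdraw"
    purposes: FrozenSet[str]              # specific purposes granted or withdrawn
    notice_version: str                   # privacy notice version in effect (grants only)
    mechanism: str                        # "checkbox", "api", "consent_manager", ...
    actions_taken: Tuple[str, ...] = ()   # withdrawals: cessation, deletion, ...


class ConsentLedger:
    """Append-only ledger: status is derived by replaying events, never edited in place."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_grant(self, principal_ref, ts, purposes, notice_version, mechanism):
        self._events.append(ConsentEvent(principal_ref, ts, "grant", frozenset(purposes),
                                         notice_version, mechanism))

    def record_withdrawal(self, principal_ref, ts, purposes, mechanism, actions_taken):
        self._events.append(ConsentEvent(principal_ref, ts, "withdraw", frozenset(purposes),
                                         "", mechanism, tuple(actions_taken)))

    def status(self, principal_ref: str, purpose: str) -> str:
        """'active', 'withdrawn' or 'none' for one purpose, replaying events in time order."""
        state = "none"
        mine = sorted((e for e in self._events if e.principal_ref == principal_ref), key=lambda e: e.ts)
        for ev in mine:
            if purpose in ev.purposes:
                state = "active" if ev.kind == "grant" else "withdrawn"
        return state

    def notice_version_at_consent(self, principal_ref: str, purpose: str) -> Optional[str]:
        """Which notice version was shown when this purpose was most recently granted."""
        grants = [e for e in self._events
                  if e.principal_ref == principal_ref and e.kind == "grant" and purpose in e.purposes]
        return max(grants, key=lambda e: e.ts).notice_version if grants else None

    def anonymise_expired(self, relationship_end: Dict[str, datetime], now: datetime) -> Dict[str, int]:
        """Drop individual-level events past retention, keeping only aggregate counts."""
        expired = {p for p, end in relationship_end.items() if now - end > RETENTION_AFTER_END}
        dropped = [e for e in self._events if e.principal_ref in expired]
        self._events = [e for e in self._events if e.principal_ref not in expired]
        return {
            "principals_anonymised": len({e.principal_ref for e in dropped}),
            "grants": sum(1 for e in dropped if e.kind == "grant"),
            "withdrawals": sum(1 for e in dropped if e.kind == "withdraw"),
        }


SALT = "example-salt-not-for-production"  # constructed; keep the real salt in a secrets store


def build_demo_ledger():
    """Constructed sample events: one grant with a later partial withdrawal, one plain grant."""
    ledger = ConsentLedger()
    alice = hash_principal("user-1001", SALT)
    bob = hash_principal("user-2002", SALT)
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    ledger.record_grant(alice, t0, {"marketing", "analytics"}, "v2.0", "checkbox")
    ledger.record_grant(bob, t0 + timedelta(days=1), {"analytics"}, "v2.0", "api")
    ledger.record_withdrawal(alice, t0 + timedelta(days=30), {"marketing"}, "consent_manager",
                             ["processing ceased", "marketing profile deleted"])
    return ledger, alice, bob


def demo_anonymisation():
    """Bob's relationship ended more than 3 years before 'now'; Alice's is ongoing."""
    ledger, alice, bob = build_demo_ledger()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    ends = {bob: datetime(2020, 12, 31, tzinfo=timezone.utc)}
    stats = ledger.anonymise_expired(ends, now)
    return stats, ledger.status(bob, "analytics"), ledger.status(alice, "analytics")


if __name__ == "__main__":
    ledger, alice, bob = build_demo_ledger()
    print("alice/marketing:", ledger.status(alice, "marketing"))
    print("notice at consent:", ledger.notice_version_at_consent(alice, "marketing"))
    print("anonymisation:", demo_anonymisation())
```

Keeping the ledger append-only is the point: a withdrawal is a new event rather than an overwrite, so the record can still show what was consented to, under which notice version, and when it was withdrawn. The anonymisation step returns only counts, which is the statistical residue the article says may be retained once the individual-level records expire.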

Data Principal Rights Request Records

Maintain a log of all Data Principal rights requests (access, correction, erasure, grievance) received. For each request, record: the type of request, the date received, the date acknowledged, the identity verification status and method, the assessment of the request (granted, partially granted, refused), the reason for any refusal, the date of completion, and the outcome communicated to the requester.

For erasure requests, additionally record the systems from which data was deleted and the deletion timestamps. This provides evidence that deletion was comprehensive and timely. For correction requests, record the before and after values, the evidence provided in support of the correction, and the date of correction.

DSAR records should be retained for 3-5 years. This period covers the limitation period for Board complaints and provides a sufficient historical record for any investigation. Do not delete DSAR records prematurely — these records are among your most important compliance evidence. Note that DSAR records themselves contain personal data and should be handled accordingly.

Security Incident and Breach Records

Maintain detailed records of every security incident involving personal data, whether or not it met the threshold for a breach notification. For incidents below the notification threshold, record: the nature of the incident, the personal data affected, the assessment of whether notification was required and why it was not triggered, and the remediation steps taken. This demonstrates a systematic incident management process even for lower-severity events.

For notifiable breaches: record the full incident timeline (detection, containment, investigation, notification), the Board notification submitted (with timestamp), the Data Principal notifications sent, the number of Data Principals notified, and the post-incident remediation actions. Keep copies of all Board correspondence.

Breach records should be retained for a minimum of 5 years, given the seriousness of breach-related enforcement and the possibility of Board investigations that begin well after the breach occurred. Maintain breach records separately from routine operational logs and ensure they are backed up and preserved even if other records are purged.

Preparing for a Board Investigation

A Board investigation begins with a notice requiring the Data Fiduciary to produce specified information and records within a defined timeframe. The Board's powers under Section 27 include calling for information, summoning officers, and conducting on-site inspections. Cooperation with the Board is mandatory; obstruction or non-production of records is itself a breach with penalty consequences.

Build an "investigation readiness" package that can be assembled quickly: the data purpose register, a sample of consent records, a sample of DSAR records and outcomes, all current DPAs, a summary of your security controls and any certifications, breach notification records, and your privacy notices (all versions). This package should be reviewed and updated quarterly so it is ready on short notice.

Designate a Board investigation coordinator — a senior compliance, legal, or operations person who will manage the response to a Board inquiry, coordinate evidence production, and be the primary contact with the Board. Ensure this person has access to all relevant records and has authority to engage external legal counsel promptly. A well-coordinated response to a Board inquiry, with complete and accurate records, substantially improves the enforcement outcome.

Frequently Asked Questions

How long should we retain DPDP compliance records?

A minimum of 3 years is a prudent baseline for most compliance records, reflecting likely Board investigation timelines. For breach records, 5 years. For consent records, retain for the duration of the data relationship plus 3 years. For DPAs, retain for the contract term plus 3 years after termination. These periods should be reviewed when the Rules are finalised as they may specify particular retention requirements.

Are all companies required to conduct an independent data audit?

Currently, independent data audits are an obligation only for Significant Data Fiduciaries under Section 10(2)(b). However, all companies should conduct internal compliance audits and be prepared to produce records for a Board investigation. If your company processes high volumes of personal data, start building audit-ready processes now even before SDF classification is determined.

What format should records be maintained in?

The Act and draft Rules do not specify a format. Maintain records in a form that is durable, searchable, and can be produced to the Board — structured digital records (database entries, CSV exports, document management systems) are preferred over unstructured email archives or paper records. Ensure records are backed up and cannot be inadvertently deleted.

Do we need to keep records for processing done by our vendors?

Your DPAs should require vendors to maintain their own processing records. You need to maintain records of what processing you have authorised each vendor to perform (captured in the DPA), not necessarily the vendor's internal processing logs. In the event of a Board investigation involving a vendor breach, the Board will want to see your DPA and vendor oversight records.

Can records be stored outside India?

The DPDP Act does not currently specify that compliance records must be stored in India (as distinct from the cross-border transfer rules for personal data generally). However, for practical and evidentiary reasons, ensuring compliance records are accessible from India and can be produced to the Board within the required timeframe is important. If you store records in international systems, ensure you can retrieve them quickly.
