Data Privacy Regulations Applicable to Cloud Computing in India
Cloud computing is not explicitly defined under the laws of India, but it is governed by several sectoral regulations and frameworks based on the industry in which the cloud service is utilised. The primary legal framework that governs data privacy and security in the context of cloud computing includes the Information Technology Act, 2000 (the “IT Act”), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), enshrined under Section 43A of the IT Act. These regulations govern corporate bodies handling sensitive personal data in computer resources, including cloud-based systems. Any negligence in implementing adequate security standards, resulting in wrongful loss or gain, subjects the corporate bodies to liability for damages.
In 2013, the Ministry of Electronics and Information Technology (MeitY) introduced Meghraj, India’s own GI Cloud Initiative to accelerate the adoption of cloud computing in the government sector. Cloud service providers (CSPs) empanelled by MeitY are expected to offer services across different categories, such as basic, advanced and managed cloud services through Meghraj, to optimise government expenditures on information and communications technology.
In August 2023, India introduced the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), India’s first comprehensive data protection legislation. However, the Act is awaiting notification by the central government and is thus not yet in force, as the corresponding Rules are yet to be notified. Once formally effectuated, the DPDP Act will repeal Section 43A of the IT Act, thereby removing the relevance of the SPDI Rules entirely.
Other sector-specific regulations addressing cloud computing technologies include the following.
Defining Personal and Sensitive Data
Personal data and sensitive personal data are primarily governed by the IT Act and the SPDI Rules. The latter define “personal data” as any information that relates to an identified or identifiable individual, including name, contact information and financial data. “Sensitive personal data” includes information such as passwords, financial information (like bank account or credit card details), health conditions, sexual orientation, biometric data, etc. The processing and handling of sensitive data must adhere to prescribed reasonable security practices and procedures.
In addition, sector-specific regulations such as the SEBI Cloud Framework and the IRDAI Regulations impose strict controls on the processing and storage of customer data, especially sensitive financial and insurance-related information.
Requirements for Processing Personal Data in the Cloud
Under Indian law, entities must adhere to several key requirements when processing personal data in the cloud. They must publicly disclose a privacy policy detailing data collection and processing methods, as mandated by the SPDI Rules, and obtain explicit consent before handling sensitive personal data. Data localisation is crucial, particularly for SEBI-regulated financial entities, which must store data within India to ensure compliance with regulatory oversight.
Entities must also follow the security standards detailed in 2.1 Data Security and the Cloud, mandating additional measures such as disaster recovery, business continuity plans and ensuring access for regulatory authorities.
Obligations on Data Controllers and Processors in the Cloud Environment
Data controllers and processors using cloud services must meet several key obligations. They are required to implement reasonable security practices, such as compliance with the security standards mentioned in 2.1 Data Security and the Cloud, and are liable for compensation if negligence leads to data breaches under the IT Act. Entities must also maintain oversight through board-approved IT outsourcing policies, conduct regular audits, and ensure disaster recovery and service continuity, especially in the financial sector as per the RBI Master Directions. Transparency and accountability are also crucial, with CSPs needing to adhere to security and regulatory requirements.
The DPDP Act introduces the concept of a Significant Data Fiduciary (SDF), a classification for data fiduciaries that handle large volumes of sensitive data. Under Section 10 of the DPDP Act, the central government may notify any data fiduciary or class of data fiduciaries as an SDF based on an assessment of the following factors, among others:
Once designated, an SDF is subject to additional compliance obligations beyond those of a regular data fiduciary. These obligations are detailed in the DPDP Act and further clarified in the Draft DPDP Rules, 2025 (the “DPDP Rules”), and include the appointment of key personnel, periodic assessments and audits, algorithmic accountability, and data transfer restrictions.
Cross-border data transfers in cloud computing raise privacy concerns, particularly when data moves across jurisdictions. Once the DPDP Act is effectuated, cross-border data transfers in cloud computing are expected to be governed through a “blacklist” approach, which would allow the government to restrict transfers to countries where adequate safeguards may not exist. Exceptions are anticipated to include transfers necessary for contractual performance, compliance with legal obligations or transfers with the data subject’s consent.
Under the existing law (ie, the IT Act and the SPDI Rules), cross-border transfers of sensitive personal data are permitted only if the receiving jurisdiction ensures the same level of data protection as provided under Indian law. In addition, such transfers can only occur if the data subject has provided explicit consent or if the transfer is necessary for the performance of a lawful contract. The SPDI Rules mandate that organisations handling sensitive personal data must adopt reasonable security practices and ensure that the recipient entity abroad also adheres to these standards, safeguarding the data throughout the transfer process.
While there are no specific penalties targeting breaches in cloud computing under Indian laws, data privacy violations are governed by the IT Act, Section 43 of which penalises unauthorised access to computer systems, including cloud infrastructure, with uncapped compensation to the person so affected. Section 43A further mandates that corporate bodies failing to implement reasonable security practices, resulting in wrongful loss or gain, are liable to compensate affected individuals.
Section 44 imposes penalties of up to INR150,000 for failing to furnish required documents or reports, with additional fines accruing at INR5,000 per day of non-compliance. Non-maintenance of records can attract a penalty of INR10,000 per day. Following the prospective enforcement of the DPDP Act, breaches involving large-scale data processing could result in exorbitant fines of up to INR2.5 billion for failure to implement reasonable security safeguards and up to INR2 billion for failure to notify personal data breaches.
Security Measures for Data Stored in the Cloud
As mentioned in 1.1 Data Privacy and Cloud Computing, data security in the cloud is governed by various standards, regulations and guidelines, primarily set forth by MeitY. One of the key standards is the ISO/IEC 27001 standard, as delineated under Rule 8 of the SPDI Rules, which outlines best practices for Information Security Management Systems (ISMS). Compliance with this standard is essential to safeguard against cyber-attacks and data breaches. In addition, ISO/IEC 27018 is specific to CSPs and is designed to protect personally identifiable information (PII) stored or processed in the cloud, focusing particularly on securing cloud environments.
Other notable security measures include compliance with the Payment Card Industry Data Security Standard (PCI DSS) for organisations processing credit and debit card transactions. These frameworks ensure a shared responsibility between CSPs and their clients in securing data, especially financial and personal information.
Measures to Ensure the Confidentiality, Integrity and Availability of Data
The above-mentioned standards collectively uphold the principles of confidentiality, integrity and availability. By mandating multi-layered security controls, organisations are required to secure data at the physical, network and application levels, to facilitate the following.
Encryption Standards Recommended for Data in Transit and at Rest in the Cloud
Encryption remains a fundamental pillar of data security in cloud environments. For data in transit, India’s regulatory bodies, such as SEBI and RBI, recommend a minimum of 128-bit Secure Sockets Layer encryption to secure financial transactions. This encryption method is widely adopted for browser-to-server communications, protecting sensitive financial data during transmission.
For data at rest, the encryption standards typically recommended include 256-bit Advanced Encryption Standard. The Unique Identification Authority of India (UIDAI) is India’s national agency responsible for issuing Aadhaar (India’s national resident identification number), and mandates 2048-bit encryption for Aadhaar-related data. These encryption norms apply across sectors, including financial institutions and healthcare services, ensuring robust protection against unauthorised access or breaches.
Managing Access Controls in the Cloud Environment
Access control in cloud computing is primarily managed through identity-based policies that regulate who can access specific resources within an organisation’s cloud infrastructure. These policies may include the following:
CSPs also deploy session policies and organisation-wide service control policies to manage access at a granular level. These access control mechanisms ensure that only legitimate users can interact with the cloud environment, mitigating the risk of unauthorised access.
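The layering described above (identity-based policies granting access, with session policies and organisation-wide service control policies narrowing it at a granular level) can be written down as an evaluation function, which makes the least-privilege outcome explicit. The following is an added example, not code from the original text or from any CSP. It assumes a simplified, AWS-style model in which boundary policies never grant permissions on their own and an explicit Deny in any layer wins; the policy statements, action names and resource identifiers are constructed for the illustration.

```python
"""Layered cloud access-policy evaluation (added example, assumed model).

Identity policy: grants permissions.
Session policy and service control policy (SCP): upper bounds only.
Explicit Deny in any layer wins; a missing boundary imposes no limit.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: tuple     # e.g. ("s3:GetObject",); wildcards allowed
    resources: tuple   # e.g. ("arn:bucket/finance/*",); wildcards allowed


def _decide(policy, action, resource):
    """Evaluate one policy: "Deny", "Allow" or None when nothing matches."""
    outcome = None
    for st in policy:
        if any(fnmatchcase(action, a) for a in st.actions) and \
           any(fnmatchcase(resource, r) for r in st.resources):
            if st.effect == "Deny":
                return "Deny"          # explicit deny short-circuits
            outcome = "Allow"
    return outcome


def is_allowed(action, resource, identity_policy, session_policy=None, scp=None):
    """Allowed only if the identity policy allows the request AND every
    boundary that is present also allows it, AND no layer denies it."""
    layers = [identity_policy] + [b for b in (session_policy, scp) if b is not None]
    decisions = [_decide(p, action, resource) for p in layers]
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)


# Constructed sample policies (hypothetical names and resources)
IDENTITY = [Statement("Allow", ("s3:*",), ("arn:bucket/finance/*",))]
SESSION = [Statement("Allow", ("s3:GetObject",), ("arn:bucket/finance/reports/*",))]
SCP = [
    Statement("Allow", ("s3:GetObject", "s3:ListBucket", "s3:PutObject"), ("*",)),
    Statement("Deny", ("s3:DeleteObject",), ("*",)),   # org-wide: nobody deletes
]


def demo():
    """Return the decisions for a few representative requests."""
    return {
        "read_report_with_session": is_allowed(
            "s3:GetObject", "arn:bucket/finance/reports/q1.csv", IDENTITY, SESSION, SCP),
        "read_raw_with_session": is_allowed(
            "s3:GetObject", "arn:bucket/finance/raw/x.csv", IDENTITY, SESSION, SCP),
        "delete_blocked_by_scp": is_allowed(
            "s3:DeleteObject", "arn:bucket/finance/reports/q1.csv", IDENTITY, None, SCP),
        "no_identity_grant": is_allowed(
            "s3:GetObject", "arn:bucket/hr/x", IDENTITY, None, SCP),
        "identity_only": is_allowed(
            "s3:PutObject", "arn:bucket/finance/a", IDENTITY),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Two properties worth noting: a session policy that is silent about a resource denies it (the raw-file request fails even though the identity policy grants `s3:*`), and an organisation-wide Deny on deletion cannot be overridden by any identity grant, which is how a CSP customer can enforce a retention guarantee across all accounts.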
Measures to Prevent Unauthorised Access or Data Breaches
The IT Act provides the fundamental legal framework to prevent unauthorised access and data breaches in India. Compliance with standards like ISO/IEC 27001 (ISMS) and ISO/IEC 27018 (protection of PII in public clouds acting as PII processors) enables CSPs to maintain strict security controls, including best practices such as encryption, data anonymisation and regular security audits.
Furthermore, sector-specific regulations such as SEBI’s guidelines for encryption of data in transit and the RBI’s mandate for end-to-end encryption in mobile financial services significantly reduce the risk of unauthorised access. The “know your customer” (KYC) norms enforced by regulatory bodies such as RBI and SEBI also ensure that CSPs maintain a strict identification process, preventing unauthorised access to sensitive data.
Handling Security Accidents and Breaches in the Cloud
In the case of a security breach, CSPs are required to follow the incident reporting and response framework outlined in the IT Act, read with the guidelines issued by the Indian Computer Emergency Response Team (CERT-In), under MeitY. Key measures include the following:
In addition to regulatory frameworks, CSPs often offer contractual guarantees, such as cloud service agreements (CSAs) or service level agreements (SLAs), which outline the procedures and timelines for addressing and reporting security breaches.
Addressing Data Ownership and Control in Cloud Agreements
In cloud agreements, data ownership and control are key concerns addressed through specific contractual provisions. Typically, the ownership of the data resides with the entity that uploads or stores it on the cloud, often referred to as the “data owner”. In India, CSAs tend to follow this principle, ensuring that the data customer retains ownership rights over the data, while the CSP acts as a custodian or processor. This is explicitly outlined in the ownership clauses, which clarify that any data stored in the cloud remains the intellectual property of the customer, not the provider. Cloud agreements usually incorporate additional clauses to regulate data usage, such as the following.
Rights of Data Subjects Over Their Data in the Cloud
The DPDP Act proposes that data subjects (referred to as “data principals” in the DPDP Act) are to be granted significant rights concerning their personal data. These rights would apply even when the data is stored in the cloud. Data subjects are envisioned to have the following key rights under the DPDP Act.
Exercising Data Access, Rectification and Deletion Rights in Cloud Environments
Data subjects can exercise their rights over cloud-stored data through mechanisms established by the data fiduciary, which collaborates with the CSP. To exercise the right to access, data subjects can submit a request to the data fiduciary to obtain their personal data, which is then retrieved from the cloud by the CSP and provided in a clear, accessible format. For the right to rectification, data subjects can request corrections or updates to inaccurate or incomplete data. The data fiduciary is responsible for ensuring that these corrections are applied across all cloud systems, including back-ups.
Likewise, CSPs must ensure the deletion of personal data that is no longer required for its original purpose upon the data subject’s request for the deletion of their personal data. By co-ordinating with the data fiduciary and CSP, data subjects can effectively exercise these rights, ensuring that their personal data is handled in compliance with the legal framework. CSAs must also incorporate these rights to maintain regulatory compliance and protect user data.
However, it is important to note that, as the DPDP Act has not yet been implemented, the rights of data subjects outlined above, and their ability to exercise those rights, are not yet legally enforceable.
Indian laws do not explicitly include the right to data portability, unlike the EU’s GDPR. The preliminary drafts of the DPDP Act featured a limited right to data portability with exceptions for legal compliance, trade secrets and technical feasibility, but the enacted iteration excluded this right due to potential concerns about data security, such as identity fraud and complications in transferring shared data in cloud environments.
That said, the DPDP Act introduces “consent managers”, which will be entities registered with the Data Protection Board of India (DPB) and will act as intermediaries between users and platforms. These managers will aim to facilitate user control over personal data, potentially enabling limited data transfers through interoperable platforms in cloud environments. Therefore, the DPDP Act does indicate an inclination of the legislators to move towards enhanced data mobility.
In cloud computing, data portability remains challenging due to the lack of standardisation among CSPs. Seamless data transfer requires uniform data formats and technical compatibility, which the current laws do not holistically address. As India’s legal framework evolves, more mechanisms may emerge to support data portability in cloud services, balancing user autonomy with security concerns.
Data retention and deletion in cloud environments are generally governed by the existing IT regulations and contractual agreements between CSPs and clients. The SPDI Rules require CSPs to implement reasonable security practices, including clear retention and deletion policies. Under Rule 5(4) of the SPDI Rules, sensitive personal data or information should not be retained for longer than necessary for the purpose for which it was collected or processed. Once the data is no longer required, it must be deleted to ensure compliance with the retention policy.
Akin to the SPDI Rules, Section 8(7) of the DPDP Act requires data controllers to erase personal data once the data subject withdraws consent or when the specified purpose for which the data was collected is no longer being served, whichever comes first. Notably, the DPDP Rules propose specific retention periods; for instance, large e-commerce entities, online gaming intermediaries and social media intermediaries may be required to erase personal data if a user has not accessed their account or exercised their rights for a period of three years, subject to certain exceptions. In addition, the data fiduciary must ensure that any data processor involved also erases the personal data provided for processing, unless retention is necessary for compliance with existing legal obligations.
In addition to legal requirements, contractual agreements between CSPs and their clients typically outline specific retention periods and conditions for data deletion within cloud environments. These agreements may include provisions for the secure removal of data, including back-ups, upon the termination of services or upon client request. To ensure secure data management, established CSPs like Amazon Web Services, Microsoft Azure, Google Cloud, etc, frequently utilise automated data lifecycle management tools, encryption and stringent access controls.
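The erasure triggers set out in the preceding paragraphs (consent withdrawn, purpose no longer served, the draft DPDP Rules’ proposed three-year inactivity period for certain large platforms, and the exception where another legal obligation requires retention) can be implemented as one policy check that a data fiduciary runs over its records and passes on to its processors. The following is an added example, not code from the original text or from any CSP’s lifecycle tooling; the record schema, the labels for the classes of fiduciary and the legal-hold flag are assumptions made for the illustration, and the sample records are constructed.

```python
"""Retention / erasure decision for personal-data records (added example).

Triggers modelled: consent withdrawn; purpose served; three-year inactivity
for the classes of platform named in the draft DPDP Rules. A legal-hold
exception keeps data that another law requires to be retained.
"""
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVITY_PERIOD = timedelta(days=3 * 365)   # proposed three-year period

# Assumed labels for the classes of fiduciary the draft Rules name
INACTIVITY_RULE_CLASSES = {"e_commerce", "online_gaming", "social_media"}


@dataclass
class Record:
    subject_id: str
    fiduciary_class: str       # e.g. "e_commerce", "bank"
    consent_withdrawn: bool
    purpose_served: bool       # True once the specified purpose no longer applies
    last_activity: date        # last account access or exercise of a right
    legal_hold: bool = False   # retention required by another legal obligation


def erasure_decision(rec, today):
    """Return (must_erase, reason) for one record, evaluated on `today`."""
    if rec.legal_hold:
        return (False, "retained: legal obligation")
    if rec.consent_withdrawn:
        return (True, "consent withdrawn")
    if rec.purpose_served:
        return (True, "purpose no longer served")
    if (rec.fiduciary_class in INACTIVITY_RULE_CLASSES
            and today - rec.last_activity >= INACTIVITY_PERIOD):
        return (True, "inactive for three years")
    return (False, "retained: purpose ongoing")


def erasure_queue(records, today):
    """Subject IDs to erase; the fiduciary forwards this list to every
    processor holding copies so that downstream data is erased too."""
    return [r.subject_id for r in records if erasure_decision(r, today)[0]]


# Constructed sample records
SAMPLE = [
    Record("A", "e_commerce", False, False, date(2022, 5, 1)),          # dormant > 3 years
    Record("B", "e_commerce", False, False, date(2024, 1, 1)),          # recently active
    Record("C", "bank", False, False, date(2019, 1, 1)),                # inactivity rule n/a
    Record("D", "social_media", True, False, date(2024, 1, 1), True),   # withdrawn, but legal hold
    Record("E", "online_gaming", False, True, date(2024, 1, 1)),        # purpose served
]
TODAY = date(2025, 6, 1)


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.subject_id, erasure_decision(r, TODAY))
    print("erase:", erasure_queue(SAMPLE, TODAY))
```

The ordering of the checks matters: the legal-hold exception is tested first so that a withdrawal of consent never erases data the fiduciary is separately obliged to keep, and the inactivity rule is applied only to the classes of platform to which the draft Rules would extend it.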
Due Diligence Considerations for Selecting a CSP
Choosing a CSP may entail comprehensive due diligence measures to ensure compliance with applicable laws and parallel alignment with organisational and project-specific needs. Broadly, these considerations may be bifurcated into two aspects, as set out below.
Data Protection Requirements in CSAs
Data protection is a fundamental element of CSAs, especially in light of India’s evolving regulatory landscape. These agreements should be tailored to ensure that CSPs comply with robust data security and privacy standards, safeguarding personal data from unauthorised access, breaches and misuse. Typical provisions of CSAs include the following.
Ensuring Compliance with Data Privacy Regulations by CSPs
The IT Act and the forthcoming DPDP Act set out several measures that CSPs would need to follow in order to comply with data privacy regulations. Illustratively, in compliance with Section 8 of the DPDP Act, CSPs are expected to adopt a “privacy by design” approach – ie, integrating privacy principles into their services from the outset and thereby embedding personal data protection directly into their technical infrastructure. The DPDP Act is also expected to ensure that CSPs adhere to the principle of data minimisation, ensuring that only the necessary personal data is collected and retained for the required period, with secure deletion thereafter.
In relation to data breaches, Section 8(6) of the DPDP Act proposes to mandate CSPs to promptly notify data principals and the DPB, ensuring swift action to mitigate any potential damage. Furthermore, under Section 8(4) of the DPDP Act, read in conjunction with the extant Rule 8 of the SPDI Rules, CSPs would need to implement robust information security measures, including but not limited to encryption, access controls and compliance with industry standards like ISO/IEC 27001. Rule 6 of the DPDP Rules further clarifies that such “reasonable security safeguards” include data encryption or masking, access control measures, monitoring logs to detect unauthorised access, and maintaining data back-ups.
To ensure accountability and compliance, large-scale CSPs may be further obliged to appoint data protection officers and undergo regular audits, as stipulated under Section 10 of the DPDP Act.
Structuring Data Processing Agreements (DPAs) in the Cloud Environment
DPAs typically outline the scope of services provided by the CSP, which may include data migration, technical support, software development and updates. The agreement applies to data processed within the CSP’s infrastructure and any approved sub-processors. Confidentiality is a critical component, with the DPA mandating that CSPs maintain strict confidentiality and prevent unauthorised access to customer data, personal data and other sensitive information, including by sub-processors. DPAs also specify data processing details, such as the subject matter, duration and purpose of processing, ensuring that the data controller is fully aware of how their data will be handled.
The DPA may further oblige the CSP to comply with established data protection standards, in addition to undergoing periodic audits to ensure secure data management. DPAs may also grant the data controller audit rights, allowing them to request audit reports or conduct their own audits to verify the CSP’s compliance with data protection obligations.
In addition to the above, governing law and dispute resolution clauses are also vital from the standpoint of structuring a DPA, in order to establish a clear mechanism for resolving disputes, particularly in the context of cross-border data processing.
Typical Termination and Exit Strategies for CSAs
Termination and exit strategies in CSAs are vital for securing the customer’s data and ensuring a smooth transition to another CSP.
CSAs typically include two types of termination clauses:
Best practices for exit strategies to ensure a smooth exit process, protect the customer’s interests and facilitate secure data transfers, include the following.
Migrating Data and Services Between Cloud Providers
Data migration from one cloud provider to another requires careful planning and execution to ensure the security and integrity of the data. MeitY has issued guidelines for migrating applications and data between cloud providers, particularly for government departments. The data migration process is typically structured in the following key phases:
Given the absence of specific migration regulations in India, organisations should follow industry best practices such as the Cloud Standards Customer Council’s Practical Guide to Cloud Migration and the National Institute of Standards and Technology’s Cloud Computing Standards to ensure a smooth transition between providers.
Reporting Data Breaches in the Cloud
The reporting of data breaches in the cloud is primarily governed by Section 70B of the IT Act, which mandates the reporting of cybersecurity incidents to CERT-In. Under the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-In Rules”), two types of reporting apply:
CERT-In also publishes guidelines on the formats and methods for reporting incidents, which are regularly updated on its official website. Reporting must follow the “Point of Contact” (POC) format, which is sent to CERT-In via email and updated periodically per the directives of MeitY.
Section 8(6) of the DPDP Act will also require data fiduciaries to promptly notify data principals and the DPB upon the occurrence of any personal data breach. Rule 7 of the DPDP Rules specifies that notification to the affected data principal must be made “without delay” and must include the nature of the breach, likely consequences and mitigation measures. The notification to the DPB must occur “without delay”, with a detailed report submitted within 72 hours.
Penalties for Failing to Report Data Breaches in the Cloud
Failure to report a data breach in the cloud attracts penalties under Section 70B(7) of the IT Act, including imprisonment for up to one year, a fine of up to INR10 million, or both, for non-compliance with the mandatory reporting requirements.
Under Section 33(1) of the DPDP Act, a data fiduciary may face a substantial penalty of up to INR2 billion for failing to notify the DPB and affected data principals of a personal data breach, in compliance with Section 8(6).
Data breaches in the cloud are investigated and remedied in accordance with the CERT-In Rules, under the supervision of CERT-In. When a breach is detected, CERT-In initiates an investigation by requesting information from the CSP, which must submit relevant data, including technical reports and logs, as per the CERT-In Directions of 28 April 2022.
Non-compliance can result in escalated actions, where the designated officer may report the matter to the Director General of CERT-In, and eventually to the Review Committee, which may initiate legal proceedings under the IT Act. Remedial measures may include patching vulnerabilities and strengthening security protocols to mitigate the breach’s impact, in addition to any other reasonable measures that may be required on a case-specific basis.
Timelines For Notifying Data Subjects and Regulators of Data Breaches
As discussed in 5.1 Requirements to Report Data Breaches, data breach notification standards are governed by CERT-In. The notification process varies depending on the type of reporting, as follows.
Information to Include in Data Breach Notifications
Data breach notifications in India must include specific details based on whether they are incident reports or vulnerability reports. The following particulars must be provided.
Co-Ordinating Data Breach Notifications With CSPs
Co-ordination between CSPs and regulatory authorities is critical when reporting data breaches. Under CERT-In Directions, CSPs are required to comply with several duties to ensure effective breach management.
Regulating International Data Transfers in the Context of Cloud Computing
International data transfers in the Indian jurisdiction are currently governed by the IT Act, read in conjunction with the SPDI Rules. With the introduction of the DPDP Act, a more structured framework is set to govern cross-border data flows in cloud environments.
The DPDP Act empowers the government to restrict data transfers to specific countries (a “blacklist” approach), based on their data protection standards. Accordingly, for restricted jurisdictions, CSPs would need to implement stricter legal safeguards.
Mechanisms for Transferring Data Outside India
The SPDI Rules currently regulate international data transfers through several mechanisms. Upon its enforcement, the DPDP Act will allow the government to permit transfers to all jurisdictions by default, unless a specific country or territory is explicitly restricted by notification. For countries without such restrictions, the EU’s Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which are legally recognised international standards facilitating cross-border data transfers within multinational corporations, can be referred to as benchmarks.
Addressing Data Protection Measures in International Data Transfer Agreements
International data transfer agreements in cloud computing must ensure that personal data remains protected according to the SPDI Rules and the forthcoming DPDP Act. A crucial aspect introduced by the DPDP Rules is the requirement for a data fiduciary to comply with any government orders restricting the availability of personal data to foreign states or their agencies. Key contractual mechanisms may include SCCs, which impose obligations on the data importer to maintain data subject rights, enforce security standards like encryption and access control, and address concerns about third-party government access.
Furthermore, BCRs may be incorporated into contractual agreements, which are essentially a set of internal policies for multinational companies to ensure compliance with data protection standards across borders. BCRs focus primarily on accountability, governance and redress mechanisms.
It is worth mentioning that both the SPDI Rules and, particularly, the DPDP Act rely heavily on obtaining the explicit consent of data subjects for processing their personal data, which includes cross-border data transfers. Therefore, explicit consent from data subjects must be obtained for transferring their personal data across jurisdictions.
While there is no overarching central legislation governing data localisation, it has become a critical regulatory requirement for certain sectors, particularly those involving sensitive personal data, financial data and critical infrastructure. This push towards localisation has significant implications for cloud computing, affecting operational efficiency, costs, security and compliance. Some sectoral data localisation requirements are set out below.
Implications
The aforementioned data localisation norms mandate that particular categories of data be stored within India. This directly impacts CSPs and necessitates them to invest in local infrastructure, raising operational costs and reducing flexibility in managing global data. Localisation also impacts the availability of advanced cloud services, such as AI-based analytics and real-time fraud detection, which rely substantially on cross-border data flows. These requirements pose challenges, particularly for start-ups and businesses relying on cloud-driven technologies.
While these localisation measures aim to enhance data sovereignty and privacy, they do not necessarily improve data security, as concentrating data in a sole jurisdiction can lead to vulnerabilities to cyber-attacks and loss of data due to natural disasters. In addition, CSPs may face increased compliance burdens as the Indian regulatory landscape evolves, with additional layers of complexity, making it more difficult for them to operate efficiently while ensuring regulatory compliance synchronously.
Addressing Conflicts of Law in Cross-Border Data Transfer
Conflicts of law in cross-border data transfers within the cloud computing framework particularly arise when different jurisdictions enforce varying data protection standards. The DPDP Act will govern such transfers by allowing data movement unless a country is specifically blacklisted. However, conflicts may also arise when sector-specific laws (as indicated in 1.1 Data Privacy and Cloud Computing and 6.2 Data Localisation) impose stricter requirements – eg, mandating that certain classes of data be stored within India’s borders, despite the existing SPDI Rules and the forthcoming DPDP Act permitting cross-border transfers.
To address these conflicts, CSPs and businesses must ensure compliance with sector-specific regulations while facilitating cross-border data transfers, where allowed. This can be achieved by integrating localisation requirements into their operational infrastructure. Furthermore, as discussed in 6.1 Cross-Border Transfer Regulation, cross-border data transfer agreements should be tailored to incorporate SCCs and BCRs, in addition to clear contractual provisions, to reinforce compliance with international data protection standards and minimise potential conflicts.
Risks and Challenges Associated With International Data Transfers in the Cloud
International data transfers in cloud computing face significant challenges, particularly around compliance with varying legal frameworks. Jurisdictional conflicts arise when the data of Indian residents is transferred to countries with differing regulations, like the GDPR in the EU or the CCPA in California, USA. This leads to uncertainty concerning the applicability of the law, especially when data protection standards are not equivalent. Strict sector-specific localisation requirements, as mentioned in 6.2 Data Localisation, that mandate data storage within India further complicate cross-border transfers.
There are also significant data security risks associated with transferring data to regions with weaker or no statutory protection standards, making the data vulnerable to unauthorised access or government surveillance. The DPDP Act places legal liability on Indian data fiduciaries, meaning that any breach by foreign processors can lead to hefty penalties. In addition, data subject rights, such as access or deletion requests, must be respected across multiple jurisdictions, and their enforcement can be particularly challenging when foreign laws do not offer equivalent remedies.
Conducting Compliance Audits in Cloud Environments
Compliance audits in cloud environments in India are indirectly governed by regulatory frameworks such as the Companies Act, 2013, the SPDI Rules and other sector-specific regulations, including guidelines issued by MeitY. These audits are typically conducted by independent third-party auditors or government-approved internal auditors, to assess the security, privacy and legal compliance of corporate entities, including CSPs.
Rule 8 of the SPDI Rules requires corporate bodies handling sensitive personal data to have their reasonable security practices and procedures audited by an independent auditor at least once a year, and additionally whenever they significantly upgrade their processes or computer resources. Likewise, Section 10 of the DPDP Act requires significant data fiduciaries (SDFs) to appoint an independent data auditor to carry out a data audit of their conformity with the DPDP Act. Rule 12 of the draft DPDP Rules proposes that this audit, along with a Data Protection Impact Assessment (DPIA), be undertaken annually by SDFs.
The audit process may include verifying data centre security, disaster recovery plans, data privacy measures and compliance with sector-specific regulations. For government entities, MeitY has issued guidelines that include specific audit requirements. CSPs offering services to the government must submit a sample audit report that covers critical aspects like data integration, disaster recovery and business continuity. The scope of compliance audits also encompasses reviewing legal compliance, managed services, and exit and transition plans.
Key Areas of Focus for Compliance Audits in Cloud Computing
The key areas of focus during a compliance audit in cloud computing typically include the following.
Managing Audit Trails and Logs in the Cloud
Audit trails in the cloud are crucial for tracking user activities and system events, enabling companies to maintain transparency and accountability. These trails typically include:
CSPs also ensure that audit logs are maintained securely, typically using encryption and access controls to prevent tampering.
The Companies Act, 2013, read with the proviso to Rule 3(1) of the Companies (Accounts) Rules, 2014, mandates that every company maintaining its books of account in accounting software (including cloud-based software) must use software that records an audit trail (edit log) of every transaction and of every change made to the books, together with the date of the change, and that this feature cannot be disabled. Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 in turn requires the statutory auditor to report whether such software was used throughout the year, whether the audit trail feature was tampered with, and whether the trail has been preserved for the statutory record-retention period.
Measures to Ensure the Integrity and Accuracy of Audit Reports
To ensure the integrity and accuracy of audit reports in cloud environments, CSPs and auditors must adopt a multifaceted approach that aligns with both legal and operational imperatives. The starting point is data validation: confirming that the data under audit is consistent, accurate and reliable. This is supplemented by encryption, which shields sensitive information from unauthorised access and tampering and so preserves confidentiality throughout the audit process. The engagement of key stakeholders (data fiduciaries, internal audit teams and regulatory authorities) is equally important, providing comprehensive oversight and ensuring that responsibilities are clearly delineated.
Regular audits, both internal and independent, are mandated to ensure ongoing compliance with India's evolving regulatory landscape, including the requirements set by MeitY. Data consistency checks are integral to verifying that no unauthorised alterations have been made within the cloud infrastructure, thereby safeguarding the integrity of the system. Collectively, these measures form the basis of a resilient audit framework in cloud computing environments, reconciling operational transparency with India's data protection framework.
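The tamper-resistant audit logs described under Managing Audit Trails and Logs in the Cloud, and the consistency checks for unauthorised alterations mentioned above, are usually implemented as a hash-chained, append-only log. The following is an added example written for this page, not code from the original article or from any CSP or regulator it describes; the signing key, the actor names and the three log entries are constructed for illustration, and a real deployment would keep the key in a KMS or HSM and the tail hash in a separate store.

```python
"""Tamper-evident audit trail: an append-only log in which every entry carries
an HMAC over its own fields plus the previous entry's MAC, so that editing,
deleting or reordering any entry breaks the chain from that point onward."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed key for this example only; in practice the key is held in a
# KMS/HSM and is not readable by the users whose actions the log records.
EXAMPLE_KEY = b"example-audit-log-key-not-for-production"

GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the same entry always MACs the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, resource: str,
                 key: bytes = EXAMPLE_KEY, ts: Optional[str] = None) -> dict:
    """Append one event, chaining it to the previous entry's MAC."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "resource": resource,
        "prev_hash": prev_hash,
    }
    body["hash"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_log(log: list, key: bytes = EXAMPLE_KEY,
               expected_tail: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Detects modified, deleted or reordered entries. Truncation of the tail is
    only detectable when the last known MAC is supplied as expected_tail,
    which is why the tail hash must be stored outside the log itself.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry["hash"]):
            return False, i
        prev = entry["hash"]
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    """Three constructed events with fixed timestamps for reproducibility."""
    log: list = []
    append_entry(log, "alice", "READ", "/customers/42", ts="2024-01-01T00:00:00+00:00")
    append_entry(log, "bob", "UPDATE", "/customers/42", ts="2024-01-01T00:01:00+00:00")
    append_entry(log, "bob", "DELETE", "/customers/42", ts="2024-01-01T00:02:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    edited = copy.deepcopy(log)
    edited[1]["actor"] = "alice"          # rewriting who made the change
    print("edited entry:", verify_log(edited))
    removed = copy.deepcopy(log)
    del removed[1]                        # hiding an event
    print("deleted entry:", verify_log(removed))
    print("truncated, no anchor:", verify_log(log[:2]))
    print("truncated, anchored:", verify_log(log[:2], expected_tail=log[-1]["hash"]))
```

Two points matter for an auditor reviewing such a scheme: the key used to seal entries must not be available to the application identities that write to the log, otherwise an attacker who can edit an entry can simply re-seal the chain; and the latest MAC must be periodically copied to a store the application cannot modify, because a chain that is cut at the tail still verifies cleanly on its own.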
Addressing Audit Findings and Recommendations in the Cloud
Once audit findings and recommendations are documented, they are typically addressed through a structured process, which includes the following.
Statutory Penalties for Non-Compliance With Cloud Audit Requirements
Penalties for non-compliance with audit requirements can be both statutory and contractual, depending on the nature of the CSP and the sector concerned. Such penal implications include the following.
1st Floor, DLF Centre Court, Golf Course Road, DLF Phase 5, Sector 42, Gurugram, Haryana 122002, India
+91 99991 91620
harsh.kumar@kaizenlaw.in
www.kaizenlaw.in