In the earlier article we discussed the need for the Board of a company to immediately pass a resolution taking note of the passage of DPDPA 2023 and initiating further action.
It would be natural for most companies to immediately entrust the work of preparing a Board note on the impact of DPDPA on the company to the CISO.
However, the first feedback that the Board would like to get is the “Business Impact” of the new Act, which should include the “Financial Impact on the Company” and whether “Business would increase or decrease”.
The Marketing head should assess whether any of the clients are asking for a Data Protection Compliance audit and whether it has been a business driver in previous discussions with clients. He can therefore give feedback on whether his clients would be positively or negatively impacted if the Company declares “We are compliant with DPDPA”.
It is common practice for customers to look at a website and judge whether a Company is HIPAA compliant or GDPR compliant by checking whether the name of a Compliance Officer or DPO appears there. Similarly, customers will now look at the website for any indication of a DPO (India). If they do not find evidence of the appointment of a DPO, they may need an explanation of whether the Company is not a Significant Data Fiduciary or whether there are other reasons for no DPO having been appointed.
Hence the first reaction may come from the Marketing head that there would be a positive impact, or at least prevention of a negative impact, if the website mentions that the Company has appointed a DPO.
The second person in top management who would sit up and take notice of the new law is the CFO, since he would have heard that there could be a penalty of Rs 250 crore or more for non-compliance even if there is no data breach.
Then the third person who may be required to respond is the legal head, since the CEO will assume that the legal head should know what this law is all about.
While the CMO or CFO would not have had an opportunity to study the law in detail, it is likely that even the CCO may not have a complete understanding of the issues involved, since lawyers tend to consider this compliance an Information Security matter that is too technical for them.
Under the circumstances, it is most likely that the CISO is the person to whom all heads will turn, and he would be asked to create a “Business Impact Assessment of DPDPA” in consultation with the CMO, CFO and CCO, along with the CTO and the HR head. If the Company has a CRO designate, perhaps he would also be roped in. If the Company has a designated “Chief Privacy Officer”, then he too may have to be brought into the discussions.
This essentially means that the first step for the Board is to create a “Data Protection Governance Committee” in which all the stakeholders are made a party, to study the Act and come back to the Board with their preliminary assessment. The Committee could be headed by an Independent Director, and for the time being the CISO would be given responsibility for creating the report.
At this point the CEO will certainly ask whether the CISO is the right person to double up as DPO or whether the DPO should be a different person.
Thus, almost in the first meeting itself, the Board would be concerned with how it should proceed.
It is for this reason that some wise Companies are requesting FDPPI members to deliver an initial awareness session to the top management so that these preliminary decisions can be taken.
We shall therefore open a discussion on how you, as a CISO, would respond if the Board asks you to suggest some preliminary steps on DPDPA Compliance.
…To Be Continued
Naavi