DPDPA is here…3: Leadership Awareness

In the last two articles, we discussed how a compliance-oriented organization in India may react to the passing of the DPDPA with the following steps.

Step 1:

Conduct a Board Meeting in which the advent of the new law is taken note of and instructions are passed on to a designated person and a high-powered committee within the Company to make a Business Impact Assessment and present it to the Board for further action.

Step 2:

We presume that the CISO, or an existing DPO if available, would be requested to present a report on the first-level impact of DPDPA and suggest measures to be initiated in the short, medium and long term to meet the assessed risks. We shall call him the DPDPA Project Manager or DPM.

Now, as a third step, we assume the role of the DPDPA Project Manager and try to suggest further steps. This may be an iterative process, and there may be discussions with the committee of functional leaders to understand the impact on each of their activities.

For example: How does DPDPA affect the Marketing division? The R & D division? The HR division? The Legal division? The Finance division? And so on.

While the first reaction is to develop a questionnaire and send it across to each of them, we must remember that the functional heads might have only heard of DPDPA in the media and may not have in-depth knowledge themselves.

Hence Step 3.1 is to create awareness about DPDPA amongst the top management through a discussion. If necessary, the DPM may invite an external expert such as FDPPI to take the top management through this process.

One of the easiest ways is to avail of the “Leadership Awareness Session” available to all Corporate Members as a one-time complimentary activity. The Company may call this the “Leadership Initiative for DPDPA” (LID).

At the end of the session, the DPM can distribute a questionnaire to each of the functional heads to reflect on and respond to. Following this, the DPM can chart out further action.

Naavi

Posted in Cyber Law

DPDPA is here…2: Who will conduct the First Business Impact Assessment?

In the earlier article we discussed the need for the Board of a company to immediately pass a resolution taking note of the passage of DPDPA 2023 and initiating further action.

It would be most natural for most companies to immediately entrust the work of preparing a Board note on the impact of DPDPA on the company to the CISO.

However, the first feedback that the Board would like to get should be the “Business Impact” of the new Act which should include the “Financial Impact on the Company” and whether “Business would increase or Decrease”.

The Marketing head should make an assessment of whether any of the clients are asking for a Data Protection Compliance audit and whether it has been a business driver in previous discussions with the clients. He may therefore give feedback on whether his clients would be positively or negatively impacted if the Company declares “We are compliant with DPDPA”.

It is a common practice for customers to look at the website and see if a Company is HIPAA compliant or GDPR compliant by looking at whether the name of a Compliance Officer or DPO is published there. Similarly, customers will now look at the website and see if there is any indication of a DPO (India). If they do not find evidence of the appointment of a DPO, they may need an explanation of whether the Company is not a Significant Data Fiduciary or whether there are other reasons for no DPO being appointed.

Hence the first reaction may come from the Marketing head: that there would be a positive impact, or at least prevention of any negative impact, if the website mentions that the Company has appointed a DPO.

The second person in the top management who would sit up and take notice of the new law is the CFO, since he would have heard that there could be a penalty of Rs 250 crore or more for non-compliance even if there is no data breach.

Then the third person who may be required to respond is the Legal head, since the CEO will assume that the Legal head should know what this law is all about.

While the CMO or CFO would not have had an opportunity to study the law in detail, it is likely that even the CCO may not have a complete understanding of the issues involved, since lawyers would consider this compliance to be related to Information Security, which they regard as too technical for them.

Under the circumstances, it is most likely that the CISO would be the person to whom all heads will turn, and he would be asked to create a “Business Impact Assessment of DPDPA” in consultation with the CMO, CFO and CCO along with the CTO and the HR head. If the Company has a CRO designate, perhaps he also would be roped in. If the Company has a “Chief Privacy Officer”, then he too may have to be brought into the discussions.

This essentially means that the first step for the Board is to create a “Data Protection Governance Committee” in which all the stakeholders are made a party to study the law and come back to the Board with their preliminary assessment. The Committee could be headed by an Independent Director, and for the time being the CISO would be given the responsibility for creating the report.

At this time the CEO will definitely ask whether the CISO is the right person to double up as the DPO or whether it should be a different person.

Thus almost in the first meeting itself, the Board would be concerned with how they should proceed.

It is for this reason that some wise Companies are requesting FDPPI members to deliver an initial awareness session to the top management so that these preliminary decisions can be taken.

We shall therefore open a discussion on how you as a CISO would respond if the Board asks you to suggest some preliminary steps on DPDPA Compliance.

To be continued…

Naavi



DPDPA is here-1… Your Board Meeting has to take note

Now that DPDPA 2023 has been gazetted with the Presidential Assent, professionals in the industry are wondering what they should do now.

Should they expect that the Government will now sleep over it, that the date of applicability may not be announced for the time being, and that they can relax and go back to what they were doing earlier?

With Mr Rajeev Chandrashekar driving the Act, it may not be wise to think the Government will forget DPDPA and move on. Probably by this time the Government has shortlisted the members of the Data Protection Board and would soon come up with the names of the members of the DPB and the Chairman so that they can take charge at the earliest. Whether the DPB is set up in Delhi, Bangalore or any other place, the selected members need to move to their destination and set up their preliminary office.

The DPB will then have to get a few members of its technical team ready and open a website and backend server to maintain whatever data it needs to maintain.

Then the Government (MeitY) and the DPB will be working on the different notifications that would be required starting with the laundry list in Section 40.

Section 40 lists 26 different rules that need to be made under the law. Several more sub-rules and clarificatory notifications will also be issued from time to time.

The rules include the “Manner of appointment of the Chairperson and the Members of the Board” [Sec 40(r)]. This notification has to be released before the constitution of the DPB is announced. Along with it, the details of salaries, allowances and conditions of service of the Chairperson and the Members of the Board need to be announced [Sec 40(s)]. Then the terms and conditions of appointment and service of officers and employees of the Board [Sec 40(u)] and the manner of authentication of orders, directions and instruments [Sec 40(t)] need to be notified. The techno-legal measures to be adopted by the Board [Sec 40(v)] and other matters related to the DPB [Sec 40(w)] also have to follow.

These should be the first set of rules to be released.

However, for the industry it is immaterial how the DPB is going to be constituted or who its members will be. They need to presume that sooner or later the DPDPA will become effective and that non-compliance could lead to penalties.

Hence organizations need to start looking at what they should do now. The very first step that any responsible corporate entity should take is to take note of DPDPA having been passed and start analysing its business impact.

Hence corporate managements need to include in their next Board Meeting a resolution that the Board takes note of the passing of DPDPA and develops a “Business Impact Report” to be submitted within a short time to the Board or a sub-committee of the Board, probably the Audit Committee.

The Independent Directors need to take the lead in this respect.

Next: Who should the Board ask for the Business Impact Assessment?

Naavi


SonyLiv is living in the past…

India has just passed DPDPA 2023. While there is an expectation in the air that organizations will become more responsible in handling personal information, I came across a request for permissions for installation of the SonyLiv app on an Android mobile. This was recommended by Samsung along with one of its updates.

I wonder how SonyLiv can justify the need for all this information and how Samsung can recommend such an app, that too after DPDPA 2023 has become law in India.

The Data Protection Board to be set up has one case to follow up. Maybe many more such instances will be reported by Naavi.org in the times to come.

Naavi


We are on the Moon

We data protection professionals were already feeling that we were on the moon when DPDPA was passed into an Act.

Now we are elated that India has joined the select band of countries that have soft-landed on the Moon, and is the first on the Moon’s South Pole.

Our hearty congratulations to the entire team.

Naavi


Round Table on DPDPA and Fintech industry

FDPPI and Manipal Law School (MLS) conducted a Round Table Discussion at the MLS Campus in Yelahanka, Bangalore on DPDPA and its impact on the Fintech industry, yesterday.

Several industry professionals attended. It was a lively discussion that unravelled the intricacies of the proposed Act and its challenges for the Fintech industry. MLS/FDPPI will be collating the views of the industry professionals and documenting the industry response.

Some photographs of the event are given below.
