Another New and Exciting Development for Data professionals

In September and October 2019, Naavi posted a series of articles on “Data Governance”. At that time a committee had been formed to develop a Data Governance Framework. This was also the time when Naavi embarked on his exploration of the “Theory of Data”.

To follow what I am now going to discuss, which I have called a new and exciting development, kindly read through the following articles:

https://www.naavi.org/wp/committee-on-data-governance-1-is-it-relating-to-anoymized-personal-data-or-non-personal-data/
https://www.naavi.org/wp/what-is-data-governance-framework/
https://www.naavi.org/wp/data-governance-framework-as-it-exists-in-india-now/
https://www.naavi.org/wp/data-productivity-vs-data-security/
https://www.naavi.org/wp/the-journey-to-the-development-of-the-theory-of-data-begins/

What I am now going to discuss is not the DPDPA 2023. It is something different.

A part of this is going to be incorporated in our ongoing CDPP training on Module I, the forthcoming training on Module A and the course being conducted at IIM Udaipur starting on September 11. This will be another pioneering effort of Naavi, after Cyber Laws in 2000 and Personal Data Protection since 2018.

Naavi


DPDPA is Here…4 Business Impact Assessment

In the earlier three articles, we covered three steps towards DPDPA compliance, namely:

  1. Board to pass a resolution for conducting a Business Impact Assessment (BIA) consequent to the passing of DPDPA
  2. Entrusting the conduct of BIA to an appropriate DPDPA Project Manager (DPM)
  3. Undertaking a Leadership Initiative for DPDPA consciousness (LID)

Let’s now discuss the concept of BIA.

We have earlier heard of the concepts of PIA (Privacy Impact Assessment) and DPIA (Data Protection Impact Assessment).

In a PIA we evaluate how a new process or event affects the privacy rights of the data subjects/Data Principals. If we are following GDPR, we may look at the legal basis of processing, how the rights are affected, whether there is any cross-border transfer, etc.

A DPIA follows a similar objective for a given process. A DPIA is process centric, while a PIA may be enterprise centric.

BIA is more in tune with DPDPA and focuses on the impact of an event (including a new process) on the overall business of the organization.

The overall business objective of an organization is preserving shareholder value by ensuring that “Penalty Risks” arising out of non-compliance are mitigated, that a suitable Governance Structure is created to maintain the Compliance Status, and that an appropriate third party audit certificate is obtained as an assurance.

The “Penalty Risk Management” objective requires an understanding of the law and its requirements, taking an inward look and conducting a Gap Assessment, and then initiating measures to bridge the identified gaps.

“Bridging the gaps” may require many policy initiatives, managerial changes and technological measures. This is the Compliance journey, the starting point of which is the BIA.

The BIA itself can be conducted at multiple levels, since the organization may have to first identify priority aspects, bridge those gaps and then identify further measures that are required. The journey of Compliance therefore goes through a cycle like the PDCA cycle used in other audits.

Get an assessment done, consider the risk appetite and adopt a mitigation charter, implement the adopted measures, and evaluate the implementation. This will be a spiralling cycle, since with each cycle new risks emerge from changes in the environment and in the internal business structure; hence the evaluation leads to a re-assessment of risks, the adoption of another mitigation charter, re-implementation of mitigation measures and re-evaluation.

The DPDPA suggests multiple internal audits as well as an external third party audit. Possibly the external audit may be considered an annual requirement, whereas the internal audit may be more frequent.

Presently the need to conduct a DPIA and appoint a Data Auditor is restricted to Significant Data Fiduciaries, and hence an annual Data Audit and a quarterly internal audit are likely to be the recommended system.

As a first step, BIA-1 needs to be a high level assessment of the impact of the Act on the entity, and the key questions to be answered are:

  1. Am I processing Personal Data relevant to DPDPA compliance?
  2. What is my status under DPDPA, Data Fiduciary (DF) or Significant Data Fiduciary (SDF) or Data Processor?
  3. Is my status as DF/SDF applicable across all my activities, or should I identify specific activity centers in which I am a DF/SDF and other activity centers where I am a Data Processor for a different DF?
  4. Am I able to segregate my Data into Personal and Non Personal, DPDPA relevant and others (GDPR Relevant) etc?
  5. Do I have a Cyber Insurance to cover part of the Risks?
  6. Do I have a designated person accountable for the compliance, or does the CEO take the responsibility?
  7. Do I have enough expertise within the organization or should I take the services of an external consultant?

Naavi


Awareness to Consciousness... let us make the move now

“Awareness” is a common word used by the industry whenever new developments like the DPDPA happen. We all start conducting more and more “Awareness Training Sessions”.

But awareness is often a surface level understanding and does not go deep enough to create a behavioural change. When awareness is absorbed by an individual and internalized, it becomes “Consciousness”.

From now onwards the objective of all training initiatives of Naavi will be called “Building Consciousness instead of Building Awareness”.

This will be the distinguishing aspect of all Naavi, Cyber Law College and FDPPI efforts.

Naavi


DPDPA is here…3: Leadership Awareness

In the last two articles, we discussed how a Compliance oriented organization in India may react to the passing of the DPDPA with the following steps:

Step 1:

Conduct a Board Meeting in which the advent of the new law is taken note of, and instructions are passed on to a designated person and a high powered committee within the Company to make a Business Impact Assessment and present it to the Board for further action.

Step 2:

We presume that the CISO, or an existing DPO if available, would be requested to present a report on the first level impact of DPDPA and suggest measures to be initiated in the short, medium and long term to meet the assessed risks. We shall call him the DPDPA Project Manager, or DPM.

Now, as a third step, we assume the role of the DPDPA Project lead and try to suggest further steps. This may be an iterative process, and there may be discussions with the committee of functional leaders to understand the impact on each of their activities.

For example, how does DPDPA affect the Marketing division? The R&D division? The HR division? The Legal division? The Finance division? And so on.

While the first reaction is to develop a questionnaire and send it across to each of them, we must remember that the functional heads might only have heard of DPDPA in the media and may not have in-depth knowledge themselves.

Hence Step 3.1 is to create awareness about DPDPA amongst the top management through a discussion. If necessary, the DPM may invite an external expert such as FDPPI to take the top management through this process.

One of the easiest ways is to avail of the “Leadership Awareness Session” available to all Corporate Members as a one-time complimentary activity. The Company may call this the “Leadership Initiative for DPDPA” (LID).

At the end of the session, the DPM can distribute a questionnaire for each of the functional heads to reflect on and respond to. Following this, the DPM can chart out further action.

Naavi


DPDPA is here…2: Who will conduct the First Business Impact Assessment?

In the earlier article we discussed the need for the Board of a company to immediately pass a resolution taking note of the passage of DPDPA 2023 and initiating further action.

It would be most natural for most companies to immediately entrust the work of preparing a Board note on the impact of DPDPA on the company to the CISO.

However, the first feedback that the Board would like to get should be the “Business Impact” of the new Act which should include the “Financial Impact on the Company” and whether “Business would increase or Decrease”.

The Marketing head should assess whether any of the clients are asking for a Data Protection Compliance audit and whether it has been a business driver in previous discussions with the clients. He may therefore give feedback on whether his clients would be positively or negatively impacted if the Company declares “We are compliant with DPDPA”.

It is a common practice for customers to look at the website and see if a Company is HIPAA compliant or GDPR compliant by checking whether the name of a Compliance officer or DPO appears on the website. Similarly, customers will now look at the website and see if there is any indication of a DPO (India). If they do not find evidence of the appointment of a DPO, they may need an explanation of whether the Company is not a Significant Data Fiduciary or whether there are other reasons for no DPO being appointed.

Hence the first reaction may come from the marketing head: there would be a positive impact, or at least prevention of any negative impact, if the website mentions that the Company has appointed a DPO.

The second person in the top management who would sit up and take notice of the new law is the CFO, since he would have heard that there would be a penalty of Rs 250 crore plus for non-compliance even if there is no data breach.

Then the third person who may be required to respond is the legal head, since the CEO will assume that the legal head should know what this law is all about.

While the CMO or CFO would not have had an opportunity to study the law in detail, it is likely that even the CCO may not have a complete understanding of the issues involved, since they would consider this compliance to be related to Information Security, which is too technical for the lawyers to understand.

Under the circumstances, it is most likely that the CISO would be the person to whom all heads will turn, and he would be asked to create a “Business Impact Assessment of DPDPA” in consultation with the CMO, CFO and CCO along with the CTO and the HR head. If the Company has a CRO designate, perhaps he also would be roped in. If the Company has a designation of “Chief Privacy Officer”, then he also may have to be brought in for the discussions.

This essentially means that the first step for the Board is to create a “Data Protection Governance Committee” in which all the stakeholders are made a party, to study the Act and come back to the Board with their preliminary assessment. The Committee could be headed by an Independent Director, and for the time being the CISO would be given the responsibility for creating the report.

At this time the CEO will definitely ask whether the CISO is the right person to double up as the DPO or whether it should be a different person.

Thus almost in the first meeting itself, the Board would be concerned with how they should proceed.

It is for this reason that some wise Companies are requesting FDPPI members to deliver an initial awareness session to the top management so that these preliminary decisions can be taken.

We shall therefore open a discussion on how you as a CISO would respond if the Board asks you to suggest some preliminary steps on DPDPA Compliance.

... To Be Continued

Naavi


DPDPA is here-1… Your Board Meeting has to take note

Now that DPDPA 2023 has been gazetted with the Presidential Assent, professionals in the industry are wondering what they should do now.

Should they expect that the Government will now sleep over it, that the date of applicability may not be announced for the time being, and that they can relax and go back to what they were doing earlier?

With Mr Rajeev Chandrashekar driving the Act, it may not be wise to think the Government will forget DPDPA and move on. Probably by this time the Government has shortlisted the members of the Data Protection Board and would soon come up with the names of the members of the DPB and the Chairman so that they can take charge at the earliest. Whether the DPB is set up in Delhi, Bangalore or any other place, the selected members need to move to their destination and set up their preliminary office.

The DPB will then have to get a few members of its technical team ready to open a website and a backend server to maintain whatever data it needs to maintain.

Then the Government (MeitY) and the DPB will be working on the different notifications that would be required, starting with the laundry list in Section 40.

Section 46 lists 26 different rules that need to be made as per the law. Several more sub-rules and clarificatory notifications will also be issued from time to time.

The rules include the “Manner of appointment of the Chairperson and the Members of the Board” [Sec 40(r)]. This notification has to be released before the constitution of the DPB is announced. Along with it, the details of salaries and allowances and conditions of service of the Chairperson and the members of the Board need to be announced [Sec 40(s)]. Then the terms and conditions of appointment and service of officers and employees of the Board [Sec 40(u)] and the manner of authentication of orders, directions and instruments [Sec 40(t)] need to be notified. The techno-legal measures to be adopted by the Board [Sec 40(v)] and other matters related to the DPB [Sec 40(w)] also have to follow.

These should be the first set of rules to be released.

However, for the industry it is immaterial how the DPB is going to be constituted or who its members will be. They need to presume that sooner or later the DPDPA will become effective and that non-compliance could lead to penalties.

Hence organizations need to start looking at what they should do now. The very first step that any responsible Corporate entity should take is to note that DPDPA has been passed and start analysing its business impact.

Hence Corporate Managements need to include in their next Board Meeting a resolution that the Board takes note of the passing of DPDPA and develops a “Business Impact Report”, to be submitted within a short time to the Board or to a sub-committee of the Board (probably the Audit Committee).

The Independent Directors need to take the lead in this respect.

Next: Who should the Board ask for the Business Impact Assessment?

Naavi
