AI Risk Management under DPDPA 2023

“Artificial Intelligence” is a new term that is sweeping the software world, and naturally it has also percolated into the discussions of “Privacy” and DPDPA 2023.

The industry is now presented with a new ISO standard, ISO 42001, so that along with ISMS and PIMS, the concept of AIMS has now become the buzzword.

ISO 42001 is a standard that tries to establish the requirements of an AIMS (Artificial Intelligence Management System) that will focus on the system being a “Responsible AI System”. The standard can be used by both the AI developer and the user.

Though the standard should be a good guideline for many companies, it appears that as regards privacy, the AIMS as suggested needs some more tweaking.

AIMS, as envisaged, is like PIMS and has to be considered part of the ISMS. In other words, though a standalone certification is envisaged under ISO 42001, an organization cannot avoid ISO 27701 and ISO 27001 if it has to adopt ISO 42001 for Privacy. That means about 40 new controls will get added to the 93 controls of ISO 27001 and 49 controls of ISO 27701.

In the DGPSI system, FDPPI proposes to consider AIMS, PIMS and ISMS as part of the DGPMS and accommodates all the controls within 50 implementation specifications. In this approach, most of the individual controls that make the ISO system bulky and unwieldy get absorbed in the customization of controls through the policies and processes developed in the user environment.

We hope this simplification will be useful to the industry and leave scope for implementers to design the controls as per their specific needs.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.