In the earlier three articles, we covered three steps towards DPDPA compliance, namely:
- Board to pass a resolution for conducting a Business Impact Assessment (BIA) consequent to the passing of DPDPA
- Entrusting the conduct of BIA to an appropriate DPDPA Project Manager (DPM)
- Undertaking a Leadership Initiative for DPDPA consciousness (LID)
Let’s now discuss the concept of BIA.
We have earlier heard of the concepts of PIA (Privacy Impact Assessment) and DPIA (Data Protection Impact Assessment).
In a PIA we evaluate the impact of a new process or event on the privacy rights of the data subjects/Data Principals. If we are following GDPR, we may look at the legal basis of processing, how the rights are affected, whether there is any cross-border transfer, etc.
A DPIA follows a similar objective for a given process. DPIA is process-centric, while PIA may be enterprise-centric.
BIA is more in tune with DPDPA and focuses on the impact of an event (including a new process) on the overall business of the organization.
The overall business objective of an organization is preserving shareholder value by ensuring that “Penalty Risks” arising out of non-compliance are mitigated, that a suitable Governance Structure is created to maintain the Compliance Status, and that an appropriate third-party audit certificate is obtained as an assurance.
The “Penalty Risk Management” objective requires an understanding of the law and its requirements, taking an inward look and conducting a Gap Assessment, and then initiating measures to bridge the identified gaps.
“Bridging the gaps” may require many policy initiatives, managerial changes and technological measures. This is the Compliance journey, the starting point of which is the BIS.
The BIS itself can be conducted at multiple levels, since the organization may have to first identify priority aspects, bridge those gaps, and then identify further measures that are required. The journey of Compliance therefore goes through a cycle like the PDCA cycle used in other audits.
Get an assessment done, consider the risk appetite and adopt a mitigation charter, implement the adopted measures, evaluate the implementation. This will be a spiralling cycle since with each cycle, new risks emerge with the changes in the environment and internal business structure and hence the evaluation leads to a re-assessment of risks and a re-adoption of another mitigation charter, re-implementation of mitigation measures and re-evaluation.
The DPDPA suggests multiple internal audits as well as an external third-party audit. Possibly the external audit may be considered an annual requirement, whereas the internal audit may be more frequent.
Presently the need to conduct a DPIA and appoint a Data Auditor is restricted to Significant Data Fiduciaries, and hence an annual Data Audit and a quarterly internal audit are likely to be the recommended system.
As a first step, the BIS-1 needs to make a high-level assessment of the impact of the Act on the entity, and the key questions to be answered are:
- Am I processing Personal Data relevant to DPDPA compliance?
- What is my status under DPDPA, Data Fiduciary (DF) or Significant Data Fiduciary (SDF) or Data Processor?
- Is my status as DF/SDF applicable across all my activities, or should I identify specific activity centers in which I am a DF/SDF and other activity centers where I am a Data Processor for a different DF?
- Am I able to segregate my data into Personal and Non-Personal, DPDPA-relevant and others (GDPR-relevant), etc.?
- Do I have Cyber Insurance to cover part of the risks?
- Do I have a designated person accountable for the compliance, or does the CEO take the responsibility?
- Do I have enough expertise within the organization or should I take the services of an external consultant?