India needs a new approach in Privacy Implementation

It is standard practice in the Data Protection domain for an “Auditor” and an “Implementation Consultant” to have different roles in establishing Privacy and Data Protection Compliance.

However, this traditional approach places a relatively larger responsibility on the organization to understand and interpret the emerging requirements and to take steps to implement them. It is relatively easy for the auditor to step in, find faults, give impractical suggestions and exit. In most cases the company undertakes the audit exercise as a necessary formality, reverts to its usual ways of functioning, and goes back into audit mode once a year whenever the audits happen.

Naavi would like to change this “I am not responsible for designing and implementation but responsible only for audit” approach.

We do understand that there could be a need for such an approach to avoid a “Conflict” between the consultancy and audit responsibilities. But this conflict can arise even in the traditional system because of the influence a reputed auditor can bring to bear on a consultancy firm. In many cases consultancy firms work in tandem with the auditing body and the difference between the two is only on paper. The auditor calls all the shots and the consultant falls into line.

Even in such cases, as long as the auditor is true to the objective of the implementation (eg: Privacy Protection), there is no reason to assume a conflict of interest in which the objective would be compromised. But the practice and belief that the two roles should be kept separate continues to prevail and is sustained despite its inefficiencies.

Hence keeping the Auditor and the Consultant away from each other is considered artificial, and if there is a way of combining the consultancy and audit functions, it is not necessarily undesirable.

In India the DPDPB may expect that the DPO is an internal employee. Under GDPR, there is the possibility of an external DPO. Even if the Indian law does not allow an external DPO, it could allow an external Data Protection Consultant to assist the DPO. Further, the role of the DPO is more aligned with a duty to protect the interests of data subjects, and unless an organization has a separate Privacy Officer, there is an inherent conflict between the Data Principal protection duties of the DPO and the advisory responsibilities within the organization.

Naavi has therefore proposed the adoption of a new “Partner in Progress” approach to the consulting and audit of Data Protection programs in India, which will be used experimentally by FDPPI through its “Supporting Member” network of consultants.

A brief description of this new approach is provided here.

The essence of this program is that the organization will use the services of FDPPI for designing, implementing and monitoring, with periodic review. In effect, the entire PDCA cycle is managed by the FDPPI team, which will consist of a chosen set of professionals from the supporting member group.

The engagement would be on a retainer basis with additional services sourced either from within the supporting member network or outside and billed as necessary. The team would design and implement the system on a best effort basis.

The system of an external data auditor, which is inherent in the Indian law, will ensure that the work of the FDPPI consultancy team is reviewed by an external auditor, and this should satisfy the puritans who fear a conflict.

It is intended that, once the system has stabilized, the FDPPI team can exit and hand over maintenance to an internal Privacy and Data Protection management team.

This arrangement is considered ideal when an organization is going through a Digital Transformation and implementing a switchover from the current privacy and Data Protection regime under ITA 2000 to the DPDPB regime.

Disruption of the current system of Auditing is necessary and desirable and I urge FDPPI to be the instrument of such disruption.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.