Personal Data Protection and Governance Management (PDPGM) in a corporate entity is a complex journey.
- It requires discovery and tracking of the data asset and its classification into different categories of data, different sensitivity types, different law jurisdictions, different value buckets, etc.
- It also requires applying Organizational and Technical measures appropriate to each type of data and building a Privacy and Data Protection Culture across an organization.
- It also includes the Data Governance aspect of “Monetization” and “Cross Border Transfer” strategies that are Law compliant.
The current approach of all organizations is for a Company to establish a Privacy by Design Program involving management of the “Legal basis” for personal data collection and processing and of the “Security measures” for protecting the Confidentiality, Integrity and Availability of digital information. The program is monitored by the Data Protection Officer and periodically audited by an external Data Auditor.
In this process, the Company is responsible for understanding the requirements and converting them into Policy and Technology controls, and the Auditors verify and give their expert views.
In a situation where the Privacy and Data Protection landscape is evolving, with new laws appearing every other day and new interpretations evolving every day, a company engaged in productive business has to divert a large part of its resources to meet the requirements. In a large organization, there is a need to set up a Privacy Department and a DPO to supplement its CEO/CRO/CCO to achieve an acceptable level of compliance.
FDPPI, as an organization with the objective of empowering the Data Protection ecosystem in India, has adopted an approach of Concurrent Consulting, which involves close interaction with the company in designing and implementing the Privacy and Data Protection program, with Concurrent audit and Continuous improvement.
In this model, an FDPPI team is associated as an external PDPM consultant and works closely with the Company, assisting the designated Privacy Management team and the DPO. The project is managed by the designated Supporting members of FDPPI.
This is the “Partner In Progress” (PIP) approach of FDPPI, where the FDPPI team would be involved in designing the PDPM program, assisting the Company in its implementation, and periodically reviewing the functioning of the PDPM program, suggesting and implementing corrections on a continuous PDCA cycle.
It is expected that this approach would be more suitable to the Indian market, which is in the developmental stage where Privacy as a concept is new and companies have to put in extra effort to adapt to the new global culture, where Privacy infringements are considered one of the biggest regulatory threats and could result in penalties reaching up to a billion US dollars.
The engagement would be on a retainer basis with additional services sourced either from within the supporting member network or outside and billed as necessary. The team would design and implement the system on a best effort basis.
The system of an external data auditor, which is inherent in the Indian law, will ensure that the work of the FDPPI consultancy team is reviewed by an external auditor and should satisfy the puritans who fear conflict.
It is desired that after the system is stabilized, the FDPPI team can exit and hand over the maintenance to an internal Privacy and Data Protection management team.
This arrangement is considered ideal when an organization is going through a Digital Transformation and implementing a switchover from the current Privacy and Data Protection regime under ITA 2000 to the DPDPB regime.