India has finally come out with its draft personal data protection bill. If you are an information security professional, I assume that you have already gone through the draft and have identified the gaps that you need to fill. If you are part of an organization that has already complied with European GDPR, then at least you are familiar with the concepts and basic steps.
At the recently concluded 19th CIO&Leader Conference, I asked a number of CIOs, some of whom also handle security in some capacity, about the preparation for complying with the regulation. It was heartening to know that most B2C companies are sensitized. Some have even created teams to figure out what to do. This is a long way from the state of affairs just a few months back. When I had asked a similar audience, nay, actually all security professionals, about the Srikrishna Committee white paper that had been released two weeks back, many of them had not even heard of it!
The growing sensitization is good, because it is the security professionals who will ensure that some of the obligations are met.
The cover story explores whether CISOs or other security professionals would be designated as the Data Protection Officers (DPOs) that the bill requires organizations to appoint.
India will face a unique challenge. Unlike in the West, in India, few citizens are worried about privacy. An INR 10 recharge will make people share all their details. The third parties here are mom-and-pop shops who work for large corporations in a multi-tier ecosystem. Making them compliant is not a small challenge. Add to that India’s track record of enforcement (India is fairly progressive in enacting legislation) and it is going to be a tough game.
My guess is that the sectoral regulators and industry associations in industries like banking, telecom, insurance and mutual funds will sit together to create some sort of guidelines. I also expect that the CISOs will be mandated to carry out the responsibility of the DPO, at least initially.
So, get ready. And also, do not forget to go through the draft bill carefully and offer your suggestions. The government has asked for feedback on the draft bill, which has to be submitted by September 10.
All the best!