The DPDP Act, 2023 is set to reshape India's data landscape by placing clear responsibility on organisations for the personal data they hold. Aiming to balance individual rights with corporate obligations, the Act not only sets out governance structures for data collection and processing but also drives organisational changes that reinforce accountability in handling personal data. Its effects go beyond compliance measures: it prompts a rethink and reconfiguration of customer-facing operations and touches diverse business functions, including HR, legal, procurement, and product engineering. Tarun Kaura, Partner and Cyber Leader at Deloitte India, discusses the transformations and challenges organisations face in adapting to these regulations and strengthening their cybersecurity postures. Excerpts:
How have recent regulations, such as DPDP (Digital Personal Data Protection Act, 2023) and others, influenced the way organizations handle personal data?
Regulations such as the DPDP Act, 2023 are going to usher in a new era of data responsibility in India’s digital landscape. It not only creates but attempts to balance the rights and obligations of individuals and companies. In terms of governance, it provides organizations with an understanding of how to collect and process the data of individuals. Hence, businesses will have to make changes that signify their sense of accountability towards personal data - ways to protect, seek consent, address grievances, and handle breaches (if any) in a timely and appropriate manner. The Act will prompt organisations to rethink and reconfigure their customer-facing business operations so that they strongly consider data responsibility as a part of customer experience. Beyond that, the Act will also impact other business functions such as HR, legal, etc., in how they conduct their ways of working when dealing with personal data; the procurement function in how they buy products and services handling personal data; and the product engineering groups in how they design systems dealing with personal data.
What are some key challenges organizations face in complying with these data protection regulations, and how have they adapted their cybersecurity strategies to meet these requirements?
Historically, there hasn’t been such a strong focus on data privacy in India, and in the last few years digital transformation has also peaked, with cloud adoption, customer-facing applications, and internet businesses where data is at the heart of service offerings. Not every organisation would have adequately factored in data security and privacy. So, you can imagine - the attack surface has significantly expanded and data perimeters also don’t exist as they did before. Getting full visibility of this data is becoming a challenge, and this data is held across business functions. This is perhaps the first step towards understanding their current personal data landscape. Other challenges can be overlaps and contradictions with other regulations, which also need to be managed. Companies are tackling these issues by bolstering their organization-level privacy policies, increasing awareness and training across departments, and adopting both security and privacy tools to enable and simplify the compliance processes.
How do data protection regulations affect the development and implementation of cybersecurity technologies and practices within organizations?
To comply with the data protection regulations, companies are considering technologies to identify and classify the data, and to automate the process of consent and the management of individual rights as per the applicable laws. Security measures such as role-based access control, encryption, and password protection to secure information across its life cycle are also being considered and implemented. At the same time, organizations are revisiting and augmenting their privacy policies, with a review of governance, people, culture, and third-party risks, along with periodic privacy audits and assessments.
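The answer above names three controls together: data classification, consent and purpose management, and role-based access control. The following Python module is an added illustration of how those controls fit together in a single enforcement point; it is not code from the interview, from Deloitte, or from any product the answer refers to. The field classes, roles, purposes, the sample customer record and the pseudonymisation key are all constructed assumptions for the example.

```python
"""Added example: a minimal personal-data access gate combining field
classification, consent/purpose checks, role-based access and an audit trail.
All roles, purposes, field names and the key below are constructed for the
example and are not from the original interview or any real product."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Classification tables (assumed): which record fields are personal data,
# and which of those need stricter handling.
PERSONAL_FIELDS: Set[str] = {"name", "email", "phone"}
SENSITIVE_FIELDS: Set[str] = {"health_status"}

# Role-based access (assumed): the personal fields each role may see in clear.
# Non-personal fields are visible to every role; an analyst sees none in clear.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support_agent": {"name", "email"},
    "clinician": {"name", "health_status"},
    "analyst": set(),
}

# Key used to derive a stable pseudonymous reference for a data principal.
# Placeholder for the example only; a real deployment loads it from a secrets store.
PSEUDONYM_KEY = b"example-key-not-for-production"


@dataclass
class ConsentRecord:
    """Consent given by one data principal, scoped to explicit purposes."""
    principal_id: str
    purposes: Set[str]
    withdrawn: bool = False  # consent can be withdrawn later; withdrawal must be honoured


@dataclass
class PersonalDataGate:
    """Single enforcement point through which personal data is read."""
    consents: Dict[str, ConsentRecord]
    audit: List[str] = field(default_factory=list)

    @staticmethod
    def classify(field_name: str) -> str:
        """Tag a field as sensitive, personal or non_personal."""
        if field_name in SENSITIVE_FIELDS:
            return "sensitive"
        if field_name in PERSONAL_FIELDS:
            return "personal"
        return "non_personal"

    @staticmethod
    def pseudonymise(principal_id: str) -> str:
        """Keyed hash so logs and analytics can correlate a person without the raw ID."""
        return hmac.new(PSEUDONYM_KEY, principal_id.encode(), hashlib.sha256).hexdigest()[:16]

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        consent = self.consents.get(principal_id)
        return consent is not None and not consent.withdrawn and purpose in consent.purposes

    def withdraw(self, principal_id: str) -> None:
        """Record withdrawal; later access attempts for this person are refused."""
        if principal_id in self.consents:
            self.consents[principal_id].withdrawn = True
            self.audit.append(f"WITHDRAW principal={self.pseudonymise(principal_id)}")

    def access(self, role: str, principal_id: str, purpose: str,
               record: Dict[str, object]) -> Dict[str, object]:
        """Return the view of `record` that `role` may see for `purpose`.

        Order of checks: purpose-bound consent first, then role permissions.
        Personal fields the role is not cleared for are dropped (data minimisation)
        rather than masked, so nothing unnecessary leaves the gate.
        """
        ref = self.pseudonymise(principal_id)
        if not self.has_consent(principal_id, purpose):
            self.audit.append(f"DENY role={role} principal={ref} purpose={purpose}")
            raise PermissionError("no valid consent for this purpose")
        allowed = ROLE_PERMISSIONS.get(role, set())
        view: Dict[str, object] = {"principal_ref": ref}
        for name, value in record.items():
            if self.classify(name) == "non_personal" or name in allowed:
                view[name] = value
        self.audit.append(
            f"ALLOW role={role} principal={ref} purpose={purpose} fields={sorted(view)}")
        return view


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    gate = PersonalDataGate({"p1": ConsentRecord("p1", {"support", "care"})})
    sample = {"name": "Asha", "email": "asha@example.test", "phone": "+91-00000-00000",
              "health_status": "allergy: penicillin", "order_total": 1200}
    print(gate.access("support_agent", "p1", "support", sample))
    print(gate.access("clinician", "p1", "care", sample))
    gate.withdraw("p1")
    try:
        gate.access("support_agent", "p1", "support", sample)
    except PermissionError as exc:
        print("refused after withdrawal:", exc)
    print("\n".join(gate.audit))
```

The ordering matters: the purpose-bound consent check runs before any role lookup, so a privileged role cannot read data the person never agreed to be used for that purpose, and every decision, allowed or refused, lands in the audit list with only a pseudonymous reference to the individual.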
What are the key responsibilities of a CISO in today's digital landscape?
A CISO’s responsibility covers the whole spectrum of securing (protecting against an attack with cyber strategies, policies, procedures, systems, and controls); vigilance (monitoring, threat and vulnerability management, and analytics to identify early warning signals); and resilience (robust incident response and crisis management, cyber war gaming, and other awareness programs). A CISO is looked at as the guardian of a company’s sensitive information and digital assets. They are also responsible for compliance with various security and privacy regulations. But a CISO in today’s digital age is transforming from being prescriptive to becoming a business influencer and an enabler, who collaborates with and empowers business leaders to think of security from the very onset. The office of the CISO is entering a crucial pivot where there is a need to understand and empathise with the business and successfully leverage security in bolstering resilience, customer experience, and stakeholder value.
How does the CISO collaborate with other departments within an organization to enhance cybersecurity measures?
Today, a CISO very closely influences the digital transformation of an organization. This, of course, requires collaboration with other departments too. A CISO works with the IT team on the implementation of security controls and to ensure that the confidentiality, integrity, and availability of information systems are upheld. A CISO collaborates with the CTO/CDO to ensure security, privacy, and resilience are embedded across digital initiatives and programs, including the secure software development lifecycle. The legal teams work with the CISO to ensure compliance with security and privacy regulations. Working with human resources, the CISO ensures that security training and awareness get seamlessly incorporated into onboarding processes and people development. The CISO collaborates with the CFO office on cyber budgets, skilling, and optimizing the spend. Last, but most important, the CISO collaborates with the board and the leadership to keep them updated on the latest security issues and to embed security right into the culture and the mindset of the organisation.