Data protection must be a CEO-level concern to ensure customer confidence: Sachin Tayal, Managing Director, Protiviti – The HinduBusinessLine

Clipped from: https://www.thehindubusinessline.com/companies/data-protection-must-be-a-ceo-level-concern-to-ensure-customer-confidence-sachin-tayal-managing-director-protiviti/article70464949.ece

Says CEOs should have an active part in the compliance efforts, engaging with employees, and considering how data is collated and used

Sachin Tayal, Managing Director, Protiviti

With the enforcement of data and privacy protection laws in India, data risk will transition into business risk. Companies will have to take a hard look at the data residing with their vendors and outsourced partners to ensure client confidence. While many entities have done a lot when it comes to setting a privacy framework, Sachin Tayal, Managing Director at Protiviti, argued that Chief Executive Officers should have an active part in the compliance efforts, engaging with employees, and considering how data is collated and used in different parts of the organisation and extended organisation in the AI age. Edited excerpts:

Are CEOs gradually becoming more invested in the idea of DPDP compliance?

Absolutely. Their name is going to get published in the consent application, a challenge for them. Then, there are the fines under the Act that are also quite serious in nature. When the Vishakha guidelines came, CEOs said it is equally important to see what is really happening on the workplace side as well. The same happened with the Prevention of Corruption Act. There is also the impact on reputation. So, data is no more the Chief Data Officer’s problem, but the CEO’s problem.

Do you feel there is enough awareness among company clientele regarding data protection and privacy?

When we did a survey recently, 82 per cent of respondents said the data handled by companies is neither transparent enough nor trusted enough. What is going to happen is that more people (especially with Gen Z and Gen Alpha entering the workforce) are going to become very particular about how data is used. The seriousness of company responsibilities has increased and, hence, in the next one or two years, things are going to change drastically. Clients are very, very serious about it. They’re putting all their mind to ensure they are not just implementing it in letter but in spirit.

How would you advise CEOs to go forward with DPDP compliance?

It is extremely important for leaders to actively change workplace culture and to think in terms of data privacy. How do we protect the data and how to use that data? Employees need to be trained on that, which means every leader has to make it part of the leadership discussions. There are tools and technologies to manage such data and also such information. The whole process and workflow is becoming complex. CEOs must budget accordingly. Lastly, the response time when a breach or leak occurs, even if it is small in nature. How you address that will be very important. One of the credit bureaus in the US lost some 40 million users’ data, including credit card information. Thirty per cent of the share price dropped. Moreover, they did not have a policy or data officers.

What kind of structural change should companies anticipate?

The only structural change is they will start appointing one person as a Chief Data Officer for end-to-end data programmes: where data will go, who’s owning it, etc. It’s like an internal mechanism to ensure coordination between compliance and business, and that person also helps in terms of analytics, data science, AI. So, those positions will open up. There are some companies who have already done it.

How will small and medium businesses take the burden of the rehaul?

I don’t see it as an extra compliance. They don’t need CDOs like big companies. That additional responsibility may be given to one of the executives in the organisation. For promoters or business owners, the messaging within the organisation while processing data is key.

Can you talk about how this idea of digital responsibility, or taking care of digital privacy, fits into the digital ambition of companies?

AI is based on data. It is very important to think about protecting data when collating and processing it. We must have a digital ambition, but it has to be built on the foundation of a proper data protection process of when such models are being built. They don’t have to slow down AI usage, but make sure all policies and frameworks exist, train every employee and ensure proper mapping of how data is collected, processed, stored and forgotten. Consent application needs to be applied, and the consent has to be graded. Lastly, CEOs need to make sure that any data leakages, escalations reach their desk. That is going to be very, very critical. In the next one year, they need to carve out time for having a monthly review on this issue.
