Personal Data Protection (PDP) Compliance Audit

Indian Personal Data Protection Framework

• Data Protection Plan - Policies, procedures and processes should focus on the core value of protecting the personal data and privacy of people as a top-most priority.
• Data requirement, collection and purpose – A company should clearly distinguish between personal, public, sensitive data and the need for collecting such data. The method of collection, the time of requirement and its purpose should be clear to the person whose data is being requested.
• Storage and transfer of Personal data – The company must define where the data is stored and what is duration for which it will be retained. It should also define if personal data is transferred to locations outside the country and if the same meets the PDP Bill requirements.
• Data Principal Rights – There should be processes defined to ensure individuals (data principals) can exercise the 4 major rights granted to them by the Bill by following the said processes.
• Breach Identification & Notification – A company should have procedures in place to identify breaches and notify the relevant Authority as prescribed in the bill.
• Grievance Mechanism - A company should have grievance redressal mechanisms in place to give individuals the right and access to highlight any issues or concerns regarding their personal data.
• Data Protection Impact Assessment – When using a new technology or adopting a new process/system, the company should conduct a Data Protection Impact Assessment to ensure personal data is protected always.
• Record-Keeping – A company should maintain personal data only for the time period they require and not exceed the same which would breach the requirements of the bill.
• Data Audits – The company should conduct an annual review of its data protection policies and processes to ensure adherence to the Bill requirements.
• Data Protection Officer – The company should appoint a data protection officer to carry out duties and functions as required by the Bill.
• Offences – Relevant staff handling personal data should be trained on the regulatory requirements of the PDP bill to ensure non compliances or negligence on their part do not invite any unsolicited fines and penalties which would tarnish the company reputation and lead to loss of clients/customer trust.

How Xiarch Can Help?

• Gap Assessments - Conduct a data privacy/protection gap assessment to highlight any gaps or lapses in your framework/policies/processes and suggest an effective data privacy management mitigation plan based on relevant industry best practices to close those gaps.
• Framework Setup - Define a data protection governance framework by setting up privacy policies, controls, risk assessments and consent forms which are compliant with the regulations of India’s Personal Data Protection Bill (draft) 2018. Riskpro can also help you implement the framework/policies/processes in a timely and systematic basis.
• Third Party Risk Assessments – If you have any third parties who handle processes wherein personal data may be involved, Riskpro can conduct third party risk assessment to give you clarity/ assurance regarding the level of adherence to the PDP Bill by your third parties. Riskpro can also suggest putting a plan in place so that potential personal data breaches by third parties are identified and rectified on a timely basis.
• Implement/ Review Regulatory Updates - Define procedures and processes in place to ensure any changes or updates in the bill are identified and incorporated within the company policies and implemented accordingly. Additionally, Riskpro can also conduct policy reviews to ensure the latest regulatory updates are reflecting therein.
• Compliance Audits – If you already have a data protection/privacy framework and policy/procedures defined, Riskpro can conduct a compliance audit to ensure the processes are working effectively and the controls/ framework defined is adequate and in accordance with the requirements of the PDP Bill.
• Training to Staff – Riskpro can conduct online or in-person trainings to relevant staff regarding the regulatory requirements of the Indian Personal Data Protection Bill and their duties while handling or processing personal data to ensure compliance to the bill.

Benefits of Conducting a PDP Compliance Assessment

• Competitive Edge – When your firm is certified as PDP compliant, it will give you an edge over your competitors who aren’t. This becomes a differentiating factor for you. You will get more clients having this as a feather in your cap.
• Customer Trust – You can earn the valuable trust of your existing and potential customers that personal data is handled securely and as per the compliances required by the PDP bill.
• Strengthen Controls – When you know you adhere to the compliances required by the PDP Bill; you are more confident about the controls with regards to data handling and processing within your company.
• Be Assessment Ready – By adhering to compliance requirements of the PDP Bill, you will be well prepared for internal assessments or audits by external firms rather than reacting to incidents or data breaches when they happen.
• Avoid Penalties – If there are gaps/ breaches highlighted during our assessment, you can take reasonable steps to ensure controls are in place to ensure such lapses and breaches don’t occur again thus avoiding hefty penalties.