Privacy Budgeting for DPDPA


In a world of evolving regulations and heightened scrutiny, smart budgeting is the key to safeguarding data and ensuring compliance.

At DPO Club we have curated this research on Privacy Budgeting for DPDPA.

In this article, authored by Ankit Sharma, Information Security Compliance Lead at Pine Labs, Shivang Mishra, and Akarsh Singh, Founder and CEO of Tsaaro Consulting, we dive deep into the realm of privacy budgeting, providing insights on streamlining processes, optimizing resources, and setting up a privacy program to succeed.

We would like to thank Arya Tripathy, Partner at Priti Suri and Associates (PSA), Tanin Chakraborty (tc), Senior Director and Global Data Privacy Officer at Biocon Biologics, and Aditya Gautam, Senior Manager, Data Privacy at Adani Group for reviewing this article and providing their valuable inputs.

Introduction

In the early part of the 21st century, regulators became vigilant and companies began to adopt cybersecurity measures. After 2010, regulators also began to mandate data protection measures and placed an obligation on larger organizations to ensure data privacy. For smaller businesses, privacy began as a trend: they followed in the footsteps of the bigger businesses without understanding whether, or how far, privacy regulations applied to them.

In recent times, all stakeholders in the ecosystem have been keen, curious, and agile with expectations around cybersecurity, information security, and informational privacy. Thus, privacy programs have garnered a lot of attention, and companies have begun to invest in such programs.

It is very important to budget the program according to the actual requirements and the current standing of the organization.

This has become even more important since the Digital Personal Data Protection Act, 2023 (DPDPA) has received Presidential Assent and its enforcement is anticipated.

To create an efficient, economical and effective privacy budget, a step-by-step approach can prove crucial. The steps are explained below.

1. Setting a Goal.

It is important that a goal is set. To do this, a professional should understand the working of the organization thoroughly, and in particular whether the entire organization needs a single privacy program or whether specific programs are required for specific entities.

This also matters because robust privacy governance is a goal of the organization as a whole, but achieving it requires certain departments to put specific measures in place.

2. Understanding the Current Standing of the Organization.

It is essential to acknowledge that privacy budgeting is relative to where the organization stands. One should map the current standing of the organization vis-à-vis privacy measures. Since cybersecurity is closely related, one must also assess the security measures in place, for instance whether vulnerability management exists for the organization. If basic measures are absent, the budget will be higher, because those controls must be funded before the privacy program can rely on them.

3. Understanding Whether There is a Need for a Privacy Program.

A professional should understand the actual need for a privacy program. For instance, if a business does not deal with Brazilian consumers, it does not have to put in place compliance measures for the Brazilian law (LGPD). It is important to understand which regulations apply and to what extent they apply. Often, not all provisions of a law are relevant to the organization. For instance, certain obligations under the DPDPA apply only to entities notified by the Central Government as Significant Data Fiduciaries.

In case there is a contractual requirement for data privacy, the contract should be carefully read and understood to highlight the requirements that are mandated. These can then be accounted for in the privacy program budget.

4. Identify Expenses.

A company has many fixed and variable costs. Only after taking these into account can the management of the company decide what the budget for the privacy program can be.

It is also essential to understand the cash inflows of the business to better gauge the optimum amount for allocation. Privacy can be an expensive venture, so it is important to apportion financial resources for it up front to ensure that the processes are not hindered later.

5. Role of Third Parties and Technological Tools.

A privacy professional should look for third parties and tools which might be needed for the program. These depend on the regulatory requirements of the business, their contractual requirements, and their current status with regards to privacy.

Budgeting a program should take into account that there are costs for technology, processes and audits. For example, the cost of privileged access management should be accounted for. Specialist staff may also be needed to manage those programs efficiently.

6. Communication and Coordination.

Communication and collaboration are very important for budgeting. Internal stakeholders are coordinated with so that they understand the need for the program, and external stakeholders are consulted to understand what budget is required to achieve the goal.

Trusted partners are also consulted to understand the on-ground realities. Since these people have worked in the privacy industry, they know the ins and outs of the requirements and can help in building a more robust budget plan.

Conclusion

For a privacy professional, it is important to narrow things down to what the entity actually requires, since only a limited budget is set for the program each year, and it is vital that adequate financial resources are allocated to each requirement. For this, the depth and nature of the compliance mandates should be understood.

For optimum efficiency, the limited budget should be apportioned across the different functions. Bigger problems are broken down into smaller ones so that resources can be allocated more precisely.


Disclaimer: DPO Club is a not-for-profit research initiative aimed at raising awareness regarding data privacy. The views expressed by the authors and reviewers are their personal opinions and do not necessarily reflect the views of their respective organizations.