By Sakshi Kharkar

If your organisation already has a GDPR framework in place, you are starting your DPDPA compliance journey closer to the top of the hill with your shoelaces tied, map in hand and destination in clear sight. All this puts you in a far better position than those who have no formalised programme and who are still wandering around looking to buy the right pair of shoes for the journey. But before you assume you are in touching distance of the summit, let’s consider what DPDPA readiness looks like in practice and why your GDPR labours, whilst helpful, still require some work.

How GDPR foundations support DPDPA compliance
A programme designed to support GDPR compliance is a good starting point. Since GDPR has been in place now for close to 10 years, not only has it provided the overall framework, it has also instilled in you the discipline to not leave your personal data lying around unsupervised. If you have a mature GDPR-oriented privacy programme, you likely already have: 

  • A strong understanding of privacy principles;

  • A well-developed Record of Processing Activities (RoPA);

  • Familiarity with privacy impact assessments and established procedures for knowing when and how to conduct them;

  • Established policies and procedures that act as strong organisational controls;

  • Tools and processes to manage personal data breaches and privacy rights requests.

With these foundations in place comes insight: you know what personal data is being processed, where it resides, who has access to it and what controls are in place to protect it. You have mapped out your processes, identified risks and may well have also weathered a few difficulties along the way, such as data breaches and retention problems.

Where the GDPR and the DPDPA diverge and why this matters
Whilst the DPDPA shares some similarities with the GDPR, there are equally clear points of divergence, meaning that pursuing compliance with one does not equate to compliance with both pieces of legislation. It is important to understand the differences in order to build a privacy programme that crosses the t’s and dots the i’s from a DPDPA perspective.

The DPDPA is more prescriptive than the GDPR in certain areas, especially regarding consent. Under the DPDPA, consent isn’t just one of the lawful bases for processing personal data – it is the key basis. 

What this means in practice is that consent will need to be managed more rigorously for more processing activities, supported by clearer and more specific communication and underpinned by a properly functioning mechanism that lets individuals withdraw consent as easily as they give it. The GDPR sets out multiple lawful bases for processing personal data, consent being only one of them. Your organisation’s privacy programme will need to be adapted to incorporate this significant difference.
 
A timely overhaul of organisational controls
Most organisations with GDPR-oriented privacy programmes have privacy policies and controls that were drafted several years ago. Whilst they may well look great on an intranet page, the real question is: are they helping the organisation and its people? Are they being implemented consistently, and are they still effective?

While your business prepares for the DPDPA, now is the ideal time to review your existing policies and the extent to which they are being followed. This review can incorporate the requirements the DPDPA mandates and confirm that teams actually follow them.

Keeping up with changes
GDPR has been around for nearly 10 years. In that time, much has changed with regards to both the organisation and technology in use. The way the organisation collects and processes data may also have changed. Complying with the DPDPA provides an opportunity to refresh your privacy programme. It is a chance to: 

  • Revisit your GDPR compliance;
  • Identify gaps that have crept in over time;
  • Re-evaluate your data flows and controls;
  • Re-educate your team with any changes.

Consider this the perfect moment to fully prepare for your ascent up the new hill of the DPDPA. Whatever privacy programme your organisation has in place, you know where to begin. You know what you are doing well, you know your blind spots and, possibly, which areas may require some specialist privacy expertise. Having this level of awareness is valuable: you are not starting from scratch, you are building on something that already exists.

For organisations still in the foothills, be warned, it’s a steep gradient to ascend! Starting now is critical. Don’t be fooled into thinking you can afford to wait until the regulator comes knocking on your door to demonstrate compliance – you can’t.

Compliance is a journey
One of the biggest misconceptions about privacy law compliance is that it is a one-time project and a box to tick. It isn’t - it’s an ever-evolving journey for your organisation.

Data practices evolve, business models shift, new tools are adopted, teams change and with every change, the organisation’s privacy programme changes too. A new law is often the nudge organisations need to take a fresh look at their practices. Let us use that nudge wisely. 


 ------------------------ 

What’s next

Yet to start your DPDPA compliance journey? We can accelerate your preparations and turbocharge your planning. Get in touch to discuss.

DPDPA webinar series

We are partnering with Privy from IDfy on a webinar series to help organisations navigate their compliance journey.

The webinars are designed for CISOs, CPOs, DPOs, CTOs, Privacy Leaders, Governance & Risk Heads as well as wider teams responsible for designing or scaling DPDPA programmes.

Click here to join us for practical advice and insight.

 

DPDPA resources

If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.
