Using AI to Assess Prioritize Data Privacy Protections

“Assess what is important” in the IDEA framework for Data Privacy

What is important is seldom urgent, and what is urgent is seldom important. And a corollary to that – if you don’t pay enough attention to what is important when it is not urgent, it will become urgent and important. A five-alarm fire. Did […]

AI to Monitor Data Privacy Protections

“Evaluate” in the IDEA framework for Data Privacy

We have the Intent to maintain the Privacy of Data under our stewardship. We take the next step and Design a comprehensive Compliance framework to address the multiple regulators and standards that we need to comply with. As a result, we now have a great policy framework […]

AI to Build Data Privacy Frameworks

“Design” in the IDEA framework for Data Privacy to handle Multiple Regulators and Multiple Jurisdictions

We have the Intent to maintain the Privacy of Data under our stewardship. The next task is to design a framework that can address the requirements of the multiple regulators and standards that we need to comply with. On an ongoing basis […]

Ensuring Data Privacy Verifying @ scale

“Intent” in the IDEA framework for Data Privacy

It was the dawn of May 29, 1453, a Tuesday, when the confident defenders of Constantinople were blindsided by a charge from the ‘left field’ when Ottoman attackers found one open door of Kerkoporta and got through the impenetrable Theodosian walls of Constantinople. They were confident because […]

Data Privacy: It is as Strong as the Weakest Link

Data Privacy requires a 100% effort

If one link can break the chain, every link must be verified. When I disassemble this, I find there are two parts to it. First, a chain is only as strong as its weakest link. Second, if you want to find the weakest link, sampling is not a wise […]

The Buck Stops At You – Military to DPDPA Perspective

When I was going to take over command of my unit, one of my seniors gave me one lesson which stuck with me. He said that generally behind the commanding officer’s chair is a wall. It is to tell you that all things which flow from higher-ups stop at you. You should not let any bad […]

DPDPA and National Security: Why Data Protection Is Everyone’s Responsibility

I hung up my uniform on 12 January 2026 and joined BISIL on 15 January 2026. Before I could get my bearings correct or get my North aligned (in the military, the first thing you do when you are out in the open is find out which way is North; it helps in keeping you focused […]

How do we do what we need to do?

Architecting a solution for achieving DPDPA Compliance

The Digital Personal Data Protection Act (DPDPA) shifts the focus from just having policies (intent) to how they are implemented. It moves from an ad-hoc, spreadsheet- and email-based implementation to how policies can be systematically implemented. That presents a system design problem. Policies alone are not useful – […]

What Do We Need to Do for DPDPA Compliance?

The Clock Is Ticking – What’s next?

We have the Assessment – so what’s the Action Plan now?

Prepare and prevent, don’t repair and repent – Anonymous

As I mentioned in my last blog on “What do we need to do”, you must identify the right problem to find a solution. And having identified the […]

Top 5 Reasons for Non-Compliance with DPDPA

Where are the GAPs in my Digital Data Protection Compliance?

If I have one hour to save the earth, I will spend 55 minutes identifying the problem and five minutes resolving it – popularly attributed to Albert Einstein

One must identify the right problem to find a solution! Why is this relevant to us? Here. […]

Are we DPDPA Compliant?

To start with, most of the organizations that deal with customer data think that they are doing enough and more to protect their clients’ data and have taken all the measures that are needed to safeguard the interests of all the stakeholders. They think DPDPA is all about putting the documentation in order, to […]

Data classification for DPDPA

It is clear from its name, Digital Personal Data Protection Act (DPDPA), that it is about protecting the personal data of individuals that any organisation maintains. So, if an organisation needs to answer the question “Are we compliant?”, then the first step would be to determine what personal data of clients is an organization […]

What are we required to do for DPDPA?

Once we have determined that DPDPA applies to us as a company, the next question is what we must do to ensure that we are DPDPA compliant. We saw that there are two roles from the business side – Data Fiduciary and Data Processor. We could have either one or two roles. As a Data […]

The one big reason why DPDPA applies to all Companies

My colleague Savita talked about DPDPA in her blog. When I read her blog, the question that I had, as I am sure you do too, was whether DPDPA applies to you. In order to answer that question, my first step was to understand the law. So, I ‘decomposed’ my big question into the […]

What is Digital Personal Data Protection Act?

Why are Data Privacy and Protection required?

Can you send me some money urgently? One of my former colleagues saw this message pop up on her WhatsApp feed. It happened not once. Twice! Someone took my LinkedIn picture and reached out to my ex-colleague on WhatsApp asking her to swiftly handle a transaction for me. Phone […]

ISO 27001 – Demystified: What It Really Is

Now that we’ve talked about what the ISO 27001 framework is all about and who actually needs it, let’s break it down a little more.

ISO 27001:2022 Annex A Structure & Controls

The 2022 version of the standard organizes 93 controls into four main themes:
Organisational Controls (Clause 5): 37 controls
People Controls (Clause 6): 8 controls
[…]

A Beginner’s Guide to ISO 27001 Controls: From Basics to Implementation

Why it Matters, Who Needs It and Why

Protecting data can really feel overwhelming, especially as the stakes keep getting higher. ISO 27001 offers a way of doing this systematically. However, implementing it seems like a huge and complicated endeavor. It does present some challenges, but once you understand what it’s trying to do, it […]

Behind the Screens – GRC Chaos due to Systems and Processes

Operational Challenges in Implementing Tech GRC

In an earlier post I talked about why organizations face difficulties as they implement a sound Technology GRC program. As I mentioned, there are three types of factors:
Environmental, those outside your control
Strategic, how you choose to respond
And Operational, how your response is implemented, which is […]

Is the Human Firewall Up? GRC’s People Issues

As I have mentioned earlier in my blogs on “Cyber attacks – What you can’t see can hurt you”, “Urgent is Loud and Important is Quiet” and “Threats change faster than you can react”, organizations are constantly changing and evolving in response to the changing marketplace, customer needs, and threat environment. Organizations realize the value […]

From Fines to Foresight: How AI Is Redefining GRC in 2025 (Series 1)

“Could this have been prevented?” That’s the haunting question every technology leader and compliance officer asks after a major failure — when systems go down, customer data is exposed, or auditors uncover gaps that should have been caught months earlier. Take one example: a Fortune 500 global bank fined $1.5 billion for failing to maintain […]

The Technology GRC maze: What a tangled web we have woven

Why manage technology Governance, Risk and Compliance? And how?

Because to err is human, to really mess things up requires a computer. I am sure you have heard the Paul Ehrlich saying. Now take it a step further, connect those computers. You now have a recipe for conditions that can go from zero to disaster, […]

Complexity of a GRC Program – Are You Losing 4% of Your Workforce Without Noticing?

4% of your workforce. On an ongoing basis! This is what GRC tasks will exact from you if they are not managed well. This is the magnitude of ‘things’ that an organization must deal with just to ensure it is in line with the generally accepted practices to keep its data and computing infrastructure safe […]

Making Compliance Simpler: The Power of the Unified Compliance Framework

Managing Technology Compliance can get really complex. From GDPR and HIPAA to ISO 27001, NIST CSF, and more, there’s always a new mandate to follow, each with its own requirements, documentation, and reporting formats. There are regulations by the governing bodies like RBI, SEBI, IRDAI […]

Don’t Wait for a Fire to Test Your Fire Alarm: Check Your GRC Maturity Now

Let’s be honest — Governance, Risk, and Compliance (GRC) often feels like a maze of policies, audits, and checklists. For many organizations, GRC is something they do because they must — not because they truly understand how well it’s working.

So, Where Do We Begin?

Before you can improve your GRC efforts, you need to […]

Urgent is Loud, Important is Quiet

Are you listening to the quiet stuff?

In some of my earlier posts I talked about factors that influence the challenges that organizations face in implementing a sound Technology GRC program. As I mentioned, there are three types of factors:
Environmental, those outside your control – Earlier Blog
Strategic, how you […]

From Crisis to Compliance: An opportunity to implement SEBI mandates that will ensure Peace of Mind

In a key development for regulated entities, the Securities and Exchange Board of India (SEBI) has extended the deadline for implementing Technology Compliance from the original date to August 31, 2025. The Banking, Financial Services and Insurance (BFSI) sector is navigating legacy technologies, rising risks, and at the same time trying to comply with SEBI […]

Threats change faster than you can react

Environmental Challenges in Technology GRC

Progress is man’s ability to complicate simplicity – Thor Heyerdahl

As anything grows, gains wider acceptability, and achieves success, it goes from self-regulation to being regulated by norms. However, this success attracts people who want to take advantage and profit from dubious exploitation of that success. And that finally brings […]

Cyberattacks – What you can’t see can hurt you.

Why is Technology GRC so difficult?

“There are only two types of companies: those that know they’ve been compromised, and those that don’t know.” I am sure you have heard some variation of this quote, variously attributed to John Chambers (former CEO of Cisco) or to Dmitri Alperovitch (formerly of McAfee). So, why is it […]

Beyond the Checkbox: Making Technology Compliance a Strategic Priority

Why do Enterprises Struggle with Technology Compliance?

In the last year, I have talked to leaders such as CXOs, VPs, Technology Heads and CISOs in medium and large organizations to understand how they track and establish whether they are doing all they should be doing to secure their Technology assets. The topic of discussion was […]

Technology Compliance – The A-P-I-A framework

As a provider of software solutions and, in recent years, of hosting them on the cloud, we follow security standards diligently. In fact, that is a part of our deliverables to our customers. This write-up comes from the experience of being responsible for the security of our own information assets and those of our customers. Ensuring […]

Sharing is not always caring!

In IT compliance, control over data sharing is a major preventive step against accidental or intentional data breaches. Here are a couple of cases that could have been avoided with better control over data sharing. Roger Duronio was a UBS Wealth Management systems administrator. In 2006, he used a “logic bomb” to damage the company’s […]

Authorized Personnel only!!!

Major public-facing companies have fallen victim to unauthorized individuals gaining access to sensitive data. Here are three famous cases which describe the result of an unauthorized person gaining access, or of someone not being careful while granting access to the most sensitive data.

Case 1 – Pennsylvania Department of Education — mis-assigned permissions

In February 2018, […]

Compliance Never Has a Day off!

How is it that when I buy insurance or make a financial transaction, I immediately begin receiving contacts from companies offering similar products and services? They know me, my email ID, and sometimes my phone number. Is it an example of data or information theft? An insider theft? How many times do we hear about […]

The heavy burden on Compliance Officers

Compliance has a cost. But non-compliance can be costlier. It could run into millions and billions as in the case that Ford Motor Co. is currently fighting. Ford Motor Co. said in June 2021 that it could face up to $1.3 billion in penalties in a long-running dispute over import duties paid on Ford Transit […]

Influence of Technology on Compliance

In the last blog, I covered the Impact of Data Protection and Data Localization Regulations, one of the key trends unfolding across multiple geographies. There is one more trend slowly and silently taking centre stage, and it will dictate how and where companies need to focus in the next decade. The business world will […]

Regulations across Countries for Protection of Data

“Change is the only constant in life.” – Heraclitus. The Greek philosopher’s words aptly apply to compliance as well. The latest developments in compliance are no less than a paradigm shift. I have written about the impact of the 2018 EU GDPR regulation in one of my previous blogs. GDPR has forced many companies to change their […]

Why are your clients interested in your Internal Control processes?

In the previous two blogs we saw how Protection of Rights and Economic rationales influence public policies and the compliance regime. In addition to these two reasons, companies set certain internally designed business policies for the betterment of the business. An example of internal compliance is when the accounts department follows the company’s policy and reconciles […]

Protection of Rights is the Right Thing To Do

“We welcome regulations and are very happy to comply!” rarely said any business leader ever. Often, compliance is seen as an unnecessary burden, and sometimes it is felt to be detrimental to the growth of the business. Some of the key questions around compliance come to our mind: Why is compliance needed? Who is protected and safeguarded […]

How can a company save cost by adopting Compliance?

This may sound counter-intuitive to many of us. Are the compliance tasks not additional work? Is the compliance expense not an overhead cost? The fact is that top management spends a lot of their own valuable time with the accountants, legal team and compliance officers to meet deadlines and fulfil compliance requirements. The CII – Deloitte Report on […]