Friday, February 7, 2025

    Proactive GRC Practices and Impact of DPDP Rules on Indian Businesses: Conversation with Sanjeev Singh and Besfort Kuqi

    Birlasoft, a global leader in digital transformation and IT consulting, has recently entered into a landmark partnership with Swiss GRC to implement their comprehensive Governance, Risk, and Compliance (GRC) Toolbox. With operations spanning 29 countries, Birlasoft will leverage Swiss GRC’s cutting-edge modules, including Risk Management, Third-Party Risk Management (TPRM), Audit, ISMS, Policy Management, and Business Continuity Management (BCM), as part of its proactive approach to enhancing GRC practices. Tech Achieve Media engaged in an insightful conversation with Sanjeev Singh, DPO and CISO of Birlasoft, and Besfort Kuqi, Co-founder and CEO of Swiss GRC, to explore the transformative potential of this partnership, the evolving GRC landscape, and the impact of the DPDP rules on Indian businesses.

    TAM: In your view, how has the GRC landscape evolved in India over the past couple of years?

    Sanjeev Singh: The GRC (Governance, Risk, and Compliance) landscape is still evolving. Traditionally, GRC efforts were primarily compliance-driven, with organizations often doing the bare minimum required to check the necessary boxes and meet regulatory requirements. However, with the evolving landscape of attackers and their methods, GRC is now becoming both more measurable and more meaningful. Organizations are beginning to approach GRC not just in letter but also in spirit. This shift marks a significant evolution in the GRC space. Instead of focusing solely on point-in-time compliance audits, organizations are moving toward a continuous GRC model, emphasizing ongoing evaluation and improvement.

    TAM: What are the most pressing challenges organizations face today in navigating the rapidly evolving regulatory landscape?

    Sanjeev Singh: As I mentioned earlier, the landscape is evolving rapidly, both in security and data privacy. In the realm of security, we have well-established industry standards such as ISO 27001, the NIST Cybersecurity Framework, or the NIST Risk Management Framework. These frameworks provide a consistent, globally recognized approach that organizations can adopt based on their needs. However, when it comes to data privacy, the situation is vastly different. Privacy laws are sovereign, meaning each nation has its own regulations that organizations must adhere to. Unlike security frameworks, there is no universal standard for privacy that businesses can follow. This creates a significant challenge. Organizations must navigate a multitude of regulations, each with thousands of clauses, and ensure full compliance. Missing even a single requirement can result in severe penalties and fines, making it a critical area of focus for businesses today.

    TAM: What strategies should organizations adopt to ensure compliance while maintaining operational efficiency?

    Sanjeev Singh: The first step is to go digital. Many organizations worldwide still view compliance as a checklist exercise, often managed through Excel sheets or Microsoft Word documents. However, given the increasing complexity and scope of today’s compliance landscape, it’s time to leverage technology. Digitizing and automating compliance processes can help organizations move toward continuous implementation. Compliance shouldn’t be a one-time activity. For instance, you might be compliant on the first day of the year, but by day five, you could fall out of compliance and remain so for the rest of the year—only to become compliant again on day one of the following year. That approach no longer works. The goal is to maintain compliance every day of the year, ensuring continuous alignment with regulations and best practices.

    TAM: What are the key trends we can expect to see in the GRC landscape in the coming years?

    Besfort Kuqi: I believe there is a significant shift happening from basic compliance toward more proactive and continuous GRC processes. Additionally, a major trend is the growing use of AI technology to make these processes more efficient and effective—it’s a topic on everyone’s mind.

    TAM: How can businesses in India better align their GRC efforts with the evolving landscape?

    Sanjeev Singh: I think you’re right that India, as a market, is still evolving, with much work needed to achieve maturity in GRC practices. Within India, certain sectors like banking and financial services are relatively more advanced. However, many other sectors are still relying on Excel sheets or even paper-based methods for GRC. These organizations need to recognize that compliance isn’t just about ticking boxes or showcasing a checklist on their websites—it’s about embracing compliance in spirit. This approach fosters improved security, maturity, and resilience for organizations. I’m confident we’ll move in that direction. For example, with the introduction of the latest Digital Personal Data Protection Act (DPDPA) in India, we’re already seeing many organizations rushing to implement tools and controls to strengthen their compliance efforts.

    TAM: What motivated Birlasoft to partner with Swiss GRC for Governance, Risk, and Compliance solutions, and how does this collaboration align with your strategic goals?

    Sanjeev Singh: We had been searching for a solution for quite some time to bring greater maturity to our existing practices. Like many other organizations, we were managing compliance manually. While our processes were well-defined, the tracking and operational aspects of GRC remained highly manual. We were looking for a solution to automate the entire process end-to-end and transition us toward continuous compliance.


    Although we had several tools in place, such as EDRs and XDRs, which provided some insights into continuous compliance from a technology perspective, they didn’t offer the strategic overview I needed as a C7 DPO. We wanted a solution that could provide a comprehensive strategic view while being highly agile at the tactical level. It was essential for us to find a tool that would help operational teams improve their efficiency, reduce manual workloads, and enable them to accomplish much more with fewer resources. Thankfully, we came across SwissGRC during our search. The product stood out as the best fit for our needs. We conducted a thorough POC process, and we were impressed with what we saw. That’s when we made the decision to invest in the tool. Thank you for developing such an excellent solution.

    TAM: What are the key success factors organizations should consider when evaluating a GRC solution?

    Besfort Kuqi: First of all, I want to thank Sanjeev and his team for putting their trust in us. It means a lot to us, and we are truly excited about the opportunity to work with Birlasoft, a major IT company in India, and to support your GRC journey.

    To answer your question, I see two critical points. First, it’s essential to have a clear vision of the objectives you want to achieve. This vision should be aligned with the broader goals of the company. Additionally, you need an execution plan that aligns with all stakeholders, ensuring you have the support of the relevant people. High-level acceptance from your key stakeholders is crucial for success, so building this foundation is key. Second, it’s increasingly important to shift from a reactive compliance approach to a more integrated and proactive risk management strategy. This shift is necessary for long-term success and should be a key consideration as you move forward.

    TAM: What role do you foresee this partnership playing in advancing the GRC ecosystem in India, particularly in the context of emerging technologies and data protection regulations?

    Sanjeev Singh: Birlasoft is an IT and IT services provider based in India, though we operate globally with large clients around the world. Our initial goal is to invest in SwissGRC for ourselves, build our expertise, and gain hands-on experience. In the future, we hope to become a shining example for others—showing how they can emulate our approach to improving GRC. Eventually, we plan to share this story with our clients and others, which could potentially lead to future partnerships.

    TAM: What are some of the objectives that you aim to achieve through this partnership?

    Besfort Kuqi: Birlasoft is our major client in India right now, and I’m confident that it will help support SwissGRC’s growth here, as India is a key market for us, along with the Middle East and Europe. We are fully committed to making this a success and will do our best to assist Sanjeev and his team in achieving higher maturity in GRC management.

    TAM: As a CISO and Data Protection Officer, the DPDP draft rules are out, and it’s soon set to become an act. If you had to deliver one message to the organisations watching this interview regarding the DPDP Act 2023, what would it be?

    Sanjeev Singh: If there’s one message I’d like to convey through this interview to those watching, it’s about the DPDP rules. First of all, I welcome the DPDP Act and the draft rules. For the first time, the common citizen in this country has a right to privacy. As we all know, privacy awareness at the individual level in India has been quite low. I hope that these rules do for India what GDPR did for Europe and its subsequent global impact. My hope is that it will significantly improve privacy awareness and foster a better privacy ecosystem in India in the coming years.

    Secondly, at the enterprise level, organizations that collect personal data—whether B2C or B2B companies—must become aware of their responsibilities: how to collect, process, store, and ultimately delete or destroy that data when appropriate. I hope we see significant maturity in this area. Fortunately, we’ve already been compliant with regulations like GDPR, CCPA, etc., in the geographies where we operate. As an ISO 27001-certified organization for the past five to six years, we were better prepared to implement the DPDP rules as soon as the Act was introduced. That said, there’s still a huge opportunity for organizations in India that have not yet started to take action. Now that the rules are out, there’s no excuse not to begin.
