In the current compliance and risk landscape, compliance is a mandate for organisations rather than a discretionary activity. Lapses or violations can expose senior leadership to legal action and penalties. With the number of rules and regulations growing, and public sensitivity to climate change and environmental issues increasing, infractions of the law also threaten an organisation's reputation. Although implementing compliance programmes can be burdensome for some enterprises, many are moving towards achieving their compliance goals.
Tarun Kaura is a Leader, Cyber Advisory, in the Risk Advisory practice, with over 20 years of experience in the Information Technology and Security domains. At Deloitte, Tarun primarily focuses on the Banking and Finance sector, with additional responsibility for managing strategic alliances. His core technical domain is the Security Operations Center (SOC): he has executed large SOC design and implementation projects and has designed next-generation SOCs and fusion centres.
He also leads the Software License Compliance and Software Asset Advisory service line.
Tarun Kaura, Leader of Cyber Advisory in the Risk Advisory division at Deloitte India, shared insights with CIOL on Deloitte's point of view titled "The Future of Compliance." He discussed how compliance has transitioned from discretionary to mandatory, emphasised the potential legal repercussions of any lapses, and covered other related aspects.
How do you perceive the evolving regulatory landscape globally and its impact on compliance practices?
The landscape of technology regulations has been evolving significantly in various areas. The past decade saw the emergence of data protection regulations in all geographies. Governments or institutional bodies in several countries have cyber security regulations to protect their critical infrastructure and services. Some countries have already issued guidelines or regulatory frameworks on the ethical and responsible use of emerging technologies like AI, cryptocurrency and blockchain. Some regions are weighing the need to regulate content on social media to address issues related to misinformation, hate speech, and the overall impact of social media platforms on society at large. Given these developments, organisations are likely to see an increase in the workload to constantly monitor for such regulations and take timely action in establishing the required policies and practices to stay compliant with the evolving laws. Investing in the right compliance solutions, along with promoting adequate awareness, can help minimise the compliance burden in organisations.
How does Deloitte foresee the DPDP Bill impacting the overall compliance framework for businesses in India?
While the DPDP Act provides legal recognition to an individual's right to privacy and the enterprise's responsibility to protect personal data, this law has also been drafted to work together with a few other established and upcoming regulations in India. While it aligns well with its peer global regulations like GDPR, CCPA etc., it would also need to complement the other laws in India like the IT Act or the upcoming Digital India Bill, the sector-specific regulations, etc. For instance, the Reserve Bank of India (RBI) and the Department of Telecommunications (DoT) both provide guidelines for handling personal data, especially from a customer/consumer data protection standpoint. It is therefore important for enterprises to understand the various regulatory frameworks addressing data protection, consolidate actions, harmonise the controls and establish an integrated framework to optimise compliance efforts within their organisation.
How can a robust compliance strategy, considering the DPDP Bill, be a competitive advantage for businesses?
Privacy laws like the DPDPA, when embraced with the right mindset and implemented effectively, can prove to be a business advantage. By complying with the laws, businesses can mitigate the legal and financial risks arising from penalties, lawsuits and operational disruptions. However, the businesses that prioritise privacy and data protection in the right spirit can also build trust with their customers through responsible business development practices. A positive image as a responsible business can boost the marketability of their products and services, increase their access to global markets and also act as a competitive differentiator. Businesses today have a choice: to either drive compliance as a task or as a growth enabler.
With the increasing focus on data privacy, how do you foresee compliance strategies adapting to ensure the protection of sensitive information?
The underlying objective of any compliance requirement is to either 'protect' or to 'govern'. In the case of regulatory compliance, the objective is usually to protect the integrity of the business, provide stability to the economy, protect the environment or provide a standard for uniform governance, etc. Understanding how sensitive information can be misused to disrupt the integrity, stability or governance of a business/society/economy at large is therefore important before thinking of how compliance strategies must be adapted to protect such sensitive information. For an organisation dealing with sensitive information, the compliance strategy must take into account what measures help protect data throughout its lifecycle, how controls need to be defined and tested periodically, and how the right behaviours are to be cultivated with awareness and training, amongst other considerations.
Are there any emerging technologies or practices that excite you in the context of future compliance?
The market has plenty of solutions like GRC (Governance, Risk and Compliance) software, compliance automation platforms and several cyber security solutions that can enable prevention and detection capabilities for non-compliance. But what excites me the most is the use of Artificial Intelligence (AI) and Machine Learning (ML) in managing various compliance activities. The ability of systems to auto-detect anomalies, auto-correct a non-compliance or trigger immediate attention towards a violation is impressive.
In what ways can automation and AI be leveraged to enhance compliance efficiency and effectiveness?
We have seen the use of RPA (Robotic Process Automation) to automate routine and recurring compliance tasks like testing controls. Automation combined with AI to generate alerts when a violation requires human intervention not only reduces the workload but also makes the activity mistake-proof. When used together, these technologies can help achieve huge efficiencies by automating routine tasks, while allowing professionals to handle more skilled and intelligent tasks or provide assurance over the system-managed activities.
What role does cybersecurity play in the future of compliance, and how should organizations prepare for potential challenges?
Cybersecurity is integral to the future of compliance. As businesses and economies continue to thrive on digital growth, protecting the digital infrastructure and data is non-negotiable. The regulatory landscape has therefore seen a growing number of requirements in the areas of privacy compliance, data protection, data breach management, third-party risk management and audit requirements along these lines as well. Organisations must assess the overall compliance requirements, plan, budget and prepare well to mitigate any challenges in operationalising these strategies accordingly.
What advice would Deloitte like to offer to organisations looking to future-proof their compliance strategies?
There's no single bullet to future-proof your organisation from the ever-evolving regulatory compliance requirements. What's more important is to stay abreast of new technologies, monitor emerging threats and vulnerabilities in the tech space, and understand what's required to ensure responsible usage of such tech and the prevention of any misuse. As you stay informed and take timely action, your compliance strategies will always be relevant.