
Navigating Compliance Challenges: Insights from Sowmya Vedarth, Partner at Deloitte India, on the Impact of DPDP Act on ERP Systems

CXOToday has engaged in an exclusive interview with Sowmya Vedarth, Partner, Deloitte India.

1. How does the DPDP Act specifically affect ERP systems in organisations?

ERPs are essentially the crown jewels of any organisation, facilitating large-scale operations across multiple functions and storing massive amounts of data. Hence, India's new Digital Personal Data Protection Act (DPDPA) has an increased impact wherever these functions process personal or potentially personal data.

2. What challenges might CIOs and CDOs face in ensuring ERP systems comply with the DPDP Act?

As a Chief Information Officer (CIO) or a Chief Digital Officer (CDO) responsible for overseeing the entire ERP maintenance and/or modernisation journey, it is important to put in place the appropriate technological and organisational guardrails that ensure ERP systems' compliance from the collection of data through to its destruction. Appropriate privacy requirements, such as ensuring a valid basis of processing, logging of consent, data minimisation, logging and monitoring, and data destruction, have to be developed while balancing the interests of the data principal and the business.

3. What tools or solutions are recommended for proper implementation and user acceptance in ERP systems?

Numerous tools exist to help support privacy requirements across the data lifecycle for an ERP; organisations should weigh the need for a tool against the nature and scale of data processed, along with the organisational goals, to arrive at the right one.

4. In what ways can robotic process automation be used for compliance in ERP systems?

We generally consider Robotic Process Automation (RPA) to reduce human error, improve data consistency and standardise decision making. A well-designed automated process should eliminate human bias in the decision-making process. We can also use automation to increase data quality and consistency via checks and balances of input/output and by testing a greater sample, even up to 100%, of data for consistency.

Some of the biggest risks of automation stem from poor planning and inadequate testing, including privacy risks. Including security and privacy by design within the design phase of automation can help overcome risks around inappropriate access, insufficient security and processing bias. Adequate testing with a variety of use cases to ensure data confidentiality and integrity is also crucial for ensuring compliance.

5. How does the DPDP regulation reflect the changing nature of data obligations in the digital age?

Digitisation, by nature, opens up a whole world of possibilities for an organisation, encompassing the scale of data that can be handled, the time required for processing, and the accessibility to stakeholders, to name a few. The flip side is that it increases the risk of data breaches, harm to individuals (both from the types of data leaked and the number of records), and the use of these data to profile individuals. DPDPA aims to ensure that there are enough checks and balances from collection to destruction, as obligations placed on Data Fiduciaries, i.e. the organisations collecting/processing personal data. For example, it lays down requirements around restricting the collection of data based on a valid reason and limiting it to data that is necessary. This will reduce the risk of over-collection of data by organisations. Other key privacy principles provide rights to data owners, or data principals as they are called in the Act, such as the right to know the data processed about them by an organisation, and to ask for such data to be corrected or stopped from further processing.

6. What impact does the DPDP Act have on cloud-deployed ERP systems, and what are the shared responsibilities that organisations need to address in this context?

When an ERP is hosted on the cloud, it's crucial to be mindful of the shared responsibility between the organisation owning the data (the Data Fiduciary), the cloud provider and, as applicable, the SaaS provider. The Data Fiduciary should ensure that security and privacy measures are properly implemented, whether they are utilising containers, databases, Master Data Management (MDM), data lakes, or any machine learning platform.