As many organizations process personal and sensitive information, continuously monitoring data protection practices should be a part of organizations’ data governance frameworks. 


Organizations need to implement robust privacy and security practices considering the standard industry practices, the data processing activities, and the applicable legal and regulatory requirements.


The adequacy of privacy and security practices always depends on whether they can address the dynamic risks and threats in the cyber sphere. Regular assessment of an organization's privacy and security practices helps verify that they remain adequate as those risks and threats change.


Additionally, organizations can undergo appropriate data protection audits and obtain third-party data protection certifications such as ISO 27701, 27001, SOC2, and other certifications of the same kind. These certifications can reflect the strength of an organization’s privacy and security practices (and hopefully reduce insurance premiums). Additionally, ISO 27701 certification has controls that closely align with the requirements under the GDPR.


Data protection certifications and privacy and security practices can only reduce the likelihood of a breach; they cannot prevent one. In other words, because technology changes so quickly, there is always a likelihood that information will become subject to a breach in the cyber sphere, and organizations remain exposed to financial, reputational, and other repercussions.


The penalty for a breach under the DPDPA can be up to Rs. 250 crores, and under the GDPR it can go up to 10 million euros or 2% of an organization's annual turnover, or up to 20 million euros or 4% of an organization's annual turnover. The penalty is determined by the severity and nature of the breach. Additionally, there could also be indemnification obligations towards third parties, and these may be uncapped or capped at a substantially higher value.


Cyber liability insurance, to a considerable extent, helps an organization absorb these risks and indemnification obligations. It also reduces the risk that a breach forces the closure of business operations. As general insurance would not usually cover these risks, it is recommended that organizations take out separate cyber liability insurance to add another layer of protection to their business operations.