Questions for the DCPLA were updated on: Nov 21, 2025
Categorise the following statement:
"For an identified data leakage scenario, security team is struggling to configure rules."
B
Explanation:
The statement reflects an organization's difficulty in operationalizing privacy safeguards in response
to a known threat scenario. According to the DSCI Assessment Framework for Privacy (DAF-P©),
"Capability" refers to an organization’s ability to implement and maintain technical, procedural, and
administrative controls effectively.
A security team that struggles to configure rules for a known leakage scenario has a gap in
technical expertise or resources, which maps directly to a lack of "Capability." This category
assesses how prepared an organization is to deploy privacy controls, manage incidents, and align
security technologies with privacy requirements.
Thus, the difficulty in configuring protective rules is best categorized under "Capability," as it
denotes a functional inadequacy in handling privacy-related incidents.
Categorise the following statement:
"In case of eventualities or incidents, the organization struggles to locate source, evaluate reasons
and fix the accountability."
A
Explanation:
The "Visibility" parameter within the DSCI Privacy Framework evaluates how well an organization can
observe, trace, and explain personal data processing activities. The inability to locate the source,
assess the cause, or assign responsibility indicates a lack of operational visibility into data practices.
Hence, such a situation most appropriately falls under the "Visibility" dimension.
Which of the following is the least effective way to enforce privacy policy and practices?
D
Explanation:
In the DSCI Privacy Framework, enforcement refers to mechanisms used to implement and uphold
privacy policies and controls. While A, B, and C represent direct enforcement of privacy by assigning
accountability, establishing technical standards, and setting up governance processes, D relates more
to security monitoring than privacy enforcement per se. It is reactive and indirect in the context of
privacy enforcement.
Before planning the assessment, priority areas need to be determined by conducting a Risk
Management exercise. To adequately identify such priority areas, what possible parameters could be
considered? (Tick all that apply)
A, B, D, E, F
Explanation:
According to the DSCI Assessment Framework for Privacy (DAF-P©), risk-based prioritization is
essential in planning privacy assessments. Organizations are advised to consider parameters such as
the degree of harm from a potential privacy breach, the involvement of processes that handle
sensitive personal data (e.g., PHI or biometrics), technology solutions that may affect privacy, and
the extent of third-party involvement. These help determine the areas with high privacy risks
needing immediate attention.
C (business-related IP) is typically an information security concern, not a privacy concern unless it
involves personal data.
The objective of DSCI Privacy Assessment Framework – Organizational Competence of Privacy – is to
assess if the organization is able: (Tick all that apply)
A, B, C, E
Explanation:
The Organizational Competence aspect of the DSCI Privacy Assessment Framework evaluates
whether the organization:
Has structured processes to demonstrate privacy capability (A)
Can offer assurance to stakeholders through effective management systems (B)
Recognizes and supports the privacy framework while seeking improvements (C)
Validates adequacy and effectiveness of privacy safeguards implemented (E)
Meeting all applicable regulations is a result of these capabilities but not the primary focus of the
competence assessment layer itself.
[DSCI Assessment Framework for Privacy (DAF-P©)]
Which of the following is the most effective way of ensuring conformity to legal and regulatory
requirements across business functions, processes and relationships?
B
Explanation:
The most effective approach is "customised delivery of information" as per the DSCI Assessment
Framework. This ensures relevance and specificity, allowing functions, processes, and relationships
to comply with the exact regulations applicable to them. General information portals or broad
awareness sessions are useful but lack the precision and context that customized delivery can offer
for regulatory compliance.
[DSCI Privacy Framework Implementation]
Which of the following mechanisms or steps is/are likely to be taken by an organization for
implementing a privacy program?
i. Deploying physical and technology safeguards to protect personal information assets
ii. Privacy consideration in product and service design
iii. Privacy implementation to focus only on projects impacted by privacy breaches
iv. Benchmarking against industry peers' privacy implementation
v. Installing privacy enhancing tools and technologies for the projects dealing with organization's
Intellectual Property
B
Explanation:
Effective privacy implementation includes:
i: Deploying physical and tech safeguards
ii: Embedding privacy in product and service design (Privacy by Design)
iv: Learning through benchmarking industry practices
v: Installing privacy enhancing tools and technologies (PETs); although protecting the organization's
intellectual property is less a privacy concern than protecting personal data, such tooling still
builds up the privacy infrastructure
iii is incorrect because focusing only on projects already hit by privacy breaches is a reactive
approach, which contradicts the proactive ethos of privacy frameworks such as the DSCI Privacy
Framework (DPF).
[Privacy Governance]
With respect to privacy governance, which of the following statements are correct? (Tick all that
apply)
B, C, D
Explanation:
Privacy governance is about setting direction and defining roles and responsibilities across the
organization for managing personal data. It:
B: Defines strategy and takes decisions on privacy-related matters
C: Enables execution of policies to handle operational privacy incidents
D: Ensures that privacy accountability is not overlooked
Option A is incorrect because governance is not limited to computer resources; it spans all
organizational functions involving personal data processing.
What are the three main approaches for assessing privacy? Tick all that apply.
A, B, D
Explanation:
The DSCI Assessment Framework for Privacy (DAF-P©) outlines three key approaches for privacy
assessment:
Principle-based assessment (evaluates implementation of privacy principles like purpose limitation,
data minimization, etc.)
Organisational competence assessment (evaluates maturity of organizational processes and
resources for privacy)
Privacy risk assessment (identifies and mitigates potential risks to personal data)
These approaches collectively enable a comprehensive evaluation of an organization's privacy
posture.
[Privacy Awareness and Training (PAT)]
"Evaluate the state of awareness of the organization with respect to privacy, privacy principles,
privacy regulations and preparedness." This is an imperative of which DPF practice area?
C
Explanation:
The DSCI Privacy Framework clearly places the responsibility of evaluating organizational awareness
about privacy laws, principles, and operational readiness under the "Privacy Awareness and Training
(PAT)" practice area. This includes assessing:
Employee understanding of privacy responsibilities
Organization-wide preparedness
Scope and effectiveness of training initiatives
PAT ensures that individuals at all levels of the organization are informed and competent in handling
privacy matters.
Which of the following statements is true?
B
Explanation:
The classification of data as "sensitive personal data" is context-sensitive and often varies across
jurisdictions based on legal, cultural, and contextual factors. For instance, while health
information is widely recognized as sensitive, categories such as caste, political beliefs, or
biometric data may be treated differently depending on local laws and societal norms.
Therefore, statement B is correct, as it acknowledges that the sensitivity of data varies by geography
and culture.
Who is a Data Processor?
D
Explanation:
A Data Processor under the Digital Personal Data Protection Act, 2023 is any entity that processes
personal data on behalf of a Data Fiduciary. It does not independently determine the purpose or
means of processing but strictly follows the instructions of the Data Fiduciary. Therefore, D is the
correct answer.
What are the criteria for deciding the role of Data Fiduciary? Tick all that apply.
A, D
Explanation:
Under the Digital Personal Data Protection Act, 2023, a Data Fiduciary is defined as any person who
alone or in conjunction with other persons determines the purpose and means of processing
personal data. Therefore, A and D are correct.
Option B is incorrect because acting on behalf of a processor implies a sub-processor or related role,
not a fiduciary.
Option C is incorrect because mere storage does not make an entity a Data Fiduciary.
What is the maximum penalty amount for Data Principals for breach of their duties under Section-15
of the Digital Personal Data Protection Act, 2023?
C
Explanation:
Section 15 of the Digital Personal Data Protection Act, 2023 lays down the duties of Data Principals. For
a breach of these duties, the Act prescribes a financial penalty not exceeding ten thousand rupees.
This provision makes Data Principals accountable for breaching their duties under the Act, while
keeping the penalty proportionate to their limited responsibilities compared with those of a Data Fiduciary.
SIMULATION
[Scenario Based Questions]
[Privacy Policy and Processes (PPP)]
Based on the visibility exercise, the consultants created a single privacy policy applicable to all the
client relationships and business functions. The policy detailed what PI the company deals with, how
it is used, what security measures are deployed for its protection, with whom it is shared, etc. Given the
need to address all the client relationships and business functions through a single policy, the
privacy policy became very lengthy and complex. The privacy policy was published on the company's
intranet and also circulated to the heads of all the relationships and functions. With respect to some client
relationships, there was also confusion about whether the privacy policy should be notified to the end
customers of the clients, as the company was directly collecting PI as part of the delivery of BPM
services. The heads found it difficult to understand the policy (as they could not directly relate to it)
and what actions they needed to perform. To assuage their concerns, a one-day training workshop was
conducted. All the relationship and function heads attended the training. However, the
training could not be completed in the given time, as there were numerous questions from the
audience and it took a lot of time to clarify them.
(Note: Candidates are requested to make and state assumptions wherever appropriate to reach a
definitive conclusion)
Introduction and Background
XYZ is a major India-based IT and Business Process Management (BPM) service provider listed on the BSE
and NSE. It has more than 1.5 lakh employees operating in 100 offices across 30 countries. It serves
more than 500 clients across industry verticals (BFSI, Retail, Government, Healthcare, Telecom
among others) in the Americas, Europe, Asia-Pacific, the Middle East and Africa. The company provides
IT services including application development and maintenance, IT infrastructure management and
consulting, among others. It also offers IT products, mainly for its BFSI customers.
The company has witnessed phenomenal growth in BPM services over the last few years, including
Finance and Accounting (including credit card processing), Payroll processing, Customer support and Legal
Process Outsourcing, among others, and has rolled out platform-based services. Most of the
company's revenue comes from the BFSI sector in the US. In order to diversify its portfolio, the
company is looking to expand its operations in Europe. India, too, has attracted the company's attention,
given the phenomenal increase in domestic IT spend, especially by the government through various large-scale
IT projects. The company is also very aggressive in the cloud and mobility space, with a strong
focus on the delivery of cloud services. When it comes to expanding operations in Europe, the company is
facing difficulties in realizing the full potential of the market because of the privacy-related concerns of
clients, arising from the stringent regulatory requirements based on the EU General Data Protection
Regulation (EU GDPR).
To get better access to this market, the company decided to invest in privacy, so that it is able to
provide increased assurance to potential clients in the EU. This will also benefit its US operations,
because privacy concerns are also on the rise in the US, and it will help the company leverage outsourcing
opportunities in the US Healthcare sector, which involve the protection of sensitive medical
records of US citizens. The company believes that privacy will also be a key differentiator in the
cloud business going forward. In short, privacy was taken up as a strategic initiative in the company
in early 2011.
Since XYZ had an internal consulting arm, it assigned the responsibility of designing and
implementing an enterprise wide privacy program to the consulting arm. The consulting arm had
very good expertise in information security consulting but had limited expertise in the privacy
domain. The project was to be driven by CIO's office, in close consultation with the Corporate
Information Security and Legal functions.
What are the key issues in the policy design process? (up to 250 words)
See the answer in the explanation below.
Explanation:
The PI policy (or, for that matter, any policy) needs to be purpose-driven, clear, concise and easily
accessible to be effective. Ideally, the PI policy controls should be implemented as part of the
overall operations process, so that implementation of the policy is automatic. In this case, the
issues with the policy design process were:
1. The policy was a generic, common policy for all the business functions/units. Such policies
become lengthy and complex and deter the policy subjects from adopting them.
2. All the client relationships and business functions are unique. They differ in their purpose,
objectives and processes, and hence also in the type of information they collect and process. The policy
should be simple and customized for each department.
3. The policy was published on the intranet portal. There is no guarantee that the policy is read and
absorbed by all the intended stakeholders. Instead, the policy content should be made relevant
and customized for the stakeholders and PUSHED to them, rather than relying on them PULLING it at their
discretion.
4. The roles and responsibilities, accountability and penalties for each stakeholder should be defined
clearly so that there is no confusion about adherence to the policy.
5. The training workshop was generic and short, and it was not completed in time. The training
program should be customized and contextual to the department whose people are being trained, and
should be conducted in a professional environment and manner.
6. Since the policy, its purpose, and the roles and responsibilities were not clear, the training program
did not go well.
7. The policy did not settle whether it had to be notified to the end customers of clients where the
company collects PI directly as part of BPM delivery. The audience and scope of the policy, and of any
corresponding privacy notice, should be decided during design rather than left to the relationship heads.