Exam Preparation & Practice

DPDP Act 2023 (India) and GDPR (EU). If their AI system is high-risk under the EU AI Act, additional requirements apply. If they are a Significant Data Fiduciary under DPDP, they need a DPO, DPIAs, and independent audits.

GOVERN maps to Clauses 5 (Leadership) and 6 (Planning). MAP maps to Clause 4 (Context) and Clause 8 (Operation — risk assessment). MEASURE maps to Clause 9 (Performance Evaluation). MANAGE maps to Clause 8 (Operation — risk treatment) and Clause 10 (Improvement).

High-risk under Annex III (employment, workers management). Required: risk management system, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, accuracy/robustness/cybersecurity, conformity assessment, CE marking, EU database registration, and post-market monitoring.

Five-step approach: (1) Identify and classify the AI system under each applicable framework, (2) Determine all applicable jurisdictions and regulations, (3) Map required controls from each framework into a unified control set, (4) Identify gaps through evidence collection and testing, (5) Recommend specific remediation actions prioritized by severity and regulatory urgency.

120 minutes for 80 questions = 1.5 min average. Allocate ~1 min for MC questions (50), ~1.5 min for multi-select (15), and ~2-3 min for scenario questions (15). Flag difficult questions and return to them. This leaves ~10-15 minutes for review.

DPDP Act: consent for data processing, transparency about AI use, data principal rights. RBI: model governance framework, independent validation, explainability for rejections, data localization for payment data. Third-party management: vendor due diligence, contractual safeguards, the NBFC remains fully responsible for compliance regardless of the vendor relationship.