Essence of the Essential, And different by a distance
PDPSI or Personal Data Protection Standard of India was unleashed in February 2019 with an article here titled “A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI”.
At that time there was a need to create an Indian substitute for BS 10012. Subsequently ISO 27701 was also introduced. But both looked at PIMS from the GDPR angle. While that was the requirement in the international scenario, recognizing the need to introduce an India-specific framework for Personal Information Management, the undersigned introduced the concept of PDPSI.
PDPSI was an extension of the IISF 309, which was a framework developed by Naavi in March 2009 for compliance with ITA 2000 and revised subsequently from time to time.
IISF 309 focused on ITA 2008 compliance, of which Section 43A compliance, along with other sections like Section 72A, 79 etc., formed the Privacy part. PDPSI however was more focused on the PDPA 2018 which became available in December 2018.
Hence PDPSI was the first Privacy Protection Framework of India.
Since 2019, when PDPSI was launched, Naavi.org has been discussing the various aspects of the standard along with the DTS system, a version of which was called “Naavi’s 5X5 DTS system”, which had been launched a little earlier on New Year's Day of 2019.
Recently FDPPI adopted PDPSI and went ahead in creating an infrastructure for developing Lead PDPSI consultants and Lead PDPSI auditors. The FDPPI version of PDPSI was developed on the basis of PDPB 2019 and with a lot of discussions with professionals who had experience in ISO and other audit systems. As a result the current version with 12 standards and 50 implementation specifications emerged and was used in training prospective Data Auditors.
With the recent release of IS 17428, there are a few who think that IS 17428 is the first PIMS framework for India. But I would like to correct this perception. IS 17428 is the second framework from India.
PDPSI remains the first Privacy related framework to be developed in India.
We however would like to call it “Personal Data Protection Management System” (PDPMS) while ISO 27701 uses the terminology of PIMS (Personal Information Management System) and IS 17428 uses the terminology of “DPMS” (Data Privacy Management System).
IS 17428 however presents itself more as a framework for complying with GDPR in India though it makes a reference to ITA 2000 and Section 43A at some places. Whenever ITA 2000 is referred to, the IS 17428 speaks as if it is a third country law. Hence IS 17428 appears to be an Indian Framework with the focus on data protection laws outside India. It does not recognize the law in the pipeline represented by PDPB 2019. This is one of the biggest disappointments about this framework.
This framework is driven by industry representatives, NASSCOM and DSCI, which have been at the forefront of pulling down PDPB 2019, and perhaps this is reflected in the released document. Even the Annexure on legal provisions in India on Data Privacy speaks of the Indian Constitution and Section 43, 43A, 72A and Section 85 of ITA 2000/8 along with a multitude of other laws and sectoral regulations but avoids a mention of PDPB 2019.
Where the IS 17428 has erred is in not recognizing the concept of “Due Diligence”, which is mentioned under the Section 79 rules under ITA 2000 and is also a part of the “Reasonable Security Practices” under Section 43A.
The concept of “Due Diligence” does not restrict itself to the written words in a statute or regulation but represents absorption of the environmental experiences into the operations of an organization.
If a law such as PDPB 2019 has been contemplated and presented in the Parliament and the principles of the Bill have already been implemented in some of the Government projects such as the NDHM (National Digital Health Mission) project, it must be recognized as constituting the “Due Diligence” and part of the “Reasonable Security Practices”.
Hence PDPB 2019 at least deserved a mention in the footnote.
We do not know whether IS 17428 will be revised after PDPB 2019 becomes a law or the industry will try to claim that IS 17428 is bigger than PDPA-India and challenge the DPA into accepting IS 17428 as “Deemed Compliance” of PDPA-India.
Going by the past history of the NASSCOM/DSCI views on Data Localization, Financial Information as Sensitive Personal Information etc., it appears that IS 17428 may be used as an instrument to suggest to the DPA that “If I am IS 17428 compliant, you cannot question me on compliance of PDPA”.
I hope whoever takes the responsibility of being in the DPA as Chairman or Member would steer clear of using the terminology of “Deemed Compliance” used in the Section 43A notification under ITA 2000 and leave it to the market to adopt the best available framework because the ultimate responsibility for compliance lies in the implementation of the framework by the organizations. Frameworks can be tools to guide but Certificates cannot substitute implementation on the ground.
As a veteran watchdog of the developments in Cyber Law in India, Naavi will keenly watch the developments in this respect and will alert the community if there are any developments in this regard.
I also draw the attention of the Secretaries of MeitY, Secretary of Law and the Chief Cabinet Secretary to such a possibility (a copy of this article will be sent to the three secretaries for their information).
We however welcome the arrival of the Chota Bhai IS 17428 to the field of Indian Data Protection Frameworks so that the family of frameworks becomes bigger and there will be more variety. PDPSI will absorb all essential requirements of Privacy Management and will be an “Inclusive” framework. Yet it will try to maintain some key differences so that it will be different from the rest. PDPSI will undergo frequent upgradations as would be dictated mainly by the developments of the Personal Data Protection regulation in India. Being dynamic would be one of the strengths of PDPSI.
Leaving this controversial issue aside, let us get back to our discussion on PDPSI as the big brother of IS 17428 and how much of the traits of PDPSI have been absorbed in IS 17428 and why PDPSI deserves a tag line… Essence of the Essential and yet different by a distance. *
(*In Hindi: “The essence of all, yet different… by far”; or in Kannada: “The essence of everything, yet a storehouse of specialities”)
(Watch out for more in this Big Brother Series on PDPSI)