How “Data Protection” and “Personal Data Protection” are different

“Information Security” is a term we are all familiar with. But in recent days, people have been using the term “Data Protection” and talking as if it were something different. This is intriguing and requires some discussion.

If we look at the definition of “Data” under ITA 2000/2008, it appears that there is no difference between “Information” and “Data”. Both terms refer to binary expressions which can be interpreted by computer devices as “Text”, “Sound” or “Pictures” or a combination of the same. Research is going on into how the “Binary expressions” can also be converted into what we can feel by touch or what we can smell or taste. After all, if we can establish a connection with the neurons in the human brain and send some stimuli triggered by some binary expressions, we will have a situation where the human faculties of seeing, hearing, touching, smelling or tasting can all be replicated by binary triggers which may be called “Software” with the use of appropriate “Hardware”.

Hence if we talk of “Data Protection” as a measure of “Protecting” “Data or Information”, then our controls to ensure “Confidentiality”, “Integrity” and “Availability”, as well as “Authentication” and “Non Repudiability”, should be considered sufficient to protect all kinds of data. CISOs today, along with their army of IS-trained and certified professionals, are geared to protect information and hence should also be capable of discharging the responsibilities of “Data Protection” in whatever manner it is described.

However in recent days, there is a clamour for another kind of professional in the industry. These are sometimes called “Privacy Officials”. Is this necessary? Is this desirable? This is a question that is bothering many.

These Privacy officers have a slightly different role from the Information Security Officers because IS professionals focus on protecting the “Binary Data” without any reference to what a given set of binary data may mean when viewed through an application and converted into text, sound or a picture.

On the other hand, the Privacy officer looks at what the binary data translates into and whether it contains the name of an individual or any data which is identified with an individual. Such information is classified as “Personal Information” and the “Privacy Professional” focuses on how to protect such “Personal Information or Personal Data”. The Privacy officer then thinks of controls which are beyond what the IS professional has thought of. The Privacy Officers therefore need to be heard separately.

Again, as distinguished from the Privacy professionals who work within an IT organization trying to protect the personal data, there are privacy activists such as lawyers who try to protect the right to privacy of people under the Constitution, as a Right to liberty and a Right to a dignified life. These advocates are not protecting “Data” but they are protecting “Privacy”. The Courts also are making orders about “Privacy Protection” as if “Privacy Protection” and “Data Protection” are one and the same.

We therefore have two kinds of Privacy professionals: one trying to protect the Right to Privacy under the Constitution, who fights in a Court, and another set who work within IT organizations to protect the “Personal Data”. Are they the same or different? This is another dilemma we need to sort out.

In the same way, the current IS professionals protect all data while the Privacy Professional in an IT organization tries to protect the “Personal Data”.

Since “Personal Data” is a subset of the “Data” managed by an organization, it appears that the IS managers are already functioning as “Personal Data Protectors”. In such a scenario, there is a genuine question as to why we need a separate set of professionals called “Privacy Professionals” or “Data Protection Professionals”, with some of them being crowned as “Data Protection Officers” (DPO).

India is on the threshold of a new Personal Data Protection Act (PDPA) which recognizes a special role for DPOs, and if the legal provisions are taken seriously, the DPO will be a senior executive who reports directly to the Board and sometimes even complains to the Data Protection Authority (DPA) against the Board itself.

If we do not understand why this special status is given to the DPO, we are bound to have a fight within every organization where the CISO will expect that the DPO should report to him and not to the CEO or the Board. If the DPO reports to the Board or even to the CEO, it will undermine the position of the CISO and this would create a disruption in the hierarchy.

To understand why a protector of a subset of data needs more power than the protector of the superset of data, we can look around us at the plight of the Police in Delhi who were struggling to control the Shaheen Bagh protests.

Normally one would say that the Shaheen Bagh protest is like any other sit-in protest and the Police should be able to handle it as they handle a workers’ strike or any other gathering.

But controlling Shaheen Bagh was beyond the capability of the Delhi Police because there was sensitivity to the situation. The protesters were all Muslims and any action such as a lathi charge could only result in a riot, as happened later. The possibility of international ramifications of a charge on the protestors could also not be ruled out. Additionally, most of the protesters were women and children and this human shield could not be tackled like any other group of protesters.

Similar protests in China or Hong Kong would have been handled differently, and the Indian Police did not have similar powers. This made the difference between their success and failure.

In other words, “Who the protesters were” made a difference to “What security operations could be conducted”. If the Police had treated them as just another group of protesters, without any racial or discriminatory outlook, they would have been accused of being “Communal” and “Gross violators of human rights”.

Hence “Controlling the Shaheen Bagh protest” was different from controlling “Any other Protest”.

This is exactly the situation that confronts the “Information Security professionals” and the “Data Protection Professionals”. Even though “Personal Data” is part of the “Data”, those designated to protect the Personal data need certain skills that are different from those of the people handling protection of “Data” in general. “What the data is” makes the difference between the protector of “Data” and the protector of “Personal Data”.

It is for this reason that the DPO has a different brief from the CISO when it comes to protecting the data under his domain.

If “Personal Data” is more sensitive than “Data” in general, then the DPO must have all the skills of a CISO and something more to handle the sensitivity. Hence the DPO assumes a role more important than the CISO in the organization and has to be on par with a CISO or even above him.

As a result, the CISOs of today will have to accommodate the rise of another class of professionals called DPOs who will occupy key professional positions in the organization. Some of these could be experts in Data Protection Laws but without much understanding of the technology and IS functions. Until the Data Protection lawyers acquire a reasonable understanding of the technology, there will be constant friction between the designated DPO and the current CISO.

Not all CISOs may be ready to acquire the additional skills required to be elevated to the position of DPO and give up the tag of CISO, since at present the importance of DPOs is a little obscured compared to the importance of CISOs in the industry. But sooner or later they will realize that DPO is a more elevated position in the organization, and unless they acquire additional qualifications such as the “Certified Data Protection Professional” they may fall behind in the race for professional growth.

It is high time that CISOs and IS professionals realize this development and take steps to preserve their current industry position by acquiring additional Personal Data Protection Certifications.

CISOs and IS officials in India should also realize that acquiring certificates for GDPR knowledge with international certification agencies is not a substitute for acquiring certificates for PDPA knowledge and certifications that focus on the requirements of Indian Data Protection Professionals.

In this direction, the Certification program of FDPPI stands out in a class of its own and deserves a serious look.

Naavi

Posted in Cyber Law

Cloud Forensics.. Some thoughts from the Perspective of a DPO

With the increased use of the Cloud as an infrastructure for data storage and processing, some aspects of how the Cloud functions pose serious challenges to data protection compliance that need a debate by experts.

The essential aspect of data protection laws is to provide a choice to the data subject to be able to access the personal data and, if required, ask for updating, portability and erasure.

The Data Protection Officer (DPO) is responsible for compliance with these aspects under the law and has to exercise control over how the personal data of data subjects can be discovered in the pool of corporate data that is scattered across the cloud (often multiple clouds), ensure that Consents are tagged to each such data set, and ensure that whenever any correction is made, it is synchronized at all the storage locations.

Further, if the personal data and the associated profile need to be ported or erased, the DPO should be able to ensure that the personal data associated with a given data subject is gathered without any omission and ported. If the information has to be erased, the DPO should be able to confirm that the personal data set of the given individual has been erased from all locations except those where it is required to be maintained by virtue of the company’s legitimate interests or for law enforcement or national security reasons.
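The following is an added example, not code from the original post or from FDPPI: a minimal personal-data inventory in Python that models the DPO tasks just described, namely discovering every copy of one data subject’s records across several storage locations, flagging copies that carry no consent tag, synchronizing a correction to all copies, gathering the complete set for portability, and erasing every copy except those under a retention hold. The location names, subject IDs, consent IDs and records are constructed sample data; the class and function names are this example’s own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    subject_id: str
    location: str                          # storage location holding this copy (constructed name)
    fields: Dict[str, str]
    consent_id: Optional[str] = None       # consent the data was collected under, if tagged
    retention_hold: Optional[str] = None   # reason this copy must survive an erasure request
    erased: bool = False


class PersonalDataInventory:
    """Tracks every copy of personal data across locations so that each data-subject
    right (access, correction, portability, erasure) is applied to all of them."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, record: Record) -> None:
        self.records.append(record)

    def discover(self, subject_id: str) -> List[Record]:
        """All live copies of one subject's data, wherever they are stored."""
        return [r for r in self.records if r.subject_id == subject_id and not r.erased]

    def untagged_locations(self, subject_id: str) -> List[str]:
        """Copies with no consent tag: a compliance gap the DPO must close."""
        return [r.location for r in self.discover(subject_id) if r.consent_id is None]

    def correct(self, subject_id: str, field_name: str, value: str) -> int:
        """Apply a correction to every copy; returns how many copies were updated."""
        updated = 0
        for r in self.discover(subject_id):
            if field_name in r.fields:
                r.fields[field_name] = value
                updated += 1
        return updated

    def export(self, subject_id: str) -> dict:
        """Portability: gather the complete set of copies into one structure."""
        return {
            "subject_id": subject_id,
            "copies": [
                {"location": r.location, "consent_id": r.consent_id, "data": dict(r.fields)}
                for r in self.discover(subject_id)
            ],
        }

    def erase(self, subject_id: str) -> dict:
        """Erase every copy except those under a retention hold, and report both lists
        so the DPO can show which locations still hold the data and why."""
        erased, retained = [], []
        for r in self.discover(subject_id):
            if r.retention_hold:
                retained.append({"location": r.location, "reason": r.retention_hold})
            else:
                r.fields = {}       # drop the content from the inventory's view
                r.erased = True     # logical erasure only: physical deletion in a shared
                                    # cloud depends on the CSP and must be confirmed separately
                erased.append(r.location)
        return {"erased": sorted(erased), "retained": retained}


def build_sample_inventory() -> PersonalDataInventory:
    """Constructed sample data: one subject whose records are scattered across two
    clouds, a finance system under a legal hold, and an employee laptop that picked
    up a copy during work-from-home (and never got a consent tag)."""
    inv = PersonalDataInventory()
    inv.add(Record("DS-1001", "cloud-a-bucket-eu", {"name": "A. Subject", "email": "a@example.invalid"}, consent_id="C-77"))
    inv.add(Record("DS-1001", "cloud-b-db-in", {"name": "A. Subject", "phone": "+91-00000-00000"}, consent_id="C-77"))
    inv.add(Record("DS-1001", "finance-ledger", {"name": "A. Subject", "invoice": "INV-42"}, consent_id="C-77",
                   retention_hold="tax-law-retention"))
    inv.add(Record("DS-1001", "laptop-hr-07", {"name": "A. Subject", "email": "a@example.invalid"}))
    inv.add(Record("DS-2002", "cloud-a-bucket-eu", {"name": "B. Other"}, consent_id="C-91"))
    return inv


def run_subject_rights(subject_id: str = "DS-1001") -> dict:
    """Walk one subject through discovery, consent check, correction, export and erasure."""
    inv = build_sample_inventory()
    result = {
        "locations": sorted(r.location for r in inv.discover(subject_id)),
        "untagged": inv.untagged_locations(subject_id),
        "corrected_copies": inv.correct(subject_id, "name", "A. Subject-Corrected"),
        "exported_copies": len(inv.export(subject_id)["copies"]),
    }
    result["erasure"] = inv.erase(subject_id)
    result["remaining"] = [r.location for r in inv.discover(subject_id)]
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_subject_rights(), indent=2))
```

Running the block walks the sample subject through all five tasks: the laptop copy shows up as untagged, the correction reaches all four copies, the export carries all four, and the erasure report lists three locations erased and the finance ledger retained under its hold. The `erased` flag is deliberately only a logical marker, because in a shared cloud the inventory cannot itself prove physical deletion; that confirmation has to come from the CSP and be recorded against the same entry.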

The task of personal data identification, consent tagging, porting and erasure is difficult even if the entire data is handled through the company’s own data center, since there is always a tendency for personal data to get scattered across the resources of the company, particularly in an unstructured format.

In the extraordinary situation that we are presently in, where most companies had to introduce Work From Home under the COVID-19 lockdown conditions, corporate data access had to be given to employees from their home devices without proper preparation as to the security requirements. This could have spread the sensitive personal data of data subjects to many of the employees’ personal devices.

In such a situation, all the designated rights of the data subjects/principals are all subject to “Emergent Exceptions”.

Whenever a suspected data breach incident is reported, the first task of the DPO is to confirm the breach through an investigation and then attempt to preserve the evidence through forensic measures. This is not only required to meet the demands of the Data Protection Authority subsequently, but is also a legal obligation under Cyber Crime laws.

If the DPO fails to meet these requirements, he would make the company liable not only for higher levels of fines for lack of proper post-incident response but also for criminal prosecution of the company’s CEO, Directors or CISO, besides himself.

When a company maintains its own data center to which it has physical access, several forensic methods may be available for compliance. Some of these, such as “Discovery of Personal Data”, “Consent Tagging” etc., may be possible even in the cloud environment. But when it comes to portability and erasure, the cloud infrastructure presents a tough situation where the DPO is completely dependent on the Cloud Service Provider (CSP). If the client is a small entity and the CSP is an Amazon or Microsoft, it is clear that the DPO has no freedom to get what he may want from the CSP and would be entirely at the mercy of the CSP to meet the compliance requirements of the cloud user.

Some of the Data Protection Contracts of Data Controllers which were developed in the pre-GDPR era had taken into consideration data storage in the company’s own data center and had incorporated clauses which were feasible to implement in that scenario. However, with the migration of storage and certain functions to the Cloud, many of the data processors continue to function under legacy contracts which contain provisions that are impossible to fulfill in a cloud scenario.

On many occasions, clients from the US and even the EU may use their old contract format and not revise it to meet the changed circumstances of both the new responsibilities under GDPR and the use of the cloud for storage as well as processing. Indian processors may find it difficult to convince their clients that the contractual clauses are ab initio not applicable to the system of data processing that both might otherwise have agreed to. Identifying such situations is essential for Indian data processors to protect themselves from agreeing to do what they know they cannot do.

One such condition we often find in these contracts is the “Data Erasure Standards” to be used both when the personal data is first mounted on a new hard disk and also when it has to be deleted permanently. Data Erasure standards such as DoD 5220.22-M, Bruce Schneier’s algorithm or any other such method were developed for hard disk forensics and can apply where the entire storage system is under the control of the data controller/processor/fiduciary. But they do not apply when the data is stored in the cloud, where the facilities are shared with others.

Also, the techniques of “Deleted Data Recovery” that can be used in Disk Forensics do not function in shared data storage facilities, where the user has control over only a certain number of bytes of storage space spread over non-contiguous space within the hard disk.

Further, most storage systems, even within a computer, have migrated from hard disks to SSDs, and the file systems work differently, making it difficult to use legacy forensic systems to carry out forensic investigations.

While some of the challenges mentioned above are not within the control of the DPO to rectify, it is necessary to recognize these limitations and factor them into the data processing agreements as “Disclaimers”.

I look forward to receiving feedback from forensic experts to identify the “Limitations of traditional forensic techniques in a cloud environment” and to find solutions for Data Protection Regulatory compliance.

Naavi

Reference:

Data Sanitization for cloud storage

Erase Data Objects in Cloud

Data Deletion on Google Cloud Platform

Erasure on cloud


Empathy… an Essential requisite of a good DPO

The functions of a Data Protection Officer (DPO) under the emerging Personal Data Protection Act (PDPA) include the DPO being the single point of contact for grievance redressal between the Data Principal and the Data Fiduciary.

In discharging this function, the DPO can choose to be like a post office, receiving the grievance and passing it on to somebody else in the organization for resolution. In that case he does not even need to understand what the grievance is and can still call himself the “Contact Person”.

But the intention of the PDPA is that the DPO is responsible for ensuring that the rights of the Data Principals are adequately met by the data fiduciary, and if in any specific instance the data principal is not satisfied, he can contact the DPO for resolution. If the resolution is not satisfactory, the data principal can take the complaint to the DPA and seek adjudication.

It is therefore the responsibility of the DPO to try to understand the grievance and, if possible, provide a satisfactory resolution at his own level so that the matter does not have to be escalated to the DPA.

In order to resolve such issues, the DPO should be able to come down from his pedestal as a highly paid employee of an IT Company working in an air-conditioned cabin and moving around in a chauffeur-driven car, and try to appreciate why a data principal is raising a query that he has been wronged. It is quite possible that the data principal may be wrong. But the DPO is still responsible for ensuring that the data principal is satisfied with whatever resolution he gets.

When the data principal is correct in his complaint, it may be easy to resolve, since any conflicts would be with other internal members, all of whom share the superordinate goal of compliance with the PDPA. But when the customer is wrong but is adamant that his right has been infringed, the situation is more challenging.

It is not always easy to deal with people who are wrong but do not know that they are wrong. It often happens when we deal with children who are adamant. A good parent always understands that the child does not know as much as he/she does and hence tries to come down to the level of the child to understand and resolve the issue in a manner the child understands. In such cases, we put ourselves in the shoes of the child and try to understand why he/she is adamant. This requires the parent to give up his ego and deal with the child as an equal, gain confidence, and then slowly make him/her realise that the parent is providing something better than what he himself wanted.

This art of grievance redressal is often critical to any mediation. The ability to step into the shoes of another and understand his concerns and his views is “Empathy”, a human skill that is relevant for a good DPO.

Emotion researchers define empathy as the ability to sense other people’s emotions, coupled with the ability to imagine what someone else might be thinking or feeling.

Two major kinds of empathy are often recognized, namely “Affective Empathy” and “Cognitive Empathy”.

“Affective empathy” refers to the sensations and feelings we get in response to others’ emotions; this can include mirroring what that person is feeling. This could be a dysfunctional response where one can feel stressed if the other is stressed.

“Cognitive empathy”, on the other hand, is sometimes called “perspective taking” and refers to our ability to identify and understand other people’s emotions. This is a positive characteristic of a good leader.

To be successful, the DPO has to develop Cognitive Empathy skills and avoid the traits of affective empathy. When a complainant comes to you with a problem, being compassionate is one thing, but getting lost in re-living the complainant’s distressed state is another and often a problem.

An example which most of us might have seen is when a child is in some kind of distress and the father and mother are both responding to the situation. The mother, being compassionate to the suffering of the child, starts crying and sobbing, while the father contains his own feelings but immediately moves to do what is immediately necessary, such as picking up the child, rushing him to the hospital, etc.

In a work situation also, HR managers often find themselves in situations where they have to be sympathetic and show empathy with people who have problems, but the solution is not for them to become miserable themselves.

“Counsellors” are often trained to react correctly in such situations, where they are empathetic but not to the extent of reducing themselves to mirroring the problems of others.

Understanding the principle of “Empathy” is relevant to appreciating the very definition of “Privacy Protection” itself, since “Privacy” is a “State of mind” of another person, and when we are trying to protect Privacy, we are trying to give the data subject the assurance that his privacy remains under his own control.

This principle of “Empathy”, how it differs from “Sympathy”, and the benefits of “Cognitive Empathy” are behavioural skills that an effective DPO must possess.

(Comments are welcome)

Naavi

Reference Article:

Importance and benefits of Empathy.


Crisis Management…An Essential Skill of a DPO

The Corona Crisis is opening the eyes of administrators to the problems that one faces in a situation of crisis. “Damned if you do and damned if you don’t” is the kind of response the administrators get from the people around them.

A similar crisis often confronts a DPO when the organization faces a “Data Breach”. Suddenly the media will pounce on you, the data subjects will bombard you with e-mails, the DPA will send you a notice, the CEO will shout, your peers will say “I told you so”, the Cyber Insurance company will send a notice, the customers will start reminding you of the indemnity clauses, the CFO goes nuts… and, like the German minister who committed suicide, unable to face the economic crisis created by COVID-19, the DPO will suddenly face a situation which could push any weak person into depression and resignation.

If the DPO speaks out without proper information, he could raise the panic levels. If he says anything wrong, he can face liability for misleading… the problems appear endless.

The DPO in such a situation has to manage the internal and external communications and at the same time initiate the necessary corrective actions and maintain the morale of customers, data subjects and co-workers alike. This requires a special skill and maturity that most DPOs of the day have not been tested for. We know that our DPO carries different knowledge-based certifications and has put in years of service in reputed organizations, but we do not know how he may crumble when, despite his honest and tireless work, he is accused by everybody of not being able to prevent the data breach and, more importantly, of not preventing the leak of news of the data breach to the media.

“Crisis Management Skill” is therefore an essential requisite of a good DPO.

“Crisis” by definition is an “Unexpected” event of disruptive proportions exceeding the “Risk Estimates” that are normally considered for mitigation. It carries an existential threat to the organization and requires an out-of-the-box solution to stem the adverse effect quickly.

No amount of policies and procedures will help unless the essence of such policies is ingrained in the thinking process of the DPO. Just as an aircraft pilot faced with an imminent crash cannot think of reading through a voluminous manual and has to take an immediate decision on what to do next, the DPO has to take a quick decision, often without any consultation with his superiors.

This calls for a “Decision Making” skill, which is part of being a good leader. To be able to make a reasonable decision within the capabilities of the person, one has to remain calm and not get panicky. If the DPO gets panicky, he reduces whatever decision-making skill he may actually have. Many drivers who panic in an accident situation press the accelerator instead of the brake and cause more harm than they would have done had they simply removed their foot from the pedal, even without pressing the brake.

“Crisis Prevention” is definitely a strategy to remember, and all our Information Security measures and Data Protection regulations are aimed at preventing a crisis from developing. But some day, somewhere, we may face a situation where the risk mitigation efforts have failed and the crisis has emerged.

Now the question before us is how we handle the post-crisis situation.

The first step in post-crisis handling is to identify and control those within and outside the organization who would only worsen the crisis by demoralizing everybody around them. Hence the DPO should learn to identify such elements and ignore them. The management should also recognize the possibility that all those who were inimical to the DPO will now take their daggers out and start accusing the DPO. Hence a “Disaster Committee” has to be formed, with the CEO and DPO involved in every decision.

The second step is to ensure that no “Misinformation” is spread. At the same time, the organization should avoid both false denials and sweeping the problem under the carpet. Measured communication to the stakeholders is of utmost importance. Setting up a Disaster information center as a single point of contact for the public to learn the impact of the disaster is also essential to prevent rumours from spreading. Since the DPO’s email could be flooded in such a scenario, immediate technical measures need to be organized to ensure that the load is distributed to a back-end support team which sifts the queries and develops standard approved responses.

If necessary, the employees of the organization must be locked down, in the sense that they should be prevented by a strict order from communicating with the outside world about the crisis, whether or not somebody cries out “Freedom of Speech” or “Privacy”. In a crisis situation, the rights of freedom of speech or privacy of the employees have to take a back seat.

It is only after such fire-fighting has been attended to that one can focus on analysing the root cause, preventing further damage, making an impact assessment, reporting to regulators, etc.

To summarize, the requirements are:

a) Stay calm and avoid panic

b) Lock down the systems and people from creating further damage

c) Set up a disaster center with a small number of decision makers like the CEO and DPO with support staff

d) Maintain balanced communication to the stakeholders without deception or speculation

e) Ensure a single point information dissemination center to prevent rumors spreading

It is only after these preliminary efforts that we can consider the “Data Breach Notification”, “Forensic Analysis”, etc., which are all necessary but need to be prioritized.

Decisive leadership skills, including team building, taking tough decisions, absorbing personal risks, not being afraid of failure, etc., will be required, besides the ingrained knowledge and culture that enable the DPO to respond in the right direction even in his sleep.

At the end of it all, one can try to draw lessons from the crisis and share them as a knowledge base to address similar situations in future, including prevention and monitoring. While we do recommend “Sanctions” for most data breach incidents, a crisis sometimes requires a fresh look, since it may often happen that the standard sanctions would require most employees to resign and go, which may not be the solution for building a resilient organization for the future.

Recognizing this need, Naavi has designed the “Certified Expert Data Protection Professional” program to include a module on the behavioural skills required for a DPO. This will be part of FDPPI’s plans for extending the current knowledge modules such as Module-I (Indian Laws), Module-G (Global Laws) and Module-T (Technology). The other two modules, namely Module-A (Audit) and Module-B (Behavioural skills), represent skills to be cultivated before somebody can be called an “Expert” data protection professional.

At present Naavi’s Cyber Law College, in association with FDPPI, is still building the base module, Module-I, which focuses on the knowledge part of Indian regulations. Though the importance of behavioural skills and Audit skills is also covered in the base module, they will be expanded in the coming days with independent modules.

Naavi


To Be a Leader?… or To Be a Follower?

It is always a dilemma for every professional to decide what is more comfortable: to choose to be a leader, or to be happy being a follower?

Obviously, if everyone were a leader, there would be chaos. So nature has decided that not all would aspire to be the leader. It is also good for the leader that when he occupies the leadership position, there will be some ready to stand in the next line.

A true leader is like an explorer. He often meets challenging situations which others have not seen. He can make mistakes and even get hurt. But as long as he is pursuing the right path and exercising due diligence, and is capable of standing up even if he falls down, he is sure to reach the destination ahead of others.

These leadership qualities are necessary for professionals who want to carve out a new path of progress for themselves which nobody else has so far pursued.

The above reflections appear appropriate at this point of time, as the undersigned pursues the creation of a new set of leading professionals in India who can hold the mantle of “Data Protection Professional”.

The course which leads to the conferring of the title “Certified Data Protection Professional” by FDPPI, the leading Data Protection Organization in India, is set to create another batch of qualified professionals who will be aware of the law which India is adopting for personal data protection.

Though some professionals are as lethargic as they have always been and would like to wait… and wait… until the law descends upon them and then scramble to acquire the knowledge, a set of forward-looking professionals have decided to start their learning today.

There is no doubt that we are looking at a dynamic law, and it will change in time, not only because the final Act will adopt some changes from the Bill which is currently being discussed, but also with the changing perceptions in the environment: What is Privacy? How can Privacy be protected by Personal Data Protection? What should be the Rights of the Data owners? What should be the obligations of the Data handlers? What exemptions should be given to industry and the Government? And so on.

FDPPI ensures that all those who now opt to take up its certification course will be given guidance on any changes that may occur in the law when the Act is passed.

So the professionals who are currently pursuing the Course, the second batch of which will commence (Online) on April 4th, will be the early torch bearers of the knowledge of the Personal Data Protection Act as it unveils in India.

We welcome all these early adopters who would be the foundation members of the Data Protection Professional community in India.

(P.S: Contact Naavi for more details)

Naavi


Certified Data Protection Professional Course to be accelerated

The Course on Certified Data Protection Professional (CDPP), being conducted with virtual classes from Naavi, was planned to be conducted over 6 weeks with one session each on Saturdays and Sundays starting from April 4th.

In view of the lockdown conditions in the country, with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6 weeks, by conducting two sessions per day on Saturdays and Sundays: April 4, 5, 11, 12, 18 and 19.

The sessions will be conducted from 11 to 12.30 AM and from 3.00 to 4.30 PM on these days.

This program will be called Module-I, which is about the Indian laws regarding data protection. This is the foundation module for all Data Protection Professionals. In the coming days, FDPPI will be conducting additional modules such as Module-G (Global laws including GDPR), Module-T (Technology for Data Protection), Module-A (Data Audit) and Module-B (Behavioural skills for DPOs).

FDPPI welcomes professionals interested in entering the Data Protection domain to make use of this opportunity to upgrade their skills and knowledge and be ready before companies start looking for professionals with the right attitude, knowledge and skills to take over the responsibility as DPOs.

Naavi
