The Day After DGPSI-HR Discussion

Yesterday, the cream of professionals in the Data Protection domain congregated to discuss a compliance framework titled “DGPSI-HR”.

Since it was the first exposure to this framework, it was a time for most to absorb the information and contemplate the implications of what was discussed.

I have started receiving some queries in this regard and would be happy to discuss the same and continue the debate.

Question 1: 

While there are already the frameworks DGPSI-Full and DGPSI-Lite, which can be extended to DGPSI-AI, one of the first thoughts is: what additional business needs will this new framework address?

It is a pertinent question. DPDPA is a law and is conceptually a framework of its own. This has been captured in the DGPSI-Lite version which is a simple conversion of compliance clauses in DPDPA into a framework.

DGPSI-Full is a broader framework that adds certain governance issues and also enables DTS calculation. It is more comprehensive than DGPSI-Lite and includes some higher-level concepts such as Data Valuation and Distributed Responsibility.

However, the data-driven industry has some sectors for which a sharper framework that addresses specific needs is required.

There were a few such sectors under consideration when we thought of DGPSI-HR.

One was the large section of ancillary manufacturing industries, typically the units in an industrial estate where one engineering entrepreneur engages 10 workers and a few lathes or similar equipment and manufactures goods for specific customers.

DPDPA is applicable to such units and there is no specific dilution of the Act. I agree that the Government is empowered to provide some exemptions under Section 17 for such units and in fact may do so in the next 5 years. However, until the law provides concessions, we need to assist such organizations to be compliant with the law without too much pain. Such organizations mainly handle “Business Contact Data” and do not process personal data of the public. They do process the personal data of their employees, some of whom may be covered by an employment contract and some under contract.

Such companies need to have a simpler version of DGPSI. DGPSI-HR may be more than sufficient for them to be compliant with the DPDPA.

Secondly, there are many HR service organizations that are into background verification, payroll management, manpower hunting and placement, etc. Such activities are project-based activities which have joint data fiduciary responsibilities for the project. They “employ and deploy” human resources under a B2B contract with customers, where these employees will process personal data of the customers. They may also “contract and deploy” in some cases.

Thirdly, in the health care sector there could be hospitals which engage medical practitioners on a contract basis to render services as part of the hospital service, but with the expert being in full control of the activity and often using the data for presentation for research and other purposes as a joint data fiduciary.

Fourthly, there are many large IT organizations which work on an “Employ and Deploy” model where they send their employees to work at the client’s place. Such organisations can consider segregating this activity into a subsidiary activity and function like a Hybrid entity. In such a case, DGPSI-HR may become useful as a focussed implementation framework for such a subsidiary.

It was necessary to innovate the new framework to address such instances.

We invite more use-cases to be referred so that we can continue to debate how the framework will be useful for both the industry and the data auditors.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.