The initiative of DSCI and BIS to work on a framework for compliance under a working group ISO/IEC JTC 1/ SC 27/WG 5 – Privacy Protection & Personal Data Governance is a notable development.
It is good that 3 years after the passing of the DPDPA 2023 and also after the Draft Guidelines of BIS on Data Governance , an effort is being initiated to develop a standard for Data Protection .
It is however necessary to point out that this work should not end up as a “Reinvention of the Wheel”.
We draw the attention of BIS to the existing framework “DGPSI” or Data Governance and Protection Standard of India which
- Is a framework developed by an organization of the professionals namely the FDPPI which is a Section 8 company, exclusively for the Indian scenario
- FDPPI does not carry the vested interests of the Big Tech
- The DGPSI Framework is available as a Public Document
- The Framework is already under implementation by many auditors
- The Framework comes with variations such as
- DGPSI Full
- DGPSI Lite (For SMEs)
- DGPSI-AI (For AI deployers)
- DGPSI-HR (For HR systems)
- DGPSI-DP (For Data Processors)
- DGPSI-GDPR (For GDPR Compliance)
Documents are available in the form of published printed books and on different websites.
These frameworks could be adopted and fine tuned by BIS into modified frameworks. It is therefore not necessary for BIS to start a new work from scratch.
We note that BIS is trying to collaborate with DSCI an arm of NASSCOM, which is strongly influenced by the Big Tech Companies. It is well known that DSCI had filed a dissent note to the Justice Srikrishna Committee in support of the Big Tech Industry along with the many opposition politicians.
We foresee that the framework development process is likely to be under the influence of the Big Tech and not be independent.
We are sure that BIS would have examined this aspect and it would be interesting to understand the logic of BIS in not considering the upgradation of DGPSI into a BIS framework and opting to go for a different exercise for development from scratch.
Even now the BIS committee can hit the ground running if it picks up the DGPSI framework as the foundation and work a new BIS version.
DGPSI has already has incorporated the August 2023 draft guidelines released by BIS on Data Governance and Data Protection. It is already in the next level of compliance requirement addressing the requirement of deployment of AI by Data Fiduciaries, the special requirements of the HR sector, SME Sector. It is ready with a recommended framework for the Data Processors and even for the GDPR network.
Hence it does not seem logical that the DGPSI input is excluded from the work of BIS.
We request that BIS may set up a separate committee to study these frameworks and if found necessary, reject them before they invest on the new working group.
We draw the attention of the MeitY and the Standing Committee on IT in the Parliament to take the lead in setting up such a committee so that a proper logic be built on the need for a new effort at a higher cost rather than modification of the existing frameworks.
DGPSI is a framework made in India for the world..not as a mere slogan, but as a concrete work. FDPPI accepts that the framework can be improved and request BIS to study the framework and if possible adopt it as BIS-DGPSI framework.
We await the top management of BIS and the Ministry of Consumer Affairs to react to this proposition.
PS: A copy of this note is being forwarded separately to BIS for necessary action.
Refer:
Article on naavi.org: IS17428 and PDPSI
