In the absence of a Data Protection Authority as envisaged under the PDPB 2019 (since withdrawn), the regulation of data security under the general information security provisions of the Information Technology Act 2000, as amended in 2008, assumes greater importance. Though MeitY has also indicated that it would like to revise ITA 2000/8, we presume that it would not scrap ITA 2000 before a new law is passed, as it did in withdrawing the PDPB 2019.
Hence, until the new “Comprehensive” and “Perfect” “Digital India Act” (NDPAI) is passed into law and notified, ITA 2000/8 will continue to be the governing law on data protection in India, and compliance with ITA 2000/8 continues to be the requirement for all IT users.
ITA 2000/8 has three regulators, namely the “Adjudicators appointed under Section 46 of ITA 2000”, the “Director General, Indian Computer Emergency Response Team” designated under Section 70A of ITA 2000/8, and the Police, as per their powers under Section 80 of ITA 2000/8.
All these agencies have suo motu powers of investigation. The Police have such powers in respect of cognizable offences. CERT-In has a duty to monitor national cyber security and therefore the accompanying suo motu powers. Though Adjudicators normally act on the basis of a complaint from a cyber crime victim, they also have suo motu powers under the notifications of MeitY, should they choose to exercise them.
Hence all IT organizations that feel comfortable after the withdrawal of PDPB 2019 may be under a false sense of security, since ITA 2000 confers more powers than PDPB 2019 envisaged for the Data Protection Authority: ITA 2000 applies to the handling of both personal and non-personal information, whether sensitive or otherwise, and provides for both civil penalties and imprisonment. Penalties may not be expressed in terms of 4% of global turnover, but there is no upper limit. At the same time, criminal punishments can extend up to life imprisonment.
Hence compliance with ITA 2000/8 becomes more onerous than compliance with PDPB 2019.
In the light of the above, the recent CERT-In Guidelines assume greater importance, since they indicate that the sleeping giant called CERT-In might have woken up to its duties, responsibilities and powers.
We therefore consider it necessary for organizations to work on compliance with ITA 2000 in general, and the CERT-In guidelines in particular are essential for compliance in corporate circles.
Naavi and Ujvala Consultants Pvt Ltd are therefore working on a framework for Compliance Rating under the CERT-In Guidelines, similar to the DTS-GDPR and DTS-DPA 2021 released earlier under the Data Protection Compliance Standard (DPCSI).
The details will be published shortly. The rating will be called CMR-CERT-IN.
We would like to emphasize that this is a voluntary exercise by Naavi, and that CERT-In has no role as an organization in the development of this CMR.
Naavi/Ujvala does not have any accreditation with CERT-In for this purpose. However, compliance is a voluntary exercise, and we hope and believe that CERT-In should be happy if organizations start complying voluntarily, without CERT-In having to wield the stick.
A good rating under this scheme does not legally amount to compliance with the CERT-In guidelines, though it is meant exactly for that purpose.
It may be noted that Naavi has been a compliance evangelist since 2000 and floated the idea of a CERT-In in the private sector 4 years prior to the formation of CERT-In as a division of the Ministry of IT.