PDPSI was the first PDPMS to introduce the concept of “Data Centric Compliance Structure” while most other frameworks focus on the organization.
IS17428 discusses the applicability of the framework under the two heads of Jurisdiction and Classification.
- Under para 18.104.22.168 (Part 2), it recognizes that “Organizations that collect and process personal information should carefully determine their jurisdiction before determining the Privacy requirements”.
- Under para 4.1.4 it speaks of “Data Classification Criteria” stating that “It is important to establish a framework for classifying personal information on its level of sensitivity”. In a slightly contradictory indication, para 4.1.4(d) states that if an organization already has information classification guidelines such as “Restricted”, “Confidential” and “Public”, personal information may be classified as “Confidential” and “Sensitive personal Information” as “Restricted”.
- Additionally, under para 1 of Part I, the scope of application is based on the entity as a whole. Further, it recognizes the Data Controller and Data Processor status as mutually exclusive. Para 3.5 (Part I) is clear that “For an entity to become data processor, it shall also be a separate entity from Data Controller”.
It is worth noting that PDPSI takes a more flexible and practical approach to defining the roles of “Controller” and “Processor”, which it refers to as “Data Fiduciary” and “Data Processor”: the roles are defined as per the context. For example, in one process, organization A may be a Data Controller of B. In another process, organization A may be a Data Processor of C or even of B itself.
Further, Standard 1 of PDPSI addresses the issue of multiple jurisdictions through “Classification” by stating:
“Compliance plan shall be based on specified law applied on an identified Compliance entity”.
The explanatory note on Standard 1 states:
When an organization is processing personal data on which laws of multiple jurisdictions are applicable, it is necessary to recognize that one law cannot be applied to the entire processing activity.
Hence scope of compliance program must be defined with reference to the applicable law.
Also since legal compliance is an administrative responsibility, the responsibility of compliance normally rests at the enterprise level.
Hence scope definition cannot ordinarily be restricted to a division or a location.
In certain cases, it will be necessary to restrict the application of compliance to a limited number of processes or people.
In such cases, it is necessary to treat the organization as a “Composite Entity” consisting of multiple sub-units each of which may be exposed to the risk of one data protection law. This is suggested so that some of the other sub-units can be kept out of the compliance without the risk of noncompliance.
This will also enable co-existence of one sub-unit which is GDPR compliant while the second sub-unit is PDPA (India) compliant and the third sub-unit is PDPA (Singapore) compliant etc.
This will simplify the compliance and avoid the errors that may creep in because of overlapping of the laws.
On Data Classification, Standard 5 states:
“Appropriate Compliance oriented Data Classification shall be incorporated”
The explanatory note on the Data Classification Standard states as follows:
Every data protection law is applicable only to a certain definition of applicability. This is in almost all cases based on the need to protect the Privacy of the citizens of a jurisdiction to which the law belongs, and an organization may simultaneously handle personal data of multiple jurisdictions.
To avoid overlapping of laws and to avoid missing of compliance measures, personal data shall be classified as required for compliance of the specific law, so that a “Virtual Silo” of personal data can be created within an organization. Where personal data from multiple countries of origin are received, the classification may provide creation of multiple virtual silos of personal data, one for each country of origin so that provisions of specific laws may be applied to each silo separately.
Additionally, classification must consider the legal requirement and not be based solely on the level of confidentiality which is normally used as a basis of data classification for Information Security purposes.
Hence data classification tags may include personal-non personal, employee-nonemployee, Minor-not a Minor, Sensitive-Not sensitive etc.
A few countries have regulations where the objective of the data protection laws extends beyond protection of Privacy of an individual to protection of the business entity information or from living persons to deceased persons. These are considered as exceptional situations and classification of such non-personal information is considered as another “Special Category” of information.
The corresponding implementation specification actually goes further and provides a guideline for data classification as indicated below
The classification guideline therefore takes into account both the segregation of data based on applicable law and also in a manner that is relevant for PDPMS. All data which is not “Individually identifiable” automatically gets classified as corporate data asset or “Non Personal Data”.
If the organization can tweak its technology architecture, this classification provides an option to create virtual silos of different kinds of personal data for effective management of controls even when multiple jurisdictional laws are involved.
It is for this reason that PDPSI is referred to as a “Unified” law.
Additionally, PDPSI provides for an “Aggregation” of people and technology resources to create a “Compliance Entity within a larger Corporate entity” and apply the compliance related to a specific law to the specific sub-entity.
PDPSI also takes into account the needs of the “Work From Home” situation so that the sub entity can even be created as a “Virtual Entity”.
Thus PDPSI Vision is broader and stands taller than IS 17428.
For those who are not blinded by the aura around “ISO”, PDPSI is a Taller and Broader framework and leaves IS 17428 far behind in terms of futuristic outlook.
For professionals who understand the “Need to be compliant” rather than the “Need to be Certified”, PDPSI would be the unmistakable choice.
While it is difficult to reproduce the entire PDPSI framework and compare it with the entire IS17428 in these columns, any specific queries may be addressed to Naavi.
Some of the FDPPI’s supporting members are already equipped to handle the responsibility as “Consultants” as well as “Auditors” with trained auditors available for providing the consultancy/audit services.
PDPSI audits come with an assurance of “Mentor Support”: a limited consultancy on a quarterly basis, offered as a continuing service to the auditee companies. This unique support is made available to increase the confidence of organizations taking up audits of their PDPMS under the PDPSI framework.