Data Protection Governance Framework

Posted on January 30, 2023 by Vijayashankar Na

Naavi has been advocating a Data Protection Compliance Framework for organizations to follow as a replacement of international frameworks like ISMS under ISO 27001/27701 etc., without diluting the requirements of these frameworks but enhancing them to many new Governance related issues. In a way, the DPCMS advocated by Naavi/FDPPI was a Data Governance Model which included Data Protection as a part of Governance.

On the other hand, the other popular systems started with different objectives and had to introduce new supplementary frameworks to bring it in alignment to the corporate requirements to retain their relevance.

For example, quality management systems had to be upgraded to security management systems and security management systems had to be upgraded to cover Privacy issues, Privacy Management systems for one jurisdiction had to be supplemented with requirements for another jurisdiction etc.

Hence compliance today has become complicated and if it has to be certified then multiple frameworks need to be complied with and documented.

If we look at  PDP-CMS, the Personal Data Protection Compliance Management System which is built on PDP-CSI, or Personal Data Protection Compliance Standard of India, the framework presents itself as a “Unified Framework” that can be applied across jurisdictions as it is focussed on “Compliance” of a given law.

The reason why PDP-CMS is flexible is that it is not limiting itself to the “Security” aspect only but goes onto being a “Governance” model.

For example, the PDP-CMS comes with 50 Model implementation Specifications. Of these 20 are directly related to IT systems. 15 of the specifications are related to Management and another 9 to the DPO while 2 are for legal and 4 for HR requirements.

It may be therefore appropriate to consider PDP-CMS as a Governance model with a focus on Compliance of a given Data Protection Law.

The futuristic concepts that has been used in PDP-CMS and guided by PDP-CSI, include

a) Distributed Responsibility

b) Data Valuation and Accounting

c) Senior Executive development

d) Communication Management

e) Business Associate Approval

f) Regulatory Agency relationship

g) Augmented Whistle blower system

h) Grievance Redressal System

These are more “Governance Requirements” than IS requirements.

The visionary nature of PDP-CMS is evident in the fact that some of these requirements are now getting highlighted by experts as requirements for implementation.

Hopefully the  inherent strength of PDP-CMS will gain more recognition in the industry in the days to come.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.