Yesterday, my article about DPDPA products being evaluated by FDPPI raised a valid concern with some of my friends. The concern is whether a “Certification” of software would stifle competition. I fully accept the concern but would like to clarify why this concern is not valid. At the same time, I also would like to express why this is an attempt to expand the scope of FDPPI activities and how it meets the requirements of the DPDPA Eco-System.

The DPDPA Eco-System tries to ensure that a “Data Principal” is able to ensure that his “Personal Data” is processed by Data Fiduciaries only in accordance with the stated law. “Compliance” is what ensures that this objective is met by the society.
In achieving this objective, the law makers have designated a “Regulator”, which is the Data Protection Board (DPB). DPB at present focusses on “Grievance Redressal” and expects the community to manage “Compliance” by itself with the assistance of Compliance Consultants and auditors who are the “Regulatory Intermediaries”. The regulatory intermediaries consist of Compliance Consultants and Data Auditors. They could be private entities, but their mindset is one of assisting the regulators in achieving a DPDPA Compliance Society. Hence we look at them as “Regulatory Intermediaries” though they may not be mandated entities under law. At some point of time in the future the Regulator may accredit some of these intermediaries, though this is not desirable.
The Data Fiduciaries do not act on their own and often take the assistance of intermediaries like Data Processors (some of whom may even be Joint Data Fiduciaries) and software of various kinds, including AI algorithms. The DPOs will have fiduciary responsibilities but work as “Employees” within the organization of a Data Fiduciary. They have to exhibit both the implementation skills and regulatory support mindset. Just as a Data Fiduciary is expected to take care of the interests of a Data Principal, the DPO is a “Fiduciary of Fiduciary” and has to take care of both the interests of the Data Fiduciary as well as the Data Principal.
The Consent Manager is a special Data Fiduciary who works on behalf of the Data Principal and assists the Data Fiduciaries in obtaining consent.
Both the Data Fiduciary and the Consent Manager can also be considered as “Significant Data Fiduciaries” depending on the Volume and Sensitivity of the data processed. However, the primary purpose of a Data Fiduciary is to develop business out of processing of Personal Data and that of the Consent Manager is to assist the Data Principal in managing his consent with different data fiduciaries.
At present, FDPPI is touching all these Eco-System builders. The DGPSI (Data Governance and Protection Standard of India) translates the law and provides an interpretation which is a guidance to all the members of the eco-system. DGPSI at the implementation stage assists the Data Fiduciary, the DPO and also the Data Processors. It also assists the compliance consultants and Data Auditors.
FDPPI provides training for certification of DPOs and Data Auditors and, through affiliated consultants, also provides Compliance assistance and Audit services.
In the midst of this eco-system lie the “Software Developers” who produce products and solutions for compliance. Some of these products could be AI driven or AI algorithms in totality.
Since the Data Fiduciaries will be “Dependent” on such implementation software, sooner or later it will be these products which drive what is right or wrong in compliance in the industry till a Court comes out with its observation whether an organization is compliant or not.
Hence FDPPI's role in Data Protection is incomplete without assisting the software developers in coming up with DGPSI compliant software products or services.
FDPPI does understand the complexity and conflict involved in such involvement since commercial developers of software would be hurt if FDPPI does not provide a positive certification for their products. Such conflicts are common in the Audit Community when an audited and certified agency suddenly encounters a failure in business attributable to the certified product or service. Hence statutory auditors who certify a company may look like fools when frauds surface. ISO auditors may face situations where their clients suffer massive data breaches for security failure. Similarly, the evaluation of a product by FDPPI for DPDPA Compliance also runs the risk of failure either because of inherent problems or misconfiguration.
Instead of chickening out of this responsibility, FDPPI would like to bet on its honesty in evaluating a product and leave it to the auditee to either publish it or not. This is the same principle FDPPI uses when it evaluates the DTS (Data Trust Score) after an audit. It leaves it as a guidance to the auditee and does not publish it by itself.
By providing this service as a special service to its “Special Associate Members” (SAM), FDPPI is trying to assist the members to fine-tune the product and improve it rather than taking pride in being critical. Responsible product developers should appreciate this service as a “Free Consultancy” for product improvement where FDPPI/Naavi would be passing on IPR as part of this service.
I hope the industry would appreciate that this movement to develop “DGPSI Compliant Software” would significantly contribute to developing a “DPDPA Compliant Society in India”.
We welcome readers to contest this thought and add their views as they deem fit.
Naavi