In December 2000, Naavi started promoting the concept of “ITA 2000 Compliance”… as the digital mantra for the corporate era. The 2008 amendments to ITA 2000 changed its character into that of a security-oriented law, and ITA 2008 compliance became a mandatory requirement.
ITA 2008 compliance included compliance with Section 43A, which covers Personal Data Protection.
This translated in 2009 into a framework named the Indian Information Security Framework (IISF 309), which was used for ITA 2000 compliance. After some evolution, IISF 309 became a 30-parameter framework, as indicated below.
This framework was confined to 30 requirements, not the 114 controls we look at today in ISO 27002. However, it covered the essential aspects needed to meet all the requirements under ITA 2000, including Grievance Redressal. It also recognized the responsibilities of operational executives other than IT executives.
Consequent to the focus that has now come on PDPB 2019, there was a need for a special framework for Personal Data Protection, and it emerged as PDPSI, the Personal Data Protection Standard of India. This framework has 50 implementation specifications under the umbrella of 12 standards. It was an expansion of IISF, since new controls became necessary for Privacy management.
PDPSI started with a “Classification” of data into “Personal Data” and “Non Personal Data”, and thereafter focused on the requirements for Personal Data Protection as per the law. Non Personal Data Protection was left to “DPSI”, the Data Protection Standard of India, which follows the IISF 309 approach.
This has now evolved into a 33-point framework, as follows.
It may be observed that the new framework incorporates concepts such as Data Value accounting, which came up during the PDPSI discussions.
It was initially expected that PDPB 2019 would restrict itself to Personal Data Protection and that a separate law would be passed for “Non Personal Data Governance”.
PDPB 2019 therefore defined “Personal Data” on the basis of certain parameters, and whatever was not “Personal Data” was treated as “Non Personal Data”. Within this distinction there was one set of data which was “Personal Data” and which, upon Anonymization, became “Non Personal Data”.
There was confusion in the industry, which got carried into the JPC, that Anonymization is just another form of De-Identification or Pseudonymization. The fact that Anonymization is an “irreversible” transformation of what was hitherto “Personal” into “Non Personal” information, while De-Identification and Pseudonymization are “reversible”, was not sufficiently digested. The Personal Data Protection Authority was expected to develop an acceptable standard of “Anonymization” that would render “Personal Data” into “Non Personal Data”.
Technology specialists lacked confidence that an acceptable level of “Anonymization” could be defined and adopted as a standard, even if a “Brute Force Attack to re-identify anonymized information” were covered by a provision of the law criminalizing such “Brute Force de-anonymization”. This led the new JPC to consider some changes to PDPB 2019 as approved by the earlier JPC chaired by Mrs Meenakshi Lekhi.
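The reversible/irreversible distinction above is easiest to see in code. The following is an added example, not part of the original post and not any standard issued under PDPSI: it pseudonymizes a constructed set of records with a keyed token table (reversible by whoever holds the table), shows that an unkeyed hash of a low-entropy identifier such as a PIN code is not anonymization because the attacker simply enumerates the identifier space (the “brute force re-identification” referred to above), and then anonymizes the same records by dropping direct identifiers, generalizing the quasi-identifiers and suppressing any group smaller than k, after which no key or table exists that leads back to a person. All names, phone numbers, PIN codes and the assumed 560000-569999 PIN range are made up.

```python
"""Added example: reversible pseudonymization vs. irreversible anonymization,
and why an unkeyed hash of a low-entropy identifier is not anonymization.
All data below is constructed; names, numbers, PIN ranges and keys are made up."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of "personal data" records (hypothetical people).
RECORDS = [
    {"name": "A. Rao",   "phone": "9812345670", "pincode": "560034", "age": 34, "diagnosis": "asthma"},
    {"name": "B. Iyer",  "phone": "9812345671", "pincode": "560038", "age": 37, "diagnosis": "asthma"},
    {"name": "C. Khan",  "phone": "9812345672", "pincode": "560001", "age": 52, "diagnosis": "diabetes"},
    {"name": "D. Menon", "phone": "9812345673", "pincode": "560004", "age": 58, "diagnosis": "diabetes"},
    {"name": "E. Singh", "phone": "9812345674", "pincode": "560102", "age": 41, "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = ("name", "phone")
QUASI_IDENTIFIERS = ("pincode", "age")


def pseudonymize(records, key):
    """Reversible: the phone number becomes a keyed HMAC token and the
    token -> phone table stays with the data fiduciary. Anyone holding the
    table (or the key plus a guess) can re-identify, so this is still personal data."""
    lookup = {}
    out = []
    for r in records:
        token = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["phone"]
        out.append({k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} | {"id": token})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Undo the pseudonymization with the mapping table."""
    return [lookup[r["id"]] for r in pseudo_records]


def naive_hash(value):
    """Unkeyed SHA-256 of an identifier, often mistaken for anonymization."""
    return hashlib.sha256(value.encode()).hexdigest()


def brute_force_pincode(digest, lo=560000, hi=569999):
    """Re-identify an unkeyed hash by enumerating the small identifier space
    (assumed here: six-digit PIN codes of one city). Returns None if not found."""
    for candidate in range(lo, hi + 1):
        if naive_hash(f"{candidate:06d}") == digest:
            return f"{candidate:06d}"
    return None


def is_k_anonymous(records, quasi_ids, k):
    """True if every combination of quasi-identifier values occurs at least k times."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return all(c >= k for c in counts.values())


def anonymize(records, k=2):
    """Irreversible: drop direct identifiers, generalize quasi-identifiers,
    then suppress any equivalence class smaller than k. No key or table
    exists afterwards that maps a row back to a person."""
    generalized = []
    for r in records:
        decade = (r["age"] // 10) * 10
        generalized.append({
            "pincode": r["pincode"][:3] + "xxx",       # keep only the sorting district
            "age": f"{decade}-{decade + 9}",           # ten-year band
            "diagnosis": r["diagnosis"],
        })
    counts = Counter(tuple(g[q] for q in QUASI_IDENTIFIERS) for g in generalized)
    return [g for g in generalized if counts[tuple(g[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pseudo, table = pseudonymize(RECORDS, key)
    print("pseudonymized rows re-identified:", reidentify(pseudo, table))
    digest = naive_hash(RECORDS[0]["pincode"])
    print("unkeyed hash of PIN code recovered by enumeration:", brute_force_pincode(digest))
    anon = anonymize(RECORDS, k=2)
    print(len(anon), "rows after suppression; 2-anonymous:",
          is_k_anonymous(anon, QUASI_IDENTIFIERS, 2))
```

Note the asymmetry: the pseudonymized set is reversed with one dictionary lookup, and the “hashed” PIN code falls to a few thousand hash computations, whereas the generalized set discards information that cannot be recovered from the output alone. Whether a given generalization is “acceptable” is exactly the standard-setting problem the post describes; the code only makes the two failure modes visible.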
Leaked reports about possible modifications to the earlier draft of PDPB 2019 now carry a rumour that the “Data Protection Authority” to be constituted under PDPB 2019 will be entrusted with the responsibility for both Personal Data Protection and Non Personal Data Governance, and that “Data Breach Notification” under PDPB 2019 will also cover the reporting of “Non Personal Data breaches”.
The Non Personal Data Governance requirements suggested by the Kris Gopalakrishnan Committee need deliberation over a few years and cannot be brought into PDPB 2019 in the draft expected to be presented to Parliament in December 2021. It is therefore expected that whatever changes may be made in PDPB 2019 regarding Non Personal Data would only be peripheral.
While making the DPA responsible for the “Anonymization Standard” is natural, and to that extent the DPA becomes the authority regulating “Converted Non Personal Data”, the entire regulation of Non Personal Data Governance is a completely new law which requires a different regulator. While PDPB 2019 is a “Privacy Protection oriented law”, the “Non Personal Data Governance Act (NPDGA)”, as it may be called, would be a law on how to monetize non personal data. It is more about Data Valuation and Data Marketing.
Just as a CFO and a CMO often have different perspectives in business, the PDPA regulator and the NPDGA regulator need diametrically opposite attitudes towards business. The PDPA regulator will be close-fisted and inward looking, while the NPDGA regulator will be an extrovert and more liberal.
Combining the two roles could result in conflicts and be dysfunctional. The Courts, which follow the directions of the Puttaswamy judgement and expect PDPA-India to meet the standards of Privacy protection laid down in that judgement, will find a combined law, if it comes forth as a “Personal and Non Personal Data Protection Act of India”, to be a dilution of the requirements expected for personal data protection.
This approach would deviate from global practice, which keeps Personal Data regulation under laws such as GDPR and CCPA and keeps Non Personal Data protection under “Computer Abuse” regulation or a “Cyber Security Act”.
Since it appears that the DPA under PDPB 2019 will be declared the regulator for Non Personal Data Protection (which is presently the responsibility of the Director, CERT-In, under ITA 2000/8), and that “Non Personal Data Breach Notification” would be shifted from CERT-In to the DPA under the new PDPB 2019, the industry needs to gear up to meet this change.
Since an organization following the PDPSI framework to meet the standards of PDPA-India will now have to watch its back for the protection of “Non Personal Data of whatever nature” brought under the new version of the Bill (e.g. “Anonymized Personal Data”), it has become necessary to emphasize that PDPSI has to be complemented with DPSI, at least as applicable to the “Data Breach Notification” requirements.
Even if the change is restricted to the reporting of breaches of non personal data only, this would require identification of a potential data breach, a forensic investigation and a harm audit, all directed at Non Personal Data. Hence there would be a need to take a holistic view of Personal Data Protection and Non Personal Data Protection (to the extent covered under PDPA-India) at the time of compliance.
The 33-point framework indicated above therefore becomes the twin framework to be considered by all organizations.
The framework will be further expanded with detailed notes shortly.