[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
An information security standard is a set of guidelines which should help an organization reach a minimum desired level of security implementation. The primary purpose of the standard is “Implementation” and the secondary purpose is “Certification”.
Hence, how an organization allocates roles and responsibilities for the implementation of information security is also considered part of the standard itself. Other standards may also address this issue under “ISMS Organization”.
In IS implementation, Naavi recognizes the implementation priority based on the “Pyramid Model”. The implementation itself is also expected to be influenced by the “Theory of Information Security Motivation”. A brief discussion of these two concepts is required to explain the logic behind the definition of implementation responsibility.
Naavi’s Pyramid Model of prioritization of information security goals suggests that an organization follows the implementation sequence indicated in the following diagram.
What this representation means is that, though we say that “security is only as strong as its weakest link”, in practice an organization follows a priority chain: it first focuses on the Availability of information to its decision makers, then on Integrity and then on Confidentiality, before rising to the higher levels of Authentication and Non-repudiation. This theory is at slight variance with the CIA principle which characterizes the general understanding of information security.
As a result, an organization on its journey towards information security would first have created a CTO role and then moved on to a CISO to entrust the responsibilities of information security. When the legal aspects of information security get recognized, the role of “Compliance Officials” appears. The recent generation of data protection legislation has now brought in the role of “Data Protection Officers”, either as employees of the organization or as external consultancy agencies.
PDPSI therefore recognizes the possibility that a subject organization may already have a CTO, CISO, CCO and perhaps a DPO before it starts thinking of PDPSI implementation. Some of them could also have attempted ISO 27001, HIPAA or PCI DSS implementation and hold the necessary certificates. PDPSI tries to integrate all these implementations and creates a super controller who is responsible for all the compliance requirements.
PDPSI therefore prescribes that the implementation responsibility for PDPSI lies with the topmost level of management, equivalent to the Board in a corporate structure. Implementation of PDPSI must therefore have the backing of a Board resolution and must also be incorporated in the annual report to the shareholders or other equivalent disclosure documents.
Under PDPSI, every organization shall have a designated group of persons entrusted with the overall responsibility for compliance, which shall constitute the Data Protection Committee (DPC), of which the CEO of the organization and at least one member of the Board of Directors shall be a part. The group shall also designate one individual coordinator, who shall be the Personal Data Protection Officer (PDPO) of the organization and responsible for representing the organization before the regulatory authorities and the public on compliance related issues.
Periodical Data Protection Status Assessments (DPSA) may be conducted by the PDPO, but every annual Assessment of Data Protection Status shall be undertaken by an independent external agency.
Thus the responsibility for PDPSI lies with the DPC at the operational level and with the Board at the policy level. The PDPO will be the coordinator of the activities and will assume all the responsibilities of the DPO as envisaged under PDPA 2018 or GDPR.
However, the PDPO would periodically send status reports to the DPC so that the DPC cannot absolve itself of its collective responsibility. The DPC itself shall keep the Board apprised at periodical intervals, and this shall be incorporated in the corporate disclosures through the annual report etc. This ensures that even the shareholders are kept informed at suitable intervals, so that there is transparency in the activities that provide assurance of information security implementation in the organization.
The creation of an ISMS structure needs to be customized for every organization, and hence further details are left to the discretion of the management. The structure adopted would reflect the organizational commitment to fair implementation of PDPSI, which an auditor may consider when evaluating the Data Trust Score or an equivalent measurable representation of the standard.
In summary, the PDPSI standard for ISMS organization creates a shared responsibility at the Board level, followed by the DPC, and does not load the PDPO with a responsibility which he cannot enforce. However, by the power of statute, the PDPO would be saddled with the responsibilities that PDPA 2018 or GDPR envisages, though he may try to build a protective shield by escalating issues to the top management. This would check the tendency of some managements to manipulate the DPO and compromise security because of other business priorities.
It is envisaged that all genuine business related compromises are built into the document “Legitimate Interest Policy”, which is discussed later, and hence PDPSI takes into account both the theoretical prescriptions of laws like GDPR and the practical realities at the level of implementation.
(Comments are welcome. Further discussions will continue)