[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
We have so far discussed two important aspects of the PDPSI approach. One is the data classification system, which recognizes 16 types of personal data that may require different compliance controls based on the classification. The second is the Governance system, where there is collective responsibility for the organization, monitoring at the highest level, and integration of multiple functions which may have inherent conflicts in terms of authority into a Data Protection Committee (DPC).
These may be fundamental measures, but they are the key aspects of PDPSI that ensure the controls at the operational level (to be discussed later) are implemented effectively.
Before we proceed further into the individual controls, it is necessary to indicate two other aspects of PDPSI structure which are essential for understanding the controls.
a) Defining the statutory scope of PDPSI
b) Building Measurability of Compliance
Statutory Scope of PDPSI
The objective of PDPSI is to provide the Indian Data Processing industry a framework for a uniform approach towards meeting the compliance requirements. This Indian Data Processing Industry (IDPI) operates in a global environment, both because the Internet itself is a borderless entity and because a large component of contractual processing of international data happens in India.
It is essential that the IDPI recognizes and incorporates the concern of international companies about compliance with the laws applicable to them, without which the IDPI cannot progress. Non-compliance with international data protection laws would lead to a reduction in the flow of BPO activity to Indian companies. On the other hand, an assurance of compliance with international data protection laws should help the IDPI garner more international data processing business with better price realization.
PDPSI therefore is not a competitor to other standards but is an amalgamation of all global standards into one standard and recognizes that India has to develop as the hub of international personal data processing.
The current Indian data protection law, represented by Section 43A of ITA 2000/8, focuses on “Contractual Obligations” between the Indian Data Processor and the supplier of personal data. If the supplier of personal data is a US health care entity and signs a BA agreement as per the HIPAA-HITECH Act, then the Indian Company has to be compliant with the HIPAA-HITECH Act even though it works in India. Similarly, if the Indian Company processes EU data, its contract has to carry an obligation to comply with GDPR.
Hence, a mandate to comply with ITA 2000/8 is automatically a mandate to comply with all necessary international laws through a system of contract management.
What PDPSI achieves additionally is a systematic process by which these laws are built into the system in the data classification itself.
Broadly the scope of PDPSI is defined with reference to Indian laws such as
- Personal Data Protection Act (PDPA 2018) as proposed and under development
- Information Technology Act 2000 as amended from time to time
- The Aadhaar (Targeted Delivery of Financial and other subsidies, benefits and services) Act, 2016 as amended from time to time
- Guidelines of sectoral regulatory authorities including RBI, SEBI etc
- Digital Information Security for Health Care Act (DISHA) as proposed and under development
- Electronic Health Record (EHR) guidelines
- Any other law as may be considered relevant
In this list, “Any other law” includes GDPR, CCPA, etc., depending on the data in question. Hence incoming personal data from the EU would automatically be tagged with GDPR, and the corresponding controls would become applicable.
Since each country defines its own laws, PDPSI leaves the Scope under item (G) above open-ended. This will also take care of any future additions to Indian laws, since Indian data protection laws are themselves in a state of evolution.
Measurability of Data Protection Compliance
In Risk Management, we sometimes distinguish between Qualitative and Quantitative types of Risk measurement. In Technical risk assessment, various statistical methods are used to measure the risks. But in Techno Legal risk assessments, a “Qualitative” or “Subjective” depiction of “Risk Measurement” is preferred.
Compliance is a “Techno Legal” factor, and hence it is not easy to provide a quantitative assessment of how much of the risk is covered by the compliance process.
However, PDPA 2018 has proposed that a “Data Audit” shall be conducted annually by an external auditor and a “Data Trust Score” (DTS) is assigned to the organization. This DTS is therefore a measurable component of the “Status of Compliance” in an organization. It could be like the “Credit Rating” that is used in the Finance industry.
PDPSI recognizes the mandatory nature of the DTS system in the Indian Data Protection regulation and adopts it into its requirements, though some changes may occur in this respect in due course when the final act is passed.
Naavi has already presented his system titled “5X5 Data Trust Score System”, which attempts to present one model by which Data Audit results can be reduced to a “Numeric Index”. This is an example of how measurability can be introduced into the implementation of PDPSI.
PDPSI therefore prescribes that “Compliance shall be measurable”. It does not mandate the use of any particular system of measurement; it is left to the auditor to design an acceptable system. For the time being, Naavi’s 5X5 DTS system is considered a suggestion and is annexed to the PDPSI. Other measures, as and when developed, may also be considered for addition to the annexures. It is recognized that, though parts of the compliance and the assessment are “subjective”, at least the expression of measurability can be standardized through these annexed suggestions.
I am presenting the PDPSI concepts one by one so that experts can go through and suggest further refinements. This will continue.
Many of my friends are wondering how I as an individual can take on the globally recognized agencies and speak of a “Standard”. I can only say that if the intentions are right, even an individual should try to make a move towards the desired goal. At the same time, I am inviting all my friends to join me in developing these standards so that it becomes a participative exercise.
But participating in this process requires commitment, courage and a self-belief that we are capable of defining what is good for the Indian market better than some other international agency which anyway hires our own people to create a proprietary document to make money.
All those who have such commitment are welcome to join this movement to create PDPSI and make it acceptable to the society.
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System…. Some clarifications
- Naavi’s Data Trust Score Audit System…allocation of weightages