IS 17428 and PDPSI

Recently, the Bureau of Indian Standards (BIS) introduced a new standard, IS 17428, as the standard for providing privacy assurance to individuals and for organizations to set up a “DPMS”, or Data Protection Management System.

Obviously there is a need to compare IS 17428 with PDPSI, which is already being used to evaluate the Personal Data Protection Compliance Management System (PDP-CMS) in organizations that process personal data.

IS 17428 comes with a good pedigree since it is backed by the BIS. But compared to PDPSI, it is observed that the standard makes no attempt to cover the requirements of the PDPB 2019, which is the forthcoming data protection law in India. Nor does it confine itself to the requirements under Section 43A of ITA 2000, which is the current data protection law in India. Instead, the standard looks to GDPR and largely replicates ISO 27701.

Like ISO 27701, IS 17428 cannot be implemented without ISO 27001 and is not certifiable on its own. PDPSI, on the other hand, includes technical security measures within itself and is certifiable, with a DTS (Data Trust Score) calculated as part of the assessment.

The IS 17428 standard has two parts: Part 1, termed “Requirements”, and Part 2, termed “Guidelines”. The Guidelines are stated to be optional.

Part 1 has the following six sections:

1. Scope
2. References
3. Definitions
4. Privacy Engineering
5. Privacy Management
6. Compliance

Part 2 contains the first five sections but not the sixth (Compliance).

The standard tries to distinguish the terms “Privacy Engineering” and “Privacy Management”. Rather than providing clarity on two roles in privacy protection, one for the technical team and one for the organizational team, this adds more confusion to the compliance process. If Privacy Engineering refers to the technical side of processing and Privacy Management to the policy side, it remains unclear whether a Data Protection Officer (DPO) is a Privacy Engineer or a Privacy Manager.

In PDPSI, the DPO is not the only person responsible for compliance: under the “Distributed Responsibility” concept, every employee acts as the DPO for his or her own area of function. This raises the level of “Accountability” of the organization, which becomes the aggregate of the accountability of every employee.

PDPSI addresses “Privacy Engineering” through its implementation specification on “Privacy by Design”, but leaves the direction to the DPO, together with the distributed responsibility of the engineering team.

Unlike ISO 27701, which integrates ISO 27001/2 into the standard itself, IS 17428 provides only the DPMS-related requirements and relegates the ISO 27001 reference to the optional guidelines in Part 2.

As a result, the document lacks adequate clarity.

PDPSI, on the other hand, comes with 12 standards and 50 implementation specifications. The standards give an overview, while the implementation specifications go a step further into the details.

The 50 implementation specifications of PDPSI cover not only the PIMS-related aspects of ISO 27701 and the DPMS requirements of IS 17428; they also cover the requirements of ISO 27001/2, although those requirements are grouped under fewer than 50 items.

It is for this reason that PDPSI is described as the “Essence of the Essentials, but different by far”.

(Continued…)

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.
