IS 17428-I under para 5.12 states,
Staff handling personal information or activities related to processing personal information shall:
a) Be trained and kept aware about developments depending on their role;
b) Be aware of their responsibility in protecting data;
c) Be traceable to their actions or inactions;
d) Subject to appropriate disciplinary actions when proved to be in violation of responsibility.
The organization shall determine suitable criteria for qualification, competency and evaluate staff before assigning them responsibility related to data privacy.
In the PDPSI the need to equip the employees is handled both at the operative level as well as at the senior level.
Standard 10 under PDPSI states:
“The organization shall establish appropriate strategic and tactical measures to build and maintain a culture of Privacy Protection through data protection across the entity and covering all stake holders.”
In the detailed explanation of Standard 10, it is stated,
“…Measures are therefore required to be taken by an organization to ensure that the compliance culture is built across all levels of employees, Vendors, business associates as well as the customers, so that every stake holder is aware of and implements the compliance measures as if the responsibility percolates to all.
This requires both incentivization and dis-incentivization strategies to be used for the best impact. Implementation of whistleblower policies and an effective grievance redressal mechanism both for internal and external disputes is also considered essential to maintain the compliance culture across the organization.”
This is further supplemented by the Model implementation specifications that cover “Employee Privacy Management”, “Work from Home”, “Augmented HR Policy” etc.
Additionally, Standard 9 mentions the Employee onboarding/Termination policy, besides other aspects.
PDPSI goes one step further and recognizes that, Data Protection being a “Cross Functional Responsibility”, the DPO is likely to encounter non-cooperation or hostility from other senior management professionals. It advises an appropriate policy under Implementation specification no 7:
“The organization shall adopt and implement a suitable policy to ensure harmonious functioning of the DPO with the other senior executives of the organization with an appropriate clarity of roles and responsibilities including measures to resolve differences.”
Thus PDPSI thinks far ahead of frameworks such as IS 17428 and retains its tag line:
Essence of the Essential and yet different by a distance.* (*meaning: सब का सार, फिर भी, अलग…by Far)