[In continuation of the earlier article(s) on PDPSI, we proceed to unravel further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available an open-source guideline for Indian companies to comply with privacy and data protection requirements that meet the standards of BS10012 and GDPR as well as Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]
Compliance with a privacy protection regulation, whether under PDPA 2018, GDPR or any other law, normally starts with
b) Information Security Policy
In a way, information security for privacy protection is a subset of information security for the organization as a whole. If necessary, an organization may opt to develop a “Personal Data Protection Policy” (PDPP), treated as a subset of the Information Security Policy, and let the DPO/DPC manage the PDPP while the CISO handles the IS Policy of the organization.
An organization may at times need to override certain standard practices for its legitimate business interests or for reasons such as national security, public interest or journalistic requirements. To ensure that it is not then confronted with a charge of “Non Compliance”, it is recommended that a separate policy document be drafted to codify why the regulation may either not be followed or be followed differently, what safeguards apply in that case, and under what circumstances the exception may be invoked.
Not having a “Legitimate Interest Policy” would make the life of the DPO difficult, since he would confront powerful business executives trying to bypass the privacy policies and justifying it on business grounds, while the resulting consequences of non-compliance become the responsibility of the DPO. By having a separate Legitimate Interest Policy (LIP), the DPO knows exactly what he can and cannot do.
[To Be Continued… Comments welcome]
Other Reference Articles
- A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
- Data Protection Standard of India- (DPSI)
- Data Classification is the first and most important element of PDPSI
- Why 16 types of Data are indicated in PDPSI?
- Implementation Responsibility under Personal Data Protection Standard of India
- India to be the hub of International Personal Data Processing… objective of PDPSI
- Principles of PDPSI
- Pentagon Model of TISM… An implementation approach to PDPSI
- Personal Data Gate Keepers and Internal Data Controllers in Organizations
- Naavi’s Data Trust Score model unleashed in the new year
- Naavi’s 5X5 Data Trust Score System… Some clarifications
- Naavi’s Data Trust Score Audit System… Allocation of weightages