Organizations in India and elsewhere are today confronted with the need to be compliant with multiple data protection paws.
As long as the concern of a company was just “Security” of information, it was fine to adopt a common framework such as ISO 27001 and try to manage the Confidentiality, Integrity and Availability (CIA) of data and protect all the information under one umbrella.
Even when the CIA principle got extended to “Accountability” and “Non Repudiation” it was not difficult to extend the ISO 27001 framework with a few additional controls applicable across the company.
However in practice, companies always had difficulty in extending ISO 27001 across an enterprise spread over multiple locations and often an organization restricted the implementation to the most visible facility while calling itself “ISO 27001 compliant”.
The WHM situation at present completely negates the ISO 27001 as the facilities get spread out and the concepts of physical security loses its meaning.
Additionally many companies today process personal data from different countries and they are exposed to different laws to be complied with simultaneously.
Indian companies will soon enter into this uncertain zone since they were today required to only contend with ITA 2000 and Section 43A which could be applied to all the information they handled in electronic form.
But the situation is now changing. PDPAI (Personal Data Protection Act of India) is coming. PDPA will replace Section 43A of the ITA 2000 but the rest of ITA 2000 remains.
In this emerging scenario companies will have to be compliant both to ITA 2000 as well as PDPAI. Additionally if they handle data from EU they need to be compliant to GDPR. If they handle data from California, they need to be compliant with CCPA and so on. Ultimately, the company need to be compliant with 100 plus data protection laws if they want to be globally compliant. Hence one ISO 27701 with ISO 27001 will not suffice to be compliant with multiple data protection laws.
When the number of such data protection regulations were only a handful, the company could set up different sub-entities to handle different compliances like setting up “Dedicated ODCs”. This concept was suggested under HIPAA for handling of PHI and non PHI activities by the recognition of a “Hybrid Entity” and application of HIPAA only to the recognized HIPAA component of the facilities of the hybrid entity. This is also permitted under PDPAI (as per the current Bill) as a “Notified Facility processing information of foreign citizens under a contract”.
However, in the context of the number of compliances increasing to double digits at least, it is impossible to create physically the separate personal data silos. Hence we need to look for virtualization of the compliance process so that we virtually capture the personal data from different data protection regimes and apply different compliance requirements.
The “Personal Data Protection Standard of India” (PDPSI) proposed by Naavi and FDPPI will be the first such global data protection framework which can be applied not only in India but in the entire world.
This is a “Made in India – Made for the World” Project. It pursues the “One Company-One Compliance Framework” principle.
The PDPSI in implementation consists of a Core consisting of certain standards and is supported by implementation specifications which are consist of some common controls and some controls that are different at the procedural level depending on the law that applies.
The personal data classification system under PDPSI takes care of segregating the personal data as per the relevant data protection law so that different sets of implementation specifications are implemented for different sets.
However, one PDPSI implementation should be sufficient for compliance of all data protection laws. To the extent data protection includes securing the personal data under the CIA concept , the PDPSI also doubles up as the ISMS for the personal data component of the data.
Nothing prevents the organization to extend the same standard to the “Non Personal Data” as well with the set of specifications minus the data protection law specific controls.
Hence One Standard for the enterprise as a whole.
Because of this unique structuring of PDPSI it is capable of being used as a “Universal Compliance Standard” across countries, across different data protection laws.
Truly.. Made in India for the World.
FDPPI, (Foundation of Data Protection Professionals) is in the process of developing a set of Lead Auditors who can implement the PDPSI framework based compliance systems so that the concept does not remain a concept only but will soon be rolled out in India.
If any organization wants to adopt the PDPSI framework, they may contact the undersigned.