At the dawn of the new year, India is on the threshold of a new “Data Protection Regime”. While the critics will continue to debate the Data Localization and the RTI related objections, the Government is likely to quietly go about its Governance duties by pushing through the bill currently titled “Personal Data Protection Act 2018”.
When the law eventually comes into operation, there will be a Data Protection Authority (DPA) which needs to provide several guidelines and rules of practice.
In the meantime, “We the Professionals shall adopt our own Data Protection Constitution of India” to protect the Data Sovereignty of our country, provide adequate “Data Security” for the e-Citizens of India and provide a Citizen’s model of Data Protection Regime that can make the work of the DPA easy. In order to ensure that the regulations eventually made by the DPA are complied with voluntarily and without pain, there has to be a synchronization between what the Citizens perceive to be a reasonable self-regulation and what the regulator eventually imposes.
Since it may take at least one more year for the DPA’s own regulations to be made public, Naavi.org, with its associate activities such as Cyber Law College, would try to put up its own methodologies which could serve as thought starters.
In this journey towards a Responsible Data Protection Regime in India, Naavi presents the Data Trust Score model that he would be adopting for Data Audits conducted by him through Ujvala Consultants Pvt Ltd. This may be considered a thought under development and would evolve over a period of time. Presently it is referred to as “Naavi’s 5×5 Data Trust Score Model” (5×5 DTS).
What is Data Trust Score
The Data Trust Score is a suggestion of the draft PDPA 2018 presented by the Justice Sri Krishna Committee. Even if the concept is modified or even deleted when the draft becomes a law, the concept will always be relevant as a rating of different organizations on how they adopt and implement the recommendations of PDPA 2018.
According to PDPA 2018, an annual “Data Audit” is mandatory for all organizations processing personal data, and the data auditor may assign a rating in the form of a “Data Trust Score” to the Data Fiduciary pursuant to such audit.
According to the Act, the DPA will specify the criteria for assigning a rating in the form of a Data Trust Score having regard to various factors such as:
a) Clarity and effectiveness of notices under Section 8 (Collection of data)
b) Effectiveness of the measures adopted under Section 29 (Privacy by Design)
c) Transparency in relation to processing activities under Section 30 (Transparency)
d) Security safeguards adopted pursuant to Section 31 (Security Safeguards)
e) Instances of personal data breach and the response of the data fiduciary
Naavi has developed an approach to assigning a Data Trust Score based on an assessment of the requirements of compliance under five Foundation criteria, each rated on a five-point scale of A, B, C, D and E, with A at the top and E at the bottom. C is the minimum acceptable grade for considering an organization compliant.
Naavi recognizes that “Compliance is a journey” over time and that it is unfair to judge an organization on a snapshot alone. This is the fundamental weakness in many of the current rating mechanisms.
Naavi therefore considers the DTS rating at two levels. The first level is the snapshot at a particular point of time. The second level is the change over time, with a minimum period of 3 years.
Just as in financial analysis we use the Balance Sheet as a snapshot of the financial health of an organization and the Funds Flow Statement as a barometer of managerial prudence in funds management, the Level I and Level II DTS ratings together would capture the inherent strength of an organization in Data Protection compliance.
For the Level II DTS to be evaluated, annual data audits for at least 3 consecutive periods have to be available. It will therefore be a rating which can be released only after the next 3-5 years.
Level I DTS can, however, be a reality even now and continue when the DPA announces formal criteria.
Five Foundation Domains
Naavi has clubbed all the requirements of PDPA into five basic domains, namely:
- Commitment of the management
- Knowledge of the Organizational manpower
- Controls for implementation
- Review mechanism for improvement
- Redressal mechanism for grievances for the Data Principals
On the vertical axis, each of these five domains is assessed on the scale of E to A, from the bottom up.
To reduce the DTS to a single parameter, a weightage of the evaluation on this 5×5 grid would be adopted. The weightage can be equal (20%) for all five domains, with the vertical scale expressed in bands of 0-20, 21-40, 41-60, 61-80 and 81-100.
In due course, a view would be taken on whether the domain weightage can be changed from an equal 0.2 for each domain to a differential weightage where, say, Commitment could be 25%, Knowledge 15%, Controls 30%, Review 10% and Redressal 20%.
In the beginning years, the weightage has to be more on Commitment and Knowledge. In later years Commitment would become a hygiene factor, while Knowledge would continue to carry a high weightage. Controls need to be modified from time to time because technology changes, and hence greater attention would be required. Review would be a matter of managerial discretion supported by the mandatory requirements, and hence would also be a hygiene factor. Redressal will be the distinguishing factor between organizations that protect data because of regulatory compulsion and those that do so out of their own belief systems, and hence may need a high weightage along with Controls.
The Level II weightage would depend on the trend of the score, i.e. whether it is improving, declining or being maintained.
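As an added illustration (example code written for this page, not Naavi’s or Ujvala Consultants’ own tooling), the following Python sketch models the 5×5 grid as described: letter grades on the five domains, equal and the suggested differential weightages, the C threshold for compliance, and a Level II trend over at least three annual audits. Two assumptions are mine: a grade scores the midpoint of its band, and the improving/declining/maintained rule is a simple monotonic test.

```python
# Added example, not code from Naavi.org: a minimal model of the 5x5 DTS grid.
# Assumptions: a grade scores the midpoint of its band; Level II trend rules are mine.

DOMAINS = ("commitment", "knowledge", "controls", "review", "redressal")
GRADE_ORDER = "EDCBA"                      # E at the bottom, A at the top
GRADE_BANDS = {"E": (0, 20), "D": (21, 40), "C": (41, 60), "B": (61, 80), "A": (81, 100)}
EQUAL_WEIGHTS = {d: 0.20 for d in DOMAINS}
# Differential weightage floated in the post for later years.
DIFFERENTIAL_WEIGHTS = {"commitment": 0.25, "knowledge": 0.15,
                        "controls": 0.30, "review": 0.10, "redressal": 0.20}
MIN_ACCEPTABLE = "C"


def grade_points(grade):
    """Points for a letter grade: midpoint of its band on the 0-100 vertical scale."""
    low, high = GRADE_BANDS[grade.upper()]
    return (low + high) / 2


def level1_score(grades, weights=EQUAL_WEIGHTS):
    """Level I snapshot: weighted sum of the five domain grades, 0-100."""
    if set(grades) != set(DOMAINS):
        raise ValueError("a grade is needed for each of the five domains")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("domain weights must sum to 1.0")
    return round(sum(weights[d] * grade_points(grades[d]) for d in DOMAINS), 1)


def is_compliant(grades):
    """C is the minimum acceptable grade; every domain must reach it."""
    floor = GRADE_ORDER.index(MIN_ACCEPTABLE)
    return all(GRADE_ORDER.index(g.upper()) >= floor for g in grades.values())


def level2_trend(annual_scores):
    """Level II: direction of the score over at least three consecutive annual audits."""
    if len(annual_scores) < 3:
        raise ValueError("Level II needs at least three consecutive annual audits")
    steps = [b - a for a, b in zip(annual_scores, annual_scores[1:])]
    if all(s >= 0 for s in steps) and annual_scores[-1] > annual_scores[0]:
        return "improving"
    if all(s <= 0 for s in steps) and annual_scores[-1] < annual_scores[0]:
        return "declining"
    return "maintained"


if __name__ == "__main__":
    # Constructed sample: strong commitment, weak redressal (not a real audit).
    sample = {"commitment": "A", "knowledge": "B", "controls": "C", "review": "C", "redressal": "D"}
    print(level1_score(sample), level1_score(sample, DIFFERENTIAL_WEIGHTS), is_compliant(sample))
```

The weak Redressal grade leaves the sample organization non-compliant even though its weighted score sits in the C band, which is why the threshold is checked per domain rather than on the aggregate.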
A typical representation of how the assessment may look for two different organizations is shown in the accompanying picture above.
Certified Data Auditor
The suggested system above will be part of the “Certified Data Auditor” training that Cyber Law College would be undertaking in the coming days.
Comments are invited from the readers on the above concept.
I urge entities like the Foundation of Data Protection Professionals of India (FDPPI) to take this idea further and develop it.
P.S.: The word “Hygiene” has been used here for something which becomes a mandatory need: it has low positive value if it is present but negative value if it is absent. It is a term used in the motivational theory of Professor Herzberg.
Some additional clarifications based on comments received have been posted as a follow up.
2nd January 2019