FDPPI had introduced an implementation and certifiable audit framework for Data Privacy under the name PDPCSI (Personal Data Protection Compliance Standard of India). This framework, created by Naavi, was meant to assist organizations in complying with the data protection laws in India.
Initially PDPCSI was made compatible with PDPB 2019, then with DPDPB 2022, and now with DPDPA 2023. Since Naavi has always held that ITA 2000/8 is the operative data protection law of India even before DPDPA 2023 became law, the principles of ITA 2000/8 compliance were integrated into PDPCSI, and the framework was also referred to as DPCSI (Data Protection Compliance Standard of India). Under DPCSI, data was classified as Personal and Non Personal; DPDPA was applied to Personal Data and ITA 2000/8 to Non Personal Data.
Now, even after the removal of Section 43A from ITA 2000/8, ITA 2000 continues to be part of the Personal Data Protection regime for various other reasons. Hence the present PDPCSI takes ITA 2000/8 into account to the extent it applies to Personal Data. In this respect, sections such as Section 72A, 43, 65, 66, 66C, 66D, 67C, 69, 69A, 69B, 70B etc. are considered applicable to Personal Data Protection as well. Hence PDPCSI-2023 has already amalgamated compliance with ITA 2000 and DPDPA 2023. Non Personal Data, after classification, was being treated separately as an ITA 2000/8 compliance issue.
Naavi had also introduced a framework titled IISF 309 (Indian Information Security Standard) to meet the compliance requirements of ITA 2000/8, though many organizations preferred to use ISO 27001 for the same purpose.
Now, with the release by BIS of a draft Standard for Adequacy of Organizational Data Governance & Management Practices, which addresses data privacy under its Risk Management domain, the framework scenario needs to be reviewed.
The expected outcomes are:
b) Standardized process to assess whether information is PII and categorize PII based on associated privacy risks.
c) Limits the collection of PII to the minimum elements identified for the purposes described in the notice
d) Retention of PII for which the individual has provided consent
e) Compliance with privacy requirements
f) Management of privacy risks as part of managing the enterprise risk management function
In view of this, we can say that the standard incorporates all the requirements of Privacy Protection.
The standard also speaks of Data Regulatory compliance, and hence includes DPDPA compliance as well as ITA 2000/8 compliance within its scope.
However, it is not a replacement for ISO 27701; rather, it focuses more on the managerial responsibilities of Data Governance.
Hence this framework is in close alignment with FDPPI’s PDPCSI, which has 30 of its 50 model implementation specifications dedicated to the Management, DPO, Legal and HR responsibility centers.
The current PDPCSI is therefore an existing framework that is fully in compliance with the newly proposed BIS standard.
In FDPPI trainings on the Audit Module, more details of how PDPCSI can integrate with this new standard will be discussed. Further, FDPPI is considering merging PDPCSI and DPCSI into a larger canvas, the “Data Governance and Protection Standard of India” (DGPSI), which covers both Governance of Data and Protection of Data.
Henceforth, companies in India can consider only FDPPI’s DGPSI as the Corporate Data Management standard; the IT system they develop on the basis of DGPSI, which may be called DGPMS (Data Governance and Protection Management System), will be audited by the certified auditors of FDPPI.
This is the future of Data Protection Audit in India. This is why we stated yesterday that Data Protection Professionals are seeing another new and exciting development.
Now forget all other frameworks and focus on FDPPI’s DGPSI.