The New deadline for Data Protection Act is Budget Session 2023

According to this news report in NDTV Profit, the Minister of IT, Mr Ashwini Vaishnaw, has stated that he is hopeful of the new data protection bill being passed in the next budget session. It is stated that the draft is in its final stages and will be released for public comments soon.

According to the report, Mr Vaishnaw said:

“Without compromising with any of the principles of privacy or with the SC judgement… we have prepared a new draft. We have completed the Parliament’s process today, and we will take the new draft through the approval process very soon. Very soon, hopefully by the Budget session, we should be able to get a new law passed,”

Minister of State for Electronics and IT Rajeev Chandrasekhar has reportedly said the government would develop a comprehensive framework covering all aspects of the digital economy, with dedicated rules for data privacy, emerging technologies and a data governance framework.

If the report is to be believed, the next version of the bill will be a comprehensive piece of legislation, combined with the Information Technology Act and the National Data Governance Framework.

On several occasions, Mr Rajeev Chandrasekhar has stated that ITA 2000 is 20 years old and needs a comprehensive amendment.

We can therefore expect a combination of ITA 2000, the current PDPB 2019 and the Non Personal Data Governance framework as suggested by the Kris Gopalakrishnan Committee.

If somebody thinks that this will be less complex than the PDPB 2018/2019 or DPA 2021, then we should see a miracle in the making.

The objective of ITA 2000 was to enable e-commerce and prevent cyber crimes, besides setting up a system of quick grievance redressal through adjudication.

The objective of PDPB 2019 was to protect the Right to Privacy as per the Supreme Court's definition of privacy, and the objective of DPA 2021 was broader, including some aspects of non-personal data protection.

Now it is intended that “Protection of Non Personal Data”, “Governance of Non Personal Data” and “Protection of Privacy through personal data protection” will all have to be combined in a single legislation.

The regulator under ITA 2000 (CERT-In) is focussed on cyber security, and the regulator under PDPB 2019 was focussed on personal data protection. Non Personal Data Governance, on the other hand, is not a “protective duty”. It is the promotion of monetization of non-personal data, which goes along with the promotion of e-commerce, itself one of the objectives of ITA 2000.

The Government is again trying to mix “Promotion” and “Protection” into one law under one regulator, which will introduce several challenges.

While we wait for the Government to release its draft for public comments, we intend to develop a draft legislation that addresses all the stated objectives of the Government. There is no doubt that the Government is not expecting any assistance from the private sector in designing the law, but it is our duty to place our reasonable suggestions before the Government drafting committee so that the process of legislation can be speeded up.

From time to time, I will share the work in progress through these columns.

Naavi


Government succumbs to threats from Big Tech and withdraws Data Protection Bill

Yesterday, in a surprise move, the Government of India withdrew the Personal Data Protection Bill 2019 in Parliament. It was a huge embarrassment for the Government, as it is clear that the withdrawal was because of opposition from Big Tech.

When Mr Ravishankar Prasad lost his ministerial post for criticizing Twitter, it was clear that social media was powerful enough to determine who should and who should not be in the IT Ministry.

Since then, excuse after excuse has been offered to delay the Bill, until this decision to withdraw it.

Publicly, it is stated (refer zeenews.com) that there were 81 amendments suggested in the 99-section bill and hence the Government wanted to revamp it completely. The minister has stated that they will introduce a new bill in its place. This means that the new bill will again go to a JPC, and it will take a few more years to pass.

The Government of India must remember that they are working with public money, and if two years of JPC work is being thrown into the gutter for not being able to re-write the 12 recommendations into the Bill during the debate, it is public money that is being wasted.

This is similar to the withdrawal of the Farmers’ bill, where the Government showed that it has no courage to take strong decisions even when the matter is not as complex as legislation such as the Uniform Civil Code, freeing temples from Government control, or taking action against terrorism.

It is a black day for India, and when we are in the process of showing our pride by displaying the national flag on every house top as a part of the 75th year celebration, this comes as a reminder that we as a country are yet to be courageous enough to lead the country to progress.

I have been already receiving messages from some friends expressing disappointment on the development.

However, Naavi.org as well as FDPPI will continue their work on Privacy and Data Protection, as well as on the use of Section 43A of ITA 2000/8 as the current law for Privacy Protection and Data Protection in India, and wait for the Government to muster enough courage to face Big Tech and the political opposition.

Naavi


“Human Firewall”: Data Protection Journal of India, July issue, explores the concept

The Foundation of Data Protection Professionals in India, the premier organisation in India dedicated to Privacy and Data Protection, has come out with the latest issue of the Data Protection Journal of India (www.dpji.in).

DPJI is presently a journal published on the internet, and its issues are available at www.dpji.in. The current issue is the 7th in the series. The earlier issues covered different aspects of Data Protection.

In past issues, several interesting topics such as the valuation of data, the PDPSI framework (now renamed the DPCSI framework) and the need to develop a compliance culture in India have been discussed.

In the current issue, an important aspect of Data Protection, namely the role of people, is discussed.

By focussing on the concept of the “Human Firewall”, attention is brought to the use of humans to develop a security cover against privacy and information security risks. Just as technology tools such as encryption, firewalls and intrusion detection systems are used to combat technology risks, this concept envisages that human skills have to be used for risk mitigation.

The involvement of humans as part of the security posture is important for two reasons. First, insider frauds constitute a large percentage of cyber risks and cannot be mitigated by policies, procedures and technology. Second, even technology and policy controls have to be implemented by humans, and motivating them to be “Security Champions” is necessary.

This concept has been well ingrained in our earlier discussions on “Vulnerabilities in human space”, the “Theory of Information Security Motivation” and related topics.

We had also incorporated several principles of using human resources in the unique indigenous framework for Privacy and Data Protection, namely the DPCSI (Data Protection Standard of India). In particular, we had introduced a standard titled “Distributed Responsibility”, along with implementations for an Augmented HR policy which included incentivisation and disincentivisation for motivational purposes. Further, the “Augmented Whistle-blower policy” extended the concept to a “Human IDS system”.

Naavi.org has also been discussing, from time to time, concepts such as the “Human Bomb”, “Deviant Minds in Workforce” and “Technology Intoxication”, all revolving around the concept of mitigating human risks in cyber crime prevention.

It was therefore a pleasure to observe that Dr Anirban Ghosh, a professional working in the BT group, had actually written a research thesis on the topic of the “Human Firewall”, and with his permission the entire thesis has been reproduced in the July issue of the journal.

We hope that professionals interested in the fields of Cyber Psychology, Human Resource Management and related topics will find the issue worth going through.

Kindly do share the copy within your organization as a part of your knowledge management.

Any queries on any of the topics are welcome.

Naavi


For Cyber Crime Complaints… Call 112

I often receive enquiries about how to respond when there is a cyber crime. I advise you to contact 112 and file the complaint as soon as you notice the crime.

In case of financial frauds through bank accounts, credit cards, etc., also file a complaint with the relevant bank demanding immediate reversal of the transactions as per the “Limited Liability Circular” of RBI dated July 6, 2017.

If you contact the police early with the necessary details, they may be able to help you. If there has been a transfer of funds from your bank account, they may be able to stop its disbursal.

When you lodge the complaint about a financial fraud, please also add the name of the app through which the fraud occurred and the bank from which the money was transferred out.

Some of the complaints relate to small amounts of a few thousand rupees. It would be difficult to proceed against such frauds through formal legal means such as adjudication.

Also, the adjudication system in all states is at present not working efficiently, and hence it should be invoked only when large amounts have been lost and you have a good advocate to back you.

In all such complaints, ensure that your complaint names the bank and all intermediaries as respondents.

Naavi


Augmented GDPR Compliance Audit

Ujvala Consultants Private Limited has now introduced a GDPR Compliance Audit service which incorporates the Data Importer’s Assurance Certification and DTS evaluation.

This “Augmented GDPR Compliance Audit” is being conducted on the DPCSI framework (Data Protection Compliance Framework).

DPCSI framework consists of 50 implementation specifications that cover all requirements of GDPR compliance including all the obligations stated under Chapter IV and Chapter V of the GDPR.

For more details, contact Naavi.

Naavi


“Data Importer Assurance Certification” as an extension of DTS-GDPR service

Ujvala Consultants Pvt Ltd has introduced a mechanism for the self-assessment of an organization for GDPR compliance and for arriving at a Data Trust Score which reflects the effectiveness of that compliance.

GDPR has been in existence since 2018 and there are established mechanisms to implement a compliance system. ISO 27701 is at the forefront of this evaluation as an audit system. However, ISO 27701 is an extension of ISO 27001 and could be difficult for SMEs/MSMEs to adopt. Hence an attempt was made to establish a more affordable and modularly implementable system of “Gap Assessment”, “Summary Assessment” and “Certification Audit” through the DTS-GDPR mechanism (refer ujvala.com).

The system of reducing the compliance assessment to a number in the form of a DTS score is a concept introduced in the Indian law and not in GDPR. However, there is no reason why this should not be applied to GDPR compliance assessment also, as it brings some clarity to the complex mechanism of compliance assessment, though it could be considered subject to the auditor’s judgement.

After GDPR came into existence, many online services of the “Self Assessment Check List” kind appeared, and they have been helpful to some extent. Ujvala’s attempt is not different from such services. However, in a techno-legal compliance evaluation, it is difficult to keep the subjective evaluation of an expert out of the evaluation system. Hence any attempt to automate the assessment cannot avoid diluting it.

The Ujvala DTS system acknowledges the inherent difficulty of a techno-legal assessment based only on self-assessment, but tries to provide a better evaluation through the “Summary Assessment”, based on scrutiny of policy documents, before a proper audit examination is made.

The system therefore uses a set of around 239 questions which are self-answered by the organization. The objective of these questions is to enable the organization to reflect on its own systems and bridge the gaps indicated by the questions. It is agreed that this self-assessment is not good enough for third parties such as Data Exporters to accept blindly, but it is a good starting point in the journey towards compliance.

When policy documents are submitted for review, Ujvala as a consulting organization evaluates the policies and provides an “opinion” which serves as a “Reasonable Assurance” for the Data Exporter sitting in the EU.

Additionally, Ujvala may expect certain basic technical tools to be adopted by the organization for better management of Privacy By Design and Default.

The effort of Ujvala is to help the management of the organization improve its own confidence in presenting itself as a “GDPR Compliant Organization” to data exporters, so that it can act as a “Data Importer” and offer its services as a joint controller or data processor.

GDPR authorities are making their own efforts to ensure smooth data transfers to “Non Adequacy” countries, and Ujvala takes note of this as guidance for implementation with Indian data importers.

One such effort is the suggested “Certification as a tool of transfer”.

Under this scheme, it is envisaged that specific data transfers can be enabled on the basis of a “Certification” that the transfer carries the necessary assurance as required under Article 46(2)(f) of GDPR.

Though Ujvala is not an accredited certification body under this scheme, Ujvala is trying to adopt an assessment of the data transfer mechanism so that it can be incorporated as an assessment criterion.

Ujvala will therefore introduce a “Data Importer Assurance Certification”, which a data importer may share with the data exporter, as an extension of the DTS-GDPR service. We hope that this “Data Importer Assurance Certification” (DIAC) will serve both as a GDPR compliance assurance and as the Data Importer’s specific assurance to the data exporter about compliance with the cross-border transfer requirements.

At present this will be an extension of the DTS-GDPR self-assessment, followed by the Summary Assessment based on the policy documents submitted by the organization.

Naavi
